
Windows Analysis Report a3.exe

Overview

General Information

Sample Name: a3.exe
Analysis ID: 498881
MD5: 0cc6d274cd84b593210168f51fcd38cd
SHA1: 666fc3963609f4aff528b9a32f7516feebaa6ddf
SHA256: a3bdb9880bf419f2023e4015545c6c72835dbc5c68cd14fd81d35220bf9449fa
Tags: exe

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware

Process Tree

  • System is w10x64
  • a3.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\a3.exe' MD5: 0CC6D274CD84B593210168F51FCD38CD)
  • iexplore.exe (PID: 6308 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4596 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6308 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "vM/iQI7/pNgGz6lvtI6TzQegGf2XOLfA1qF/UUWP33fhMhAMf4GRSOJmruKfOpClZgy8d4EH5nDffMSHLLCNtrR+dtN+DP25KSbfLihidE/SjbLI0hsotYZGCDBmkB8RgNy5kRipILXyv4cW0eYiLVm2e5VaCkdKBqotkaZ6t0ybzDTZn1t0o5nqHQOYtQRW", "c2_domain": ["api5.feen007.at/webstore"], "botnet": "3500", "server": "550", "serpent_key": "IpNvMMQa29KhBf3e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
6 further memory-dump entries are collapsed in the original report; every matching source is enumerated under the "Yara detected Ursnif" signature details below.

Unpacked PEs

Source | Rule | Description | Author
0.2.a3.exe.56294a0.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.a3.exe.4f60000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: a3.exe | Avira: detected
Found malware configuration
Source: 00000000.00000002.576428660.0000000003410000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "vM/iQI7/pNgGz6lvtI6TzQegGf2XOLfA1qF/UUWP33fhMhAMf4GRSOJmruKfOpClZgy8d4EH5nDffMSHLLCNtrR+dtN+DP25KSbfLihidE/SjbLI0hsotYZGCDBmkB8RgNy5kRipILXyv4cW0eYiLVm2e5VaCkdKBqotkaZ6t0ybzDTZn1t0o5nqHQOYtQRW", "c2_domain": ["api5.feen007.at/webstore"], "botnet": "3500", "server": "550", "serpent_key": "IpNvMMQa29KhBf3e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: a3.exe | Virustotal: Detection: 79%
Source: a3.exe | ReversingLabs: Detection: 89%
Machine Learning detection for sample
Source: a3.exe | Joe Sandbox ML: detected
Source: 0.2.a3.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.0.a3.exe.400000.0.unpack | Avira: Label: TR/Crypt.Agent.dffnu
Source: 0.3.a3.exe.4e00000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.a3.exe.3410e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\a3.exe | Unpacked PE file: 0.2.a3.exe.400000.0.unpack
Source: a3.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\a3.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F63EED Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49751 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49751 -> 87.106.18.141:80
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | IP Address: 87.106.18.141
Source: Joe Sandbox View | IP Address: 87.106.18.141
Source: msapplication.xml0.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdbe7901a,0x01d7bbd1</date><accdate>0xdbe7901a,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdbf84054,0x01d7bbd1</date><accdate>0xdbf84054,0x01d7bbd1</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: {063EC3E5-27C5-11EC-90E9-ECF4BB862DED}.dat.7.dr, ~DF1728008F459C4534.TMP.7.dr | String found in binary or memory: http://api5.feen007.at/webstore/DcjIiNGkOSL0_2FzFS0SI/7PtL4T1ixNrirqXI/ZpdUtfjmbk9XGDI/gk7_2BOWav_2F
Source: msapplication.xml.7.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.7.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.7.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.7.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.7.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.7.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.7.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.7.dr | String found in binary or memory: http://www.youtube.com/
Source: unknown | DNS traffic detected: queries for: api5.feen007.at
Source: global traffic | HTTP traffic detected:
    GET /webstore/DcjIiNGkOSL0_2FzFS0SI/7PtL4T1ixNrirqXI/ZpdUtfjmbk9XGDI/gk7_2BOWav_2FtIxdS/vSo3lpggS/jgk05AsnNx5dVlLwmu_2/FAFwkzA53QftC8xz3wT/fnjkouYQNR37gBMDH6qXvg/zMFbyF4s1JmGD/y5Fu3aSV/TmUAsAO_2BZNh80x_2FL9QD/SJCaUL6t8y/cM9WgnTGqUY3ueTtK/VgEDjaagDntZ/uB1lRFThucd/4921ywV6NYjMkC/jnp_2BoOlFuQm1snVe_0A/_0DPF5OO0IeFwPM_/2FxPK7FahYNj2AP/3bZ4D9BzvVH_2BCtQdVgfC/l HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api5.feen007.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: api5.feen007.at
    Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.357686500.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.357510029.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.357882018.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.357642343.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.357596269.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.357766814.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.578307195.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.357549475.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.357827984.0000000005E78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: a3.exe PID: 6712, type: MEMORYSTR
Source: Yara match | File source: 0.2.a3.exe.56294a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.a3.exe.4f60000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.578224187.0000000005629000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | the same 13 file sources (10 memory dumps, the process memory space of a3.exe PID 6712, and the two unpacked PEs) listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\a3.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\a3.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\a3.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\a3.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\a3.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\a3.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\a3.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: a3.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F6AEE4
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F62D68
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_0041C47A
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_0041E35E
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_0041CF02
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_0041E980
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_0041C9BE
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_00401000 NtMapViewOfSection
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_00401147 GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F6104E NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F6B105 NtQueryVirtualMemory
Source: a3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: a3.exe | Virustotal: Detection: 79%
Source: a3.exe | ReversingLabs: Detection: 89%
Source: a3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\a3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F6365A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: unknown | Process created: C:\Users\user\Desktop\a3.exe 'C:\Users\user\Desktop\a3.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6308 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6308 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\a3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF8F568B21079AA7B9.TMP
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/14@1/1
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\a3.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\a3.exe | Unpacked PE file: 0.2.a3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\a3.exe | Unpacked PE file: 0.2.a3.exe.400000.0.unpack
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F6AED3 push ecx; ret 0_2_04F6AEE3
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F6ABA0 push ecx; ret 0_2_04F6ABA9
Source: initial sample | Static PE information: section name: .text entropy: 7.38003707514

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | the same 13 file sources (10 memory dumps, the process memory space of a3.exe PID 6712, and the two unpacked PEs) listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
Source: C:\Users\user\Desktop\a3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a3.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a3.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F63EED Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: a3.exe, 00000000.00000002.577880943.00000000039F0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_00401ED0 GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA
Source: C:\Users\user\Desktop\a3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F6660B cpuid
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_00401A35 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_00419FF0 LoadLibraryExA,CreateNamedPipeA,GetVersionExA,DeactivateActCtx,WriteFile,WritePrivateProfileStructA,IsDBCSLeadByteEx,SetFileApisToOEM,TlsGetValue,GetThreadPriority
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_00401497 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Source: C:\Users\user\Desktop\a3.exe | Code function: 0_2_04F6660B wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | the same 13 file sources (10 memory dumps, the process memory space of a3.exe PID 6712, and the two unpacked PEs) listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | the same 13 file sources (10 memory dumps, the process memory space of a3.exe PID 6712, and the two unpacked PEs) listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

Mitre Att&ck Matrix

Numbers in parentheses are the count of matching signatures for that technique, as given in the report.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (2) | Path Interception | Process Injection (3) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (3) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (2) | Security Account Manager | Account Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (23) | NTDS | System Owner/User Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (2) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery (33) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet