Windows Analysis Report yRqHWQ91dT

ID:	508840
Product:	CloudBasic
Start time:	17:05:27
Start date:	25.10.2021
Sample:	yRqHWQ91dT
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b50ffa06eca2b3a4d92562561fc6b2d1
SHA1:	4cdbdb338a22fd11f0fcc973598e25ba54529db3
SHA256:	a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\530d7b.rbs	data	1B30CF4F480C59E05A5C1540289760CA	37786DEA0D2A951B5DFAE6E02652EDF272AD9C19	94BC18376E4915500F830DEBC436AA330A44346526D28634BA250794286B2FF3
C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2E68BFCA-136D-489B-99E7-02370AE416AC}, Number of Words: 10, Subject: CSS Validator, Author: Hemoco bvba, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200	4C0F425E456ED7904F1B207FAD617EBE	56304F5446B7DB91314E252143E59353072A6F28	A14D402C30E55AC43A83596A1D2832A730A7EB3A056E9420AC725B0EF02A176A
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\LICENSE.electron.txt	ASCII text	F8436F54558748146EC7EBD61CA6AC38	EF226E5B023D458EFCDC59DC653694D89802F81C	34F6F27C26D1BB8682EBB42AE401F558228FD608455BD7C6561D5FD500B7D05B
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\License.txt	ASCII text, with very long lines, with CRLF line terminators	CBD32695674DCFBA5C4609DEFCAFDF55	6F5C934CB49845AF6B59683544A95A7E4B515DCE	2568688DD3418B21FD0D4CD416C1A759DE9DAE759E192BCCF834D3EC2E1E7F2C
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\ReadMe.txt	ISO-8859 text, with CRLF, CR line terminators	8EB0D56C86DA3080CFE2F9BAB6D6318C	A63256C40D34B844D2DB2F2DFB2A6C068F2F1E19	091CBA047A79B4BE6A10FF265153D44C8474CC24FBC0B9C17775F481738AE8DD
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	E3DDBE5680FAD01D0E5B7B963181BC06	BECCE75CDA9222511E9F8D480B145CE6C24A6CCF	07A2736DF9434B0FBBC5C441A76726CA66EB21554622B5F09D797EA01DF9F0C7
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	358BF09045A59A1B85ACD9BC0A592904	53CF59D7B192F570D528B4D5C72DFA7AC25E1D7B	6BE5D612830990F4185DEA66B4BAABE191D641A3A97E081A2F62FBADF2AF5B0F
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	6A5E8F425D04F3BC66360F2BF07688A4	E7627232FD39730D90F11D979F1DAC6356A5244A	2A45581E2ED65CAE497A199A56F311FA08B3D8C1B777E936F15D04D0B96923D1
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	B7102F54D13AF5F4B66B12692DDE2D51	8A5619C2AA731AACF9D83EAFF3133FE0C63659DB	C6CB095CEA1A39307A0579E9EC7C7D7161D04E88A245476417FE0C7D12A9B85E
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3301FD842AC418CF18BC96FA52D2D497	80B32039DF1C2439046DFCB30120D7BE8FACEAAB	91CA98A59CE9B3347F6F23A0C52C714C4E56AE862956D9465E12E6D07EF87CD6
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\assets\goal_achieved.png	PNG image data, 889 x 886, 8-bit/color RGBA, non-interlaced	A2B879334ED0DED12343695E26E30554	581DCF49F959F35B13A71705B917A61658BD7836	ECDBDF4A3A32936E79327FD7CA276340E89960CCB6CAA665A27BBB8EA774C83D
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\assets\goal_progress.png	PNG image data, 1024 x 1024, 8-bit/color RGBA, non-interlaced	3559215A74E795F065A0EBA888FAB63E	78834C228B2BCEF9A2D22D8B407BFF1901955043	8EB9852560A3E6ED0790A8B40CEDEEEFF8A39D6F2985738EC81DFE9445F61D8A
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	PE32 executable (GUI) Intel 80386, for MS Windows	A0052D6EAC0D6D4296DE89213447416D	2F3ED143855A0490D8E3EC564FE27A3F72FA4916	C57A1C9570FF6CEFF0A08770A142C348B5B3E5B2C03417C03C0FBFFB7707069F
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	E4B0061BFC552111AA9F6A63AC61B1B9	2F4F9A0E179EB17FF077C3BBA30C09E1EA0E0C0F	17C8685F54EFD76AE5C3171F146910772B49A3D733CDA66E2FBC5C64CE800214
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\qclp2.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	7FC7D8096392A3887F53F85A570137C6	18822D95CDB79D25ACFCFFED8395CC208AA03D04	F6B6D5C0EA15112F428A83B923B879EC43AA54D7677AD29E763532881509DEED
C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\zmq	PDF document, version 1.5	DCED29FE7B0769AF598BE6684DD85677	DF5808C075F7AD586A858D1B71449C954C648A37	84855FF6E0BB4BB79E4CC13B600C26633340CAA3FDEC16504E7006777213C0F4
C:\Windows\Installer\530d79.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2E68BFCA-136D-489B-99E7-02370AE416AC}, Number of Words: 10, Subject: CSS Validator, Author: Hemoco bvba, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200	4C0F425E456ED7904F1B207FAD617EBE	56304F5446B7DB91314E252143E59353072A6F28	A14D402C30E55AC43A83596A1D2832A730A7EB3A056E9420AC725B0EF02A176A
C:\Windows\Installer\530d7c.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2E68BFCA-136D-489B-99E7-02370AE416AC}, Number of Words: 10, Subject: CSS Validator, Author: Hemoco bvba, Name of Creating Application: Advanced Installer 18.7 build 0a7fdead, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200	4C0F425E456ED7904F1B207FAD617EBE	56304F5446B7DB91314E252143E59353072A6F28	A14D402C30E55AC43A83596A1D2832A730A7EB3A056E9420AC725B0EF02A176A
C:\Windows\Installer\MSI14BC.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	3D24A2AF1FB93F9960A17D6394484802	EE74A6CEEA0853C47E12802961A7A8869F7F0D69	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
C:\Windows\Installer\MSI17DA.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	3D24A2AF1FB93F9960A17D6394484802	EE74A6CEEA0853C47E12802961A7A8869F7F0D69	8D23754E6B8BB933D79861540B50DECA42E33AC4C3A6669C99FB368913B66D88
C:\Windows\Installer\MSI1C62.tmp	data	77E5D1C2DBBFE347BA7AD0E9804631A7	C5EE351655A1F9A078EBA531A0FD492D9FC91F7A	BC0A8B364763524A9FEDBDBF089D57881E0EE0DB6F3ADF132E062347B22F1C5C
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D3BF7F2FE7D96CF90EB3393D278780A1	BD85EE8A111C1314DCC2658ABCA971B037E4A016	37E9A251EE2D4D666A49C8252CEFCDC9344F267463F31C1D9E8D5DBEB7912D30

AV Detection:

Found malware configuration

Source: 9.2.audiodent.exe.7f70000.1.unpack

Malware Configuration Extractor: Ursnif {"RSA Public Key": "GP2bItvzCMVimwFhSq2LMu3Hl69+F5VOC4HbUzLcgCFvHPQPwYycui0JiyqQuwt1jV1IDboN9TEBxLB8CQWBGqcjZkZnRvT4fL8wjq8CCeHOLprVhSXFIxyR2QXzTHDcHr2ux9/r22BaiLqlqlqcKQ1PI6I3WFn39M0K5k1WypMPthcpEVFSO8sVBHvcqRSV", "c2_domain": ["get.updates.avast.cn", "huyasos.in", "curves.ws", "huyasos.in", "rorobrun.in", "huyasos.in", "tfslld.ws", "huyasos.in"], "botnet": "2002", "server": "12", "serpent_key": "44004499FJFHGTYB", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Multi AV Scanner detection for submitted file

Source: yRqHWQ91dT.exe

Virustotal: Detection: 13%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 9.2.audiodent.exe.980000.0.unpack

Avira: Label: TR/Crypt.XPACK.Gen7

Cryptography:

Public key (encryption) found

Source: audiodent.exe, 00000009.00000002.524473381.000000006EC22000.00000002.00020000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJJidwS/uILMBSO5DLGsBFknIXWWjQJe2kfdfEk3G/j66w4KkhZ1V61Rt4zLaMVCYpDun7FLwRjkMDSepO1q2DcCAwEAAQ==-----END PUBLIC KEY-----

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack

Uses 32bit PE files

Source: yRqHWQ91dT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Creates license or readme file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\License.txt			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\ReadMe.txt			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\LICENSE.electron.txt			Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: yRqHWQ91dT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256 source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdbSHA256y source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdb source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: 530d7c.msi.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 530d7c.msi.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb,88 source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr

Spreading:

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:			Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_0040646B FindFirstFileA,FindClose,		1_2_0040646B
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004027A1 FindFirstFileA,		1_2_004027A1
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		1_2_004058BF

Networking:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VM-HOSTINGRU VM-HOSTINGRU

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443

URLs found in memory or binary data

Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://apache.org/xml/UnknownNSUCS4UCS-4UCS_4UTF-32ISO-10646-UCS-4UCS-4
Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: audiodent.exe, 00000009.00000000.279173277.00000000011AD000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHhttp://apache.org/xml/messages/XML
Source: 530d7c.msi.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 530d7c.msi.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: yRqHWQ91dT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: yRqHWQ91dT.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 530d7c.msi.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 530d7c.msi.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 530d7c.msi.4.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://t2.symcb.com0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 530d7c.msi.4.dr	String found in binary or memory: http://tl.symcd.com0&
Source: 530d7c.msi.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ReadMe.txt.4.dr	String found in binary or memory: http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf
Source: ReadMe.txt.4.dr	String found in binary or memory: http://www.grsoftware.net/home/buynow.html
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: http://www.mega-nerd.com/libsndfile/
Source: audiodent.exe.4.dr	String found in binary or memory: https://bitbucket.org/Coin3D/
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: https://bitbucket.org/Coin3D/error
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/I
Source: audiodent.exe, 00000009.00000002.523746525.0000000007BDF000.00000004.00000001.sdmp	String found in binary or memory: https://get.updates.avast.cn/sreamble/L9cG8Vo2GQztGm0qovd/ps29AL3_2BtYxlbeUwyhe0/qJy1kBhZdmLJX/23gke
Source: SQLitePCLRaw.core.dll.4.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.raw
Source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawF
Source: SQLitePCLRaw.core.dll.4.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawX
Source: audiodent.exe, 00000009.00000002.521033898.0000000001048000.00000002.00020000.sdmp, audiodent.exe.4.dr	String found in binary or memory: https://groups.google.com/forum/#
Source: audiodent.exe, 00000009.00000002.523718501.0000000007BD4000.00000004.00000001.sdmp	String found in binary or memory: https://huyasos.in/
Source: audiodent.exe, 00000009.00000002.523890285.0000000007F5B000.00000004.00000010.sdmp	String found in binary or memory: https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO
Source: audiodent.exe, 00000009.00000002.523791607.0000000007C02000.00000004.00000001.sdmp	String found in binary or memory: https://huyasos.in/sreamble/1Cy_2BOoNkPfZNI/cBFrvY8_2BuNL_2FRI/EvMKECOy8/d_2Bs3isSO64yzYzMTFW/VpmMJy
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ReadMe.txt.4.dr	String found in binary or memory: https://www.grsoftware.net
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: 530d7c.msi.4.dr	String found in binary or memory: https://www.thawte.com/repository0W

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: get.updates.avast.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Installs a raw input device (often for capturing keystrokes)

Source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp

Binary or memory string: GetRawInputData

Installs a global mouse hook

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Windows user hook set: 0 mouse low level C:\Windows\System32\dinput8.dll

Jump to behavior

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_0040535C

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

System Summary:

PE file has a writeable .text section

Source: audiodent.exe.4.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Writes or reads registry keys via WMI

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Uses 32bit PE files

Source: yRqHWQ91dT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI14BC.tmp

Jump to behavior

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_00403348

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\530d79.msi

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_00406945		1_2_00406945
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_0040711C		1_2_0040711C
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EA5C160		9_2_6EA5C160
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7AFC0		9_2_07F7AFC0
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F77FBE		9_2_07F77FBE
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7836E		9_2_07F7836E

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_00981C90 GetProcAddress,NtCreateSection,memset,		9_2_00981C90
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_00981703 NtMapViewOfSection,		9_2_00981703
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_009819A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,		9_2_009819A0
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F79A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		9_2_07F79A0F
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7B1E5 NtQueryVirtualMemory,		9_2_07F7B1E5

PE file contains strange resources

Source: yRqHWQ91dT.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: audiodent.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Section loaded: libtrg2.dll			Jump to behavior

Sample is known by Antivirus

Source: yRqHWQ91dT.exe

Virustotal: Detection: 13%

Sample reads its own file content

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

File read: C:\Users\user\Desktop\yRqHWQ91dT.exe

Jump to behavior

PE file has an executable .text section and no other executable section

Source: yRqHWQ91dT.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\yRqHWQ91dT.exe 'C:\Users\user\Desktop\yRqHWQ91dT.exe'
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i 'C:\Users\user\AppData\Local\Temp\CssValidatorInstallerTemp\CssValidator.msi' /qn /norestart			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7A8FDEF089EF820D04B2E0639E42DA17			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Contains functionality to adjust token privileges (e.g. debug / backup)

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_00403348

Creates files inside the user directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Hemoco bvba

Jump to behavior

Creates temporary files

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

File created: C:\Users\user\AppData\Local\Temp\nsz2BB.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/22@3/1

Contains functionality to instantiate COM classes

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_0040216B CoCreateInstance,MultiByteToWideChar,

1_2_0040216B

Reads ini files

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

File read: C:\Users\desktop.ini

Jump to behavior

Contains functionality to check free disk space

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_0040460D

Contains functionality to enum processes or threads

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_07F78F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

9_2_07F78F1B

Found detection on Joe Sandbox Cloud Basic with higher score

Source: yRqHWQ91dT

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Creates mutexes

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Mutant created: \Sessions\1\BaseNamedObjects\COIN_LIBRARY_PROCESS_5656

Reads the hosts file

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Submission file is bigger than most known malware samples

Source: yRqHWQ91dT.exe

Static file information: File size 7580858 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: yRqHWQ91dT.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256 source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: SQLitePCLRaw.core.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdbSHA256y source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.e_sqlcipher.most\obj\Release\netstandard2.0\SQLitePCLRaw.provider.e_sqlcipher.pdb source: SQLitePCLRaw.provider.e_sqlcipher.dll.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbj source: 530d7c.msi.4.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlcipher.dllimport\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: SQLitePCLRaw.batteries_v2.dll.4.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 530d7c.msi.4.dr
Source:	Binary string: C:\pdb\pdb\AppData\Service\dkdockhost\WPF\Data\ExpressAuthentication\Csv.pdb,88 source: audiodent.exe, 00000009.00000000.279418131.0000000001217000.00000002.00020000.sdmp, audiodent.exe.4.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Unpacked PE file: 9.2.audiodent.exe.980000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7AFAF push ecx; ret		9_2_07F7AFBF
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7E9AC push 0B565A71h; ret		9_2_07F7E9B1
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7E62F push edi; retf		9_2_07F7E630
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_07F7AC00 push ecx; ret		9_2_07F7AC09

PE file contains sections with non-standard names

Source: libEGL.dll.4.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.4.dr	Static PE information: section name: .voltbl

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_00981264 LoadLibraryA,GetProcAddress,

9_2_00981264

PE file contains an invalid checksum

Source: yRqHWQ91dT.exe	Static PE information: real checksum: 0x0 should be: 0x742c54
Source: libEGL.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x1b503
Source: audiodent.exe.4.dr	Static PE information: real checksum: 0xa095fa should be:
Source: qclp2.dll.4.dr	Static PE information: real checksum: 0x403d8b should be: 0x4105cf
Source: Typography.GlyphLayout.dll.4.dr	Static PE information: real checksum: 0x0 should be: 0x73e6

Binary contains a suspicious time stamp

Source: SQLitePCLRaw.batteries_v2.dll.4.dr

Static PE information: 0xA466DFED [Sun May 27 16:10:21 2057 UTC]

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\zmq

Jump to dropped file

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\qclp2.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17DA.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI14BC.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll			Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17DA.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI14BC.tmp			Jump to dropped file

Creates license or readme file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\License.txt			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\ReadMe.txt			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\LICENSE.electron.txt			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Process information set: NOGPFAULTERRORBOX			Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe TID: 2200

Thread sleep time: -240000s >= -30000s

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.core.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\Typography.GlyphLayout.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.batteries_v2.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\libEGL.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.e_sqlcipher.dll			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI17DA.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\SQLitePCLRaw.provider.dynamic_cdecl.dll			Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Thread delayed: delay time: 240000

Jump to behavior

Queries a list of all running processes

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_0040646B FindFirstFileA,FindClose,		1_2_0040646B
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004027A1 FindFirstFileA,		1_2_004027A1
Source: C:\Users\user\Desktop\yRqHWQ91dT.exe	Code function: 1_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		1_2_004058BF

Contains medium sleeps (>= 30s)

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Thread delayed: delay time: 240000

Jump to behavior

Checks the free space of harddrives

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_6EA60A70 LoadLibraryW,GetProcAddress,SetThreadDescription,GetCurrentThread,SetThreadDescription,IsDebuggerPresent,RaiseException,

9_2_6EA60A70

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_00981264 LoadLibraryA,GetProcAddress,

9_2_00981264

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB36EF7 mov eax, dword ptr fs:[00000030h]		9_2_6EB36EF7
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB33A55 mov eax, dword ptr fs:[00000030h]		9_2_6EB33A55
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB36F7F mov eax, dword ptr fs:[00000030h]		9_2_6EB36F7F

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB25F3D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		9_2_6EB25F3D
Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe	Code function: 9_2_6EB16501 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		9_2_6EB16501

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: audiodent.exe, 00000009.00000002.523021311.00000000021E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_07F77A2E cpuid

9_2_07F77A2E

Contains functionality to query local / system time

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_00981E22 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

9_2_00981E22

Contains functionality to query windows version

Source: C:\Users\user\Desktop\yRqHWQ91dT.exe

Code function: 1_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_00403348

Contains functionality to query the account / user name

Source: C:\Users\user\AppData\Roaming\Hemoco bvba\CSS Validator\audiodent.exe

Code function: 9_2_07F77A2E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

9_2_07F77A2E

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000009.00000003.462453858.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462430424.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.524066037.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462394649.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462483110.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462302321.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462367584.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462337552.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.462470017.0000000008A28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodent.exe PID: 5656, type: MEMORYSTR
Source: Yara match	File source: 9.2.audiodent.exe.7f70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.audiodent.exe.83b94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.524018514.00000000083B9000.00000004.00000040.sdmp, type: MEMORY