Windows Analysis Report
Invoice_7892_18Oct.html

Overview

General Information

Sample Name: Invoice_7892_18Oct.html
Analysis ID: 725636
MD5: 381a9e7c191245cc7e014e19a2c19442
SHA1: f748050e061bb407d06a38009b7669783a1e0936
SHA256: 7d04f52af134980eef9544350ee216457910e7531a60c88ec9fa80daae59c2d3
Tags: 5000, html, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Ursnif
Snort IDS alert for network traffic
Found stalling execution ending in API Sleep call
HTML document with suspicious title
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
HTML document with suspicious name
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 7zip to decompress a password protected archive
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains capabilities to detect virtual machines
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Source: 14.2.xxl.exe.10000000.5.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 14.2.xxl.exe.31b0000.3.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "oZWPUqrPbA1nh5KeblvW58CGuN1e4qDR3J71aATar5O00raqKE8xUkhFQUaw8R0BlZUnpL1tyzW+efqFkhCLYWrMw9nZJeYEd473/0tPEq2VGwv1oB9Pv2/fdgDd6u50PW0dH+R3uMkcvvSQWa4B8bKoi7inCm10C8UL7vaPiLpNIvtqiX4DmnU8XJVFUqOUDuOPHQVcBCPrZcWDAnVXnLWrHhRfXLI5WYFsVRJSde33pVRkM7XdYHtOhkTQlmghQJYxytxJ0sf95vDL6iv7epWQHBvzkG4uQNqLKhs25dvCXYJYNvjJXuqOqa9OkYezI8hW7hiiyxvLszulw2SxcIP0Ki+iShbrMtTsnnUoNQ4=", "c2_domain": ["config.edge.skype.com", "onlinetwork.top", "linetwork.top"], "botnet": "5000", "server": "50", "serpent_key": "7Lmoq8QMk7P7gY63", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 14_2_031B47E5
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
Source: Binary string: rundll32.pdb source: xxl.exe, xxl.exe, 0000000E.00000000.368749240.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, xxl.exe.12.dr
Source: Binary string: rundll32.pdbGCTL source: xxl.exe, 0000000E.00000000.368749240.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, xxl.exe.12.dr

Networking

Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:60284 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49740 -> 31.41.44.194:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49740 -> 31.41.44.194:80
Source: Joe Sandbox View ASN Name: ASRELINKRU
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: Invoice_7892_18Oct.html String found in binary or memory: https://fonts.googleapis.com/css2?family=Open
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
  Host: accounts.google.com
  Connection: keep-alive
  Content-Length: 1
  Origin: https://www.google.com
  Content-Type: application/x-www-form-urlencoded
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B4F4B ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 14_2_031B4F4B
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
  Host: clients2.google.com
  Connection: keep-alive
  X-Goog-Update-Interactivity: fg
  X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda
  X-Goog-Update-Updater: chromecrx-104.0.5112.81
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /drew/UogjlH55j3MBdVW7Zgv8/7VAIAiwJ_2FicnQxfIo/vdYsidWojPlxWiOLycfrCH/0jMFVE77apOpr/yiV9EWj6/4LmIXy_2FzHYZsf_2BzbbER/6LftEOfnlg/Uzke2V7qIbQmNXXHb/tnLubrQ7fIkI/GL44ItzX_2B/5weW8TeiFRMx3R/0FalNtY_2FOlb5Arb_2Fa/ayhw4EzvdF98V_2F/QvfDYcXOi_2FxiR/FUnDGyMWNFOFvK99Tq/AboGOqHpH/FFIxlK22ZxSjYALa3Nyd/r2bY6gbX_2BKLnqSzWK/N5bQl56P/1.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: onlinetwork.top
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/0J0YP9e_2BE7jjAw7XL/AjrHr6NCwO_2Fgj3xqU8HO/e5KwJWvAPxhz7/Er8_2FGw/w6mbMJPoDfQgM_2F5q_2BTA/2EWmrv1LcM/HkHdywibkWgZEZttV/CVVHNFdmhCzK/32gECX5_2BF/KHHudCe_2FBTtm/7PKDpa0dUHWbR_2B1kpX9/AWYTWzr3Mrqxmvg2/b3_2B3bUAXRAtbT/lS0IcV4DbS6jYYG_2F/Ohgp0G9Gj/CtOwH_2BiEVt378VRySb/pgZSH7eC_2Bee3HXiCJ/BjrtGyiuFj_2Fduvn85Qkm/9VcCSZNN/bQ6ATZ6.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: linetwork.top
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/9HjvFMPL_/2BodLadHv2Ij_2BnGRof/O5HwRn2RgD6rqZ1SvG5/VMrxgkKm7ed8PnDV4333Df/zIgAPypmoxSLi/8BFA8aIq/BD3jcPWLpFftdB57Hvs_2Bt/pdv8XCmdY6/t4jYCo1nX0gAaeZmr/b90Tdg7fzlxH/cqhZiWRACEm/b39xMwhhk6CBY5/vAnGlr5gQfe7832Po6dgp/kFDd8JW_2BQt2yuf/g3y_2BsnEgcapzm/FqXLCXTc0ul_2Fu7dh/W1oq_2BeZ/dlpTOTrr2A44rzvoNR9t/Ed7vICgSqP/MZk6s.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: onlinetwork.top
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /drew/TVgVtfJMME1TQDqbWdYo/ezMinaihuLtBtHa0yLo/29N_2BdcUX8GiKCW_2FFcH/G2EEXMAEzocHs/1j0yJOR1/eGMTPdpRhncWUghvDrmpfdi/eKYCLFtVRB/CVYtk9exYzeSrEd9o/r1M5RtNeelrL/BOq3WhytwH0/LSHm7cB7uN0f_2/BOF5OriNbSGHY_2Bu3zcM/HQrJ_2FDizJQq2kU/CdUDwQJw3ybpG6w/prA2XAjnZImMTnv_2B/y35swvqbW/8ll_2FkkiqSxdgXsTIPh/ZgYm_2BBwbPVDYoRfa8/RjAv97g.jlk HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: linetwork.top
  Connection: Keep-Alive
  Cache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 0000000E.00000003.424404208.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424565184.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424527278.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424606471.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.641720326.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.719654681.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424635510.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424671008.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424712096.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424336717.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xxl.exe PID: 6504, type: MEMORYSTR
Source: Yara match File source: 14.2.xxl.exe.4ef94a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2df4431.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.31b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2dfe040.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2df4431.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.719611917.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.719379551.0000000002DE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Source: Yara match File source: 0000000E.00000003.424404208.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424565184.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424527278.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424606471.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.641720326.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.719654681.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424635510.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424671008.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424712096.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424336717.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xxl.exe PID: 6504, type: MEMORYSTR
Source: Yara match File source: 14.2.xxl.exe.4ef94a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2df4431.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.31b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2dfe040.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2df4431.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.719611917.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.719379551.0000000002DE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 14_2_031B47E5

System Summary

Source: 0000000E.00000003.424404208.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 0000000E.00000003.424404208.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000E.00000003.424565184.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 0000000E.00000003.424565184.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000E.00000003.424527278.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 0000000E.00000003.424527278.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000E.00000003.424606471.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 0000000E.00000003.424606471.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000E.00000003.641720326.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 0000000E.00000003.641720326.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000E.00000002.719654681.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 0000000E.00000002.719654681.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000E.00000003.424635510.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 0000000E.00000003.424635510.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000E.00000003.424671008.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 0000000E.00000003.424671008.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000E.00000003.424712096.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 0000000E.00000003.424712096.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000000E.00000003.424336717.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 0000000E.00000003.424336717.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: xxl.exe PID: 6504, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: xxl.exe PID: 6504, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: file:///C:/Users/user/Desktop/Invoice_7892_18Oct.html Tab title: Invoice_7892_18Oct.html
Source: C:\Users\user\AppData\Local\Temp\xxl.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Local\Temp\xxl.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\xxl.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\xxl.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: Name includes: Invoice_7892_18Oct.html Initial sample: invoice
Source: C:\Users\user\AppData\Local\Temp\xxl.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\xxl.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\xxl.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -p758493 -y -o"C:\Users\user\AppData\Local\Temp\krjmempf.vdz" "C:\Users\user\Downloads\8fa2db5f-d558-4ee3-8a83-68f3e15e482f.zip
Source: Invoice_7892_18Oct.html, type: SAMPLE Matched rule: MAL_QBot_HTML_Smuggling_Indicators_Oct22_1 date = 2022-10-07, hash5 = ff4e21f788c36aabe6ba870cf3b10e258c2ba6f28a2d359a25d5a684c92a0cad, hash4 = 5072d91ee0d162c28452123a4d9986f3df6b3244e48bf87444ce88add29dd8ed, hash3 = c5d23d991ce3fbcf73b177bc6136d26a501ded318ccf409ca16f7c664727755a, hash2 = 8e61c2b751682becb4c0337f5a79b2da0f5f19c128b162ec8058104b894cae9b, author = Florian Roth, description = Detects double encoded PKZIP headers as seen in HTML files used by QBot, score = 4f384bcba31fda53e504d0a6c85cee0ce3ea9586226633d063f34c53ddeaca3f, reference = https://twitter.com/ankit_anubhav/status/1578257383133876225?s=20&t=Bu3CCJCzImpTGOQX_KGsdA
Source: 0000000E.00000003.424404208.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 0000000E.00000003.424404208.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000E.00000003.424565184.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 0000000E.00000003.424565184.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000E.00000003.424527278.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 0000000E.00000003.424527278.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000E.00000003.424606471.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 0000000E.00000003.424606471.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000E.00000003.641720326.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 0000000E.00000003.641720326.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000E.00000002.719654681.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 0000000E.00000002.719654681.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000E.00000003.424635510.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 0000000E.00000003.424635510.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000E.00000003.424671008.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 0000000E.00000003.424671008.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000E.00000003.424712096.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 0000000E.00000003.424712096.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000000E.00000003.424336717.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 0000000E.00000003.424336717.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: xxl.exe PID: 6504, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: xxl.exe PID: 6504, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB4C9B 14_2_00CB4C9B
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B2792 14_2_031B2792
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B2DCC 14_2_031B2DCC
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B82FC 14_2_031B82FC
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_10002284 14_2_10002284
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB58CA PathIsRelativeW,RtlSetSearchPathMode,SearchPathW,GetFileAttributesW,CreateActCtxW,CreateActCtxWWorker,CreateActCtxWWorker,CreateActCtxWWorker,GetModuleHandleW,CreateActCtxWWorker,ActivateActCtx,SetWindowLongW,GetWindowLongW,GetWindow,memset,GetClassNameW,CompareStringW,GetWindow,GetWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 14_2_00CB58CA
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB5C96 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError, 14_2_00CB5C96
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB3F9E HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess, 14_2_00CB3F9E
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB3F00 NtQuerySystemInformation, 14_2_00CB3F00
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB5D14 NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose, 14_2_00CB5D14
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 14_2_031B737C
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B8521 NtQueryVirtualMemory, 14_2_031B8521
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_10001000 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 14_2_10001000
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_10001D37 NtMapViewOfSection, 14_2_10001D37
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_10001BA8 GetProcAddress,NtCreateSection,memset, 14_2_10001BA8
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_100024A5 NtQueryVirtualMemory, 14_2_100024A5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\xxl.exe 4E15AA13A02798E924C63537E458A09415C48DAE0E7AFD5A3D25532A2AA935EE
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1828,i,17767483613737774087,6421309370746719837,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Invoice_7892_18Oct.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\8fa2db5f-d558-4ee3-8a83-68f3e15e482f.zip
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -p758493 -y -o"C:\Users\user\AppData\Local\Temp\krjmempf.vdz" "C:\Users\user\Downloads\8fa2db5f-d558-4ee3-8a83-68f3e15e482f.zip
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\krjmempf.vdz\5353.iso
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\krjmempf.vdz\5353.iso"
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c internee\highlighted.cmd dll32.exe tem dows
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\xxl.exe C:\Users\user\AppData\Local\Temp\xxl.exe internee\reservations.3ds,DllRegisterServer
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\4b10409d-3549-47cf-a702-af843c5f693a.tmp
Source: C:\Windows\SysWOW64\unarchiver.exe File created: C:\Users\user\AppData\Local\Temp\unarchiver.log
Source: classification engine Classification label: mal100.troj.evad.winHTML@46/10@6/8
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB3E1D CoInitializeEx,CLSIDFromString,CoCreateInstance,CoUninitialize, 14_2_00CB3E1D
Source: C:\Windows\SysWOW64\unarchiver.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB3A94 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy, 14_2_00CB3A94
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B7256 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 14_2_031B7256
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\GoogleUpdater
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Command line argument: WLDP.DLL 14_2_00CB3F9E
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Command line argument: localserver 14_2_00CB3F9E
Source: C:\Users\user\AppData\Local\Temp\xxl.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\GoogleUpdater
Source: Binary string: rundll32.pdb source: xxl.exe, xxl.exe, 0000000E.00000000.368749240.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, xxl.exe.12.dr
Source: Binary string: rundll32.pdbGCTL source: xxl.exe, 0000000E.00000000.368749240.0000000000CB1000.00000020.00000001.01000000.00000005.sdmp, xxl.exe.12.dr
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB68E0 push ecx; ret 14_2_00CB68F3
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB6C9F pushad ; retf 14_2_00CB6CA2
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB6989 push ecx; ret 14_2_00CB699C
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B7F00 push ecx; ret 14_2_031B7F09
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031BB859 push 0000006Fh; retf 14_2_031BB85C
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B82EB push ecx; ret 14_2_031B82FB
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_10002220 push ecx; ret 14_2_10002229
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_10002273 push ecx; ret 14_2_10002283
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_03140E56 push dword ptr [ebp+ebx*4+03h]; ret 14_2_03140E5A
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_03141C94 push 23000002h; ret 14_2_03141C9B
Source: xxl.exe.12.dr Static PE information: section name: .didat
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_100015BD LoadLibraryA,GetProcAddress, 14_2_100015BD
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\xxl.exe

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 0000000E.00000003.424404208.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424565184.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424527278.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424606471.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.641720326.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.719654681.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424635510.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424671008.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424712096.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424336717.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xxl.exe PID: 6504, type: MEMORYSTR
Source: Yara match File source: 14.2.xxl.exe.4ef94a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2df4431.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.31b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2dfe040.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2df4431.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.719611917.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.719379551.0000000002DE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\xxl.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6900 Thread sleep count: 334 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6900 Thread sleep time: -167000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6740 Thread sleep count: 9229 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7148 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9229
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psm1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.cdxml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.xaml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\Hyper-V.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 3_2_00EAB29A GetSystemInfo, 3_2_00EAB29A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\xxl.exe API call chain: ExitProcess graph end node
Source: ModuleAnalysisCache.8.dr Binary or memory string: Add-VMNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: Remove-VMNetworkAdapterExtendedAcl
Source: ModuleAnalysisCache.8.dr Binary or memory string: Set-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Connect-VMNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: Add-VMNetworkAdapterExtendedAcl
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VMNetworkAdapterIsolation
Source: ModuleAnalysisCache.8.dr Binary or memory string: Test-VMNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: )Get-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.8.dr Binary or memory string: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: ModuleAnalysisCache.8.dr Binary or memory string: Set-VMNetworkAdapterRdma
Source: ModuleAnalysisCache.8.dr Binary or memory string: (Set-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Remove-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VMNetworkAdapterAcl
Source: ModuleAnalysisCache.8.dr Binary or memory string: )Set-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.8.dr Binary or memory string: Rename-VMNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VMNetworkAdapterVlan
Source: ModuleAnalysisCache.8.dr Binary or memory string: Set-VMNetworkAdapterIsolation
Source: ModuleAnalysisCache.8.dr Binary or memory string: (Add-VmNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: "Remove-VMNetworkAdapterTeamMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Remove-VMNetworkAdapterAcl
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VMNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: Add-VMScsiController
Source: ModuleAnalysisCache.8.dr Binary or memory string: Set-VmNetworkAdapterIsolation
Source: ModuleAnalysisCache.8.dr Binary or memory string: Set-VmNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VMScsiController
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VMNetworkAdapterRdma
Source: ModuleAnalysisCache.8.dr Binary or memory string: Set-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: Set-VMNetworkAdapterVlan
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VmNetworkAdapterIsolation
Source: ModuleAnalysisCache.8.dr Binary or memory string: Disconnect-VMNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: Set-VMNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: "Remove-VMNetworkAdapterExtendedAcl
Source: ModuleAnalysisCache.8.dr Binary or memory string: KC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: ModuleAnalysisCache.8.dr Binary or memory string: +Remove-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: (Add-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Add-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: (Get-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: ModuleAnalysisCache.8.dr Binary or memory string: Add-VMNetworkAdapterAcl
Source: ModuleAnalysisCache.8.dr Binary or memory string: Set-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.8.dr Binary or memory string: Add-VmNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Remove-VMScsiController
Source: ModuleAnalysisCache.8.dr Binary or memory string: OC:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1
Source: ModuleAnalysisCache.8.dr Binary or memory string: Add-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VMNetworkAdapterFailoverConfiguration
Source: ModuleAnalysisCache.8.dr Binary or memory string: Remove-VMNetworkAdapter
Source: ModuleAnalysisCache.8.dr Binary or memory string: (Set-VmNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Remove-VMNetworkAdapterRoutingDomainMapping
Source: ModuleAnalysisCache.8.dr Binary or memory string: Get-VMNetworkAdapterExtendedAcl

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\xxl.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB2512 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 14_2_00CB2512
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_100015BD LoadLibraryA,GetProcAddress, 14_2_100015BD
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB48F3 GetProcessHeap,HeapAlloc,memset,GetProcessHeap,HeapFree, 14_2_00CB48F3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB3D9F mov esi, dword ptr fs:[00000030h] 14_2_00CB3D9F
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_03143C9D mov eax, dword ptr fs:[00000030h] 14_2_03143C9D
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB5DFB LdrResolveDelayLoadedAPI, 14_2_00CB5DFB
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB6580 SetUnhandledExceptionFilter, 14_2_00CB6580
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB6232 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_00CB6232
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -p758493 -y -o"C:\Users\user\AppData\Local\Temp\krjmempf.vdz" "C:\Users\user\Downloads\8fa2db5f-d558-4ee3-8a83-68f3e15e482f.zip
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /c powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\krjmempf.vdz\5353.iso
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c internee\highlighted.cmd dll32.exe tem dows
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ex bypass -command Mount-DiskImage -ImagePath "C:\Users\user\AppData\Local\Temp\krjmempf.vdz\5353.iso"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\xxl.exe C:\Users\user\AppData\Local\Temp\xxl.exe internee\reservations.3ds,DllRegisterServer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0011~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00114~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0014~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00112~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: SetThreadPriority,NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 14_2_10001000
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B54EC cpuid 14_2_031B54EC
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_00CB6783 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 14_2_00CB6783
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B1F1D GetVersionExA,wsprintfA, 14_2_031B1F1D
Source: C:\Users\user\AppData\Local\Temp\xxl.exe Code function: 14_2_031B54EC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 14_2_031B54EC

Stealing of Sensitive Information

Source: Yara match File source: 0000000E.00000003.424404208.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424565184.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424527278.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424606471.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.641720326.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.719654681.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424635510.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424671008.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424712096.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424336717.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xxl.exe PID: 6504, type: MEMORYSTR
Source: Yara match File source: 14.2.xxl.exe.4ef94a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2df4431.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.31b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2dfe040.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2df4431.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.719611917.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.719379551.0000000002DE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0000000E.00000003.424404208.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424565184.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424527278.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424606471.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.641720326.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.719654681.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424635510.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424671008.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424712096.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.424336717.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xxl.exe PID: 6504, type: MEMORYSTR
Source: Yara match File source: 14.2.xxl.exe.4ef94a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2df4431.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.31b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2dfe040.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.xxl.exe.2df4431.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.719611917.0000000004EF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.719379551.0000000002DE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY