Public

| IP | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|
| 31.12.67.62 | Belgium | 44099 | unknown | true |
| 158.69.127.22 | Canada | 16276 | unknown | true |
| 68.183.65.234 | United States | 14061 | unknown | false |

| Name | IP | Active |
|---|---|---|
| ceo.calcus.com | 68.183.65.234 | true |
| lastminutelollipop.com | 158.69.127.22 | true |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| | true | | unknown |
| | true | | unknown |

| Field | Value |
|---|---|
| ID | |
| Product | |
| Start time | |
| Start date | 29.05.2019 |
| Sample | |
| Cookbook | |
| System description | Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113) |
| Architecture | |
| MD5 | 49fbc31d5e46d83c4741d64a1c268e8d |
| SHA1 | 62b00133e2a78063b76a473a9c0b42a00b3042b8 |
| SHA256 | 8c401ced381ce742105acae9b3d39d2f01681d4e3c77be9c899f5fa332aab5f5 |
| Filetype | Microsoft Word document (32009/1) 52.89% |

| Name | Type | MD5 | SHA1 | SHA256 |
|---|---|---|---|---|
| | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows | 56F8EA5543A6C7FFA1731E614015673B | E9EFC20C941F80991CC9B023FC1982E282EE55D8 | 7221A5AC575F1C4812BE871A2BA7CFAF793D95E510E330DA59FE5329DDA3FCB6 |
| | Targa image data - Map - RLE 65536 x 65536 x 0 "\004" | 8009110C7FF8AF053406C7E570B3A20F | F04CB43F7AA7426570EB25733D86667CEFED7ECD | 221BDF477DA9F4E7CB54A57C57CBB45FA9AFEEA785943FA7F965674E6EE08819 |
| | Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004" | 63E8885EC47799F13B279C5AEE576820 | 2FA9E4A6E7AC62FE59403E79F1DBF4A10B964CA9 | D2B514E434CD0335B2FDB0BD128587A79A3AEF986EC2DA40E75F10AF60D1D738 |
| | Targa image data - Map - RLE 65536 x 65536 x 0 "\004" | 6CB961EFDBA42C75DF3CA134D26482D7 | 21BE4FEDBF00B01F5027CD33E2DA994D705CB33C | A60C5ADB302573B79F7EA2B1233A8F552051DBDE3CE455FDF2C0B907ADFFD74A |
| | Targa image data - Map - RLE 65536 x 65536 x 0 "\004" | 656190E1EB52641D25425D47CF9BC0D3 | 774B114D8CFB1D078C1B0E350F4A31CE6C54A4C7 | ABC59C4E9273EDD83C7B591FBA630D8BD691AE591F418735165DCB1C1DD0398D |
| | Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004" | 30D99032BC162D65F53A8203AC7A6473 | B42BBBCB11BF8764B015BF95B7AEB5A3275CA6F1 | AF12B6DA9CCA2ACD33359ABAA38AFE860B17A4CB12FAAEDD07FD0460A2FFFE50 |
| | Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004" | 32F47A4236F79CB95E6DF52EE18E4F65 | EE40C35ECDD6657E026BBC8A249A16098F8B78C7 | D403B1ABD724D4817546CEA2D39F3AA9250F39B45C75385A9250A7D79757A0F2 |
| | data | 5D4D94EE7E06BBB0AF9584119797B23A | DBB111419C704F116EFA8E72471DD83E86E49677 | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
| | data | 1CC24061B042480E1BEFDCFC9D11B57C | 73AB807CC5DE1788A24EC9604D49A8FF53F0E719 | A0682EBC657A233DA7EE5D370A76FE57BC12BE7F8A9F3F3A7DB03B7F2CAB8D7A |
| | XML 1.0 document, ASCII text, with CRLF line terminators | 6B7A472A22FBDBFF4B2B08DDB4F43735 | C6DF700168D3F5A90FF2713B78F8EF1446927102 | 65F3CDBC4390C81B94FA960B7362917443FC1E6A51E3F81E4CB4C4DFA09DA4BE |
| | data | 4DD4FC4C73B6182BCDEA7856134E5FD4 | C50BC537ED45AF8454AE3DA54F3FE3274DE381F1 | C55222C980C91159C8158A94B3F5EADCE594EFAB38784ED97A233E672A3B49C1 |
| | ASCII text, with CRLF line terminators | F7207358E8C5E04BB248222B8C042DDC | 4B51E26943D35F9BD236683D50C19E5C2B2DDA78 | 9063C774748DDE015851EEFC3E265CC9BA8CE39EA028FC8E991FFD92EF0F286D |
| | [TIFF image data, little-endian, direntries=1, copyright=Rrc4rsWQ0VDEIUGCpaZi], baseline, precision 8, 1410x622, frames 3 | 9F6A4E278108E34AB2E48EE86E7A42CC | D8952A831C76710A00587A29E94AD075C1AA9007 | 119703877446C5021CA1EA324AE9910F33DF1BCB109AC1C346C57BE13D276E3A |
| | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 625x276, frames 3 | D11BA7520707DD96074383996A1A532D | 12CACCA0251AAC40DC544EE25FD36C6B1F4D0744 | BDE59F5323AA66724A91CB1DBB01913AB9767B2EBC578EF07459B6EBD61C85E0 |
| | Microsoft OOXML | 2B26E4DD316F857EBB6E2B6B0E1E0282 | 581AE91D57A710CF31348CD5F5AB6FD1B081291E | 40BB5B5897D76A8EEFB7136E658BDDAA65F094C9689B931A78A01601F9EE02CB |
| | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 24 13:01:36 2017, mtime=Sun Sep 24 13:01:36 2017, atime=Wed May 29 14:24:51 2019, length=141312, window=hide | FED5CFC70AA5FB2E209B75D54D8D44E9 | F3740249F5160E63CF8241F302B9106BBE7CB147 | 87FBF2E83D5EB405CF2825711BB415C4331322884C60C353BE87FD3D10296E7D |
| | ASCII text, with CRLF line terminators | FC9856B1122F3A5756ACAE72E4A0554A | F9B9C77E899740C9C319D7D41FA314174D9CF993 | 7CAE5E6106CE4B9D4A1AA74D7F9640737E0E901F4F57E6A2C7AB6365D60A58FE |
| | data | FF291ADF1F74826EE3AA31EA36ADEC1C | 9E647BCB57789C91D08C9B02D73ECD048239B5C5 | 08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36 |
| | data | E5752D8040565FB58BD5169853557385 | 205DDBFACBB6E3BAB10AA8CB8A2C05C8B32899F9 | DFD29A03BF58158A247CF0405ECDD5E09974302D6781E96D3C82E753C4DB9F4E |
| | data | FF291ADF1F74826EE3AA31EA36ADEC1C | 9E647BCB57789C91D08C9B02D73ECD048239B5C5 | 08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36 |

AV Detection:

| Signature | Source |
|---|---|
| Antivirus or Machine Learning detection for dropped file | Joe Sandbox ML |
| Antivirus or Machine Learning detection for sample | Joe Sandbox ML |
| Multi AV Scanner detection for domain / URL | virustotal (2 entries) |
| Multi AV Scanner detection for dropped file | virustotal |
| Multi AV Scanner detection for submitted file | virustotal |
| Antivirus or Machine Learning detection for unpacked file | Avira (4 entries); Joe Sandbox ML (16 entries) |

Cryptography:

| Signature | Source |
|---|---|
| Uses Microsoft's Enhanced Cryptographic Provider | Code function: 5_2_00401D67, 5_2_00401E70, 5_2_00401DED, 5_2_00401F8A, 7_1_00401D67 |

Spreading:

| Signature | Source |
|---|---|
| Enumerates the file system | File opened (6 entries) |

Software Vulnerabilities:

| Signature | Source |
|---|---|
| Potential document exploit detected (performs DNS queries) | DNS query |
| Potential document exploit detected (performs HTTP gets) | TCP traffic |
| Potential document exploit detected (unknown TCP traffic) | TCP traffic |

Networking:

| Signature | Source |
|---|---|
| Detected TCP or UDP traffic on non-standard ports | TCP traffic |
| Uses known network protocols on non-standard ports | Network traffic detected (2 entries) |
| Connects to IPs without corresponding DNS lookups | TCP traffic detected without corresponding DNS query (5 entries) |
| HTTP GET or POST without a user agent | HTTP traffic detected |
| Internet Provider seen in connection with other malware | ASN Name (2 entries) |
| Uses a known web browser user agent for HTTP communication | HTTP traffic detected |
| Downloads files | File created |
| Downloads files from webservers via HTTP | HTTP traffic detected |
| Performs DNS lookups | DNS traffic detected |
| Posts data to webserver | HTTP traffic detected |
| Urls found in memory or binary data | String found in binary or memory |

Spam, unwanted Advertisements and Ransom Demands:

| Signature | Source |
|---|---|
| Contains functionality to import cryptographic keys (often used in ransomware) | Code function: 5_2_00401D67 |

System Summary:

| Signature | Source |
|---|---|
| Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Screenshot OCR |
| PE file has a writeable .text section | Static PE information |
| Powershell drops PE file | File created |
| Contains functionality to delete services | Code function: 5_2_0040C064 |
| Contains functionality to launch a process as a different user | Code function: 5_2_00401BB5 |
| Creates mutexes | Mutant created (4 entries) |
| Detected potential crypto function | Code function: 4_2_0040491B, 4_2_00402CCE, 4_2_004034DA, 4_2_00403DF7, 5_2_0040491B, 5_2_00402CCE, 5_2_004034DA, 5_2_00403DF7, 5_1_00402CCE, 5_1_004034DA, 5_1_0040491B, 5_1_00403DF7, 5_1_00413389, 7_1_0040491B, 7_1_00402CCE, 7_1_004034DA, 7_1_00403DF7, 7_1_00413389 |
| Document contains an ObjectPool stream indicating possible embedded files or OLE objects | OLE indicator, ObjectPool |
| Document contains an embedded VBA macro which executes code when the document is opened / closed | OLE, VBA macro line; OLE, VBA macro: Name: autoopen |
| Document contains embedded VBA macros | OLE indicator, VBA macros |
| Found potential string decryption / allocating functions | Code function |
| Reads the hosts file | File read (4 entries) |
| Classification label | Classification label |
| Contains functionality to create services | Code function: 5_2_0040C134, 5_1_0040C134 |
| Contains functionality to enum processes or threads | Code function: 4_2_004020F4 |
| Contains functionality to modify services (start/stop/modify) | Code function: 5_2_0040C134 |
| Creates files inside the user directory | File created |
| Creates temporary files | File created |
| Document contains an OLE Word Document stream indicating a Microsoft Word file | OLE indicator, Word Document stream |
| Document contains summary information with irregular field values | OLE document summary |
| Found command line output | Console Write (9 entries) |
| Parts of this application are using the .NET runtime (probably coded in C#) | Section loaded (3 entries) |
| Queries process information (via WMI, Win32_Process) | WMI Queries |
| Reads ini files | File read |
| Reads software policies | Key opened |
| Sample is known by Antivirus | virustotal |
| Sample requires command line parameters (based on API chain) | Evasive API call chain |
| Spawns processes | Process created (9 entries) |
| Uses an in-process (OLE) Automation server | Key value queried |
| Found graphical window changes (likely an installer) | Window detected |
| Uses Microsoft Silverlight | File opened |
| Checks if Microsoft Office is installed | Key opened |
| Document has a 'comments' value indicative of goodware | Initial sample |
| Uses new MSVCR Dlls | File opened |
| Document has a 'manager' value indicative of goodware | Initial sample |
| Document has a 'subject' value indicative of goodware | Initial sample |

Data Obfuscation:

| Signature | Source |
|---|---|
| Document contains an embedded VBA with many string operations indicating source code obfuscation | OLE, VBA macro, High number of string operations: Name: dzpqM1P; Name: vawzMw |
| Contains functionality to dynamically determine API calls | Code function: 4_2_004016FD |
| Uses code obfuscation techniques (call, push, ret) | Code function: 4_1_00406C93, 4_1_00406C93, 4_1_00407A3E, 4_1_004032E3, 4_1_004048BA, 4_1_00406C9B, 4_1_00405299, 4_1_00406179, 4_1_00402F7C, 4_1_0040750D, 4_1_00406F2C, 4_1_00405988, 5_1_0040F22F, 5_1_0040E95D, 7_1_0040E95D, 7_1_0040F22F |

Persistence and Installation Behavior:

| Signature | Source |
|---|---|
| Creates processes via WMI | WMI Queries |
| Drops executables to the windows directory (C:\Windows) and starts them | Executable created and started |
| Drops PE files | File created |
| Drops PE files to the user directory | File created |
| Drops PE files to the windows directory (C:\Windows) | PE file moved |

Boot Survival:

| Signature | Source |
|---|---|
| Drops PE files to the user root directory | File created |
| Contains functionality to start windows services | Code function: 5_2_0040C134 |

Hooking and other Techniques for Hiding and Protection:

| Signature | Source |
|---|---|
| Hides that the sample has been downloaded from the Internet (zone.identifier) | File opened |
| Uses known network protocols on non-standard ports | Network traffic detected (2 entries) |
| Disables application error messages (SetErrorMode) | Process information set (141 entries) |

Malware Analysis System Evasion:

| Signature | Source |
|---|---|
| Found evasive API chain (may stop execution after checking mutex) | Evasive API call chain (2 entries) |
| Checks the free space of harddrives | File Volume queried |
| Contains functionality to enumerate running services | Code function: 5_2_0040BE5A |
| Contains long sleeps (>= 3 min) | Thread delayed |
| Enumerates the file system | File opened (6 entries) |
| Found large amount of non-executed APIs | API coverage |
| May sleep (evasive loops) to hinder dynamic analysis | Thread sleep time (3 entries) |
| Program exit points | API call chain (4 entries) |
| Queries a list of all running processes | Process information queried |

Anti Debugging:

| Signature | Source |
|---|---|
| Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) | System information queried |
| Contains functionality to dynamically determine API calls | Code function: 4_2_004016FD |
| Contains functionality to read the PEB | Code function: 4_2_00409CEB, 4_2_00401285, 4_1_00409CEB, 5_2_00409CEB, 5_2_00401285, 5_1_00409CEB, 7_1_00409CEB, 7_1_00401285 |
| Contains functionality which may be used to detect a debugger (GetProcessHeap) | Code function: 4_2_00401485 |
| Enables debug privileges | Process token adjusted |

HIPS / PFW / Operating System Protection Evasion:

| Signature | Source |
|---|---|
| Encrypted powershell cmdline option found | Process created |
| Very long cmdline option found, this is very uncommon (may be encrypted or packed) | Process created |

Language, Device and Operating System Detection:

| Signature | Source |
|---|---|
| Contains functionality to query CPU information (cpuid) | Code function: 4_2_0040CA38 |
| Queries the volume information (name, serial number etc) of a device | Queries volume information (15 entries) |
| Contains functionality to query windows version | Code function: 4_2_00409CEB |
| Queries the cryptographic machine GUID | Key value queried |