Windows Analysis Report
mail.txt .exe

Overview

General Information

Sample name: mail.txt .exe
Analysis ID: 1410988
MD5: edf4ff0bc5da6dabd5e7b78113d73bd8
SHA1: af49d2935b75627f6f748256f10c555d54040f2e
SHA256: e16d377c12b63acb694601b4bde36d61839054409e7fae1661fb051892d2ed36
Tags: exe

Detection

MyDoom
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Yara detected MyDoom
Connects to many different private IPs (likely to spread or exploit)
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses an obfuscated file name to hide its real file extension (a lot of spaces)
Uses an obfuscated file name to hide its real file extension (double extension)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to search for IE or Outlook window (often done to steal information)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates processes with suspicious names
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: mail.txt .exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\services.exe Avira: detection malicious, Label: BDS/Backdoor.fszhy
Source: C:\Windows\java.exe Avira: detection malicious, Label: TR/Spy.Banker.Gen
Source: C:\Users\user\AppData\Local\Temp\tmp4F4F.tmp Avira: detection malicious, Label: TR/Spy.Banker.Gen
Source: C:\Windows\services.exe Avira: detection malicious, Label: BDS/Backdoor.fszhy
Source: C:\Users\user\AppData\Local\Temp\services.exe ReversingLabs: Detection: 100%
Source: C:\Windows\java.exe ReversingLabs: Detection: 73%
Source: C:\Windows\services.exe ReversingLabs: Detection: 100%
Source: mail.txt .exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\services.exe Joe Sandbox ML: detected
Source: C:\Windows\java.exe Joe Sandbox ML: detected
Source: C:\Windows\services.exe Joe Sandbox ML: detected
Source: mail.txt .exe Joe Sandbox ML: detected

Exploits

Source: global traffic TCP traffic: 192.168.2.18:1034
Source: global traffic TCP traffic: 192.168.2.9:1034
Source: global traffic TCP traffic: 192.168.2.13:1034
Source: global traffic TCP traffic: 192.168.2.12:1034
Source: mail.txt .exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading

Source: Yara match File source: 0.2.mail.txt .exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.java.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mail.txt .exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: java.exe PID: 3664, type: MEMORYSTR
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 0_2_005052AD
Source: C:\Windows\java.exe Code function: 3_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 3_2_005052AD
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\

Software Vulnerabilities

Source: C:\Windows\java.exe Process created: C:\Users\user\AppData\Local\Temp\services.exe
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_00506AB8 select,recv, 0_2_00506AB8
Source: mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: HLOToFrom%s %sSMTPServerSoftware\Microsoft\%s %s Manager\%ssInternetAccountmx.mail.smtp..logzincite"%s"servicesurlmon.dllURLDownloadToCacheFileAhttp://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.com/web/results?q=%s&kgs=0&kls=0&n=%dhttp://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=&num=%dhttp://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s%s+%s-contact+replymailtoU equals www.yahoo.com (Yahoo)
Source: mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s
Source: mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c
Source: mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=
Source: Amcache.hve.10.dr String found in binary or memory: http://upx.sf.net
Source: mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.altavista.com/web/results?q=%s&kgs=0&kls=0
Source: mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 0.2.mail.txt .exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.java.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mail.txt .exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: java.exe PID: 3664, type: MEMORYSTR

System Summary

Source: mail.txt .exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tmp4F4F.tmp.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\mail.txt .exe File created: C:\Windows\services.exe
Source: C:\Users\user\Desktop\mail.txt .exe File created: C:\Windows\java.exe
Source: C:\Users\user\Desktop\mail.txt .exe File created: C:\Windows\java.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\mail.txt .exe File deleted: C:\Windows\java.exe
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_00507730 0_2_00507730
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_005011C9 0_2_005011C9
Source: C:\Windows\java.exe Code function: 3_2_00507730 3_2_00507730
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\services.exe BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
Source: Joe Sandbox View Dropped File: C:\Windows\services.exe BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
Source: C:\Users\user\Desktop\mail.txt .exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 1264
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\mail.txt .exe Section loaded: winnsi.dll
Source: C:\Windows\services.exe Section loaded: apphelp.dll
Source: C:\Windows\services.exe Section loaded: napinsp.dll
Source: C:\Windows\services.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\services.exe Section loaded: wshbth.dll
Source: C:\Windows\services.exe Section loaded: nlaapi.dll
Source: C:\Windows\services.exe Section loaded: iphlpapi.dll
Source: C:\Windows\services.exe Section loaded: mswsock.dll
Source: C:\Windows\services.exe Section loaded: dnsapi.dll
Source: C:\Windows\services.exe Section loaded: winrnr.dll
Source: C:\Windows\services.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\services.exe Section loaded: rasadhlp.dll
Source: C:\Windows\services.exe Section loaded: wininet.dll
Source: C:\Windows\services.exe Section loaded: iertutil.dll
Source: C:\Windows\services.exe Section loaded: sspicli.dll
Source: C:\Windows\services.exe Section loaded: windows.storage.dll
Source: C:\Windows\services.exe Section loaded: wldp.dll
Source: C:\Windows\services.exe Section loaded: profapi.dll
Source: C:\Windows\services.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\services.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\services.exe Section loaded: winhttp.dll
Source: C:\Windows\services.exe Section loaded: winnsi.dll
Source: C:\Windows\java.exe Section loaded: apphelp.dll
Source: C:\Windows\java.exe Section loaded: napinsp.dll
Source: C:\Windows\java.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\java.exe Section loaded: wshbth.dll
Source: C:\Windows\java.exe Section loaded: nlaapi.dll
Source: C:\Windows\java.exe Section loaded: iphlpapi.dll
Source: C:\Windows\java.exe Section loaded: mswsock.dll
Source: C:\Windows\java.exe Section loaded: dnsapi.dll
Source: C:\Windows\java.exe Section loaded: winrnr.dll
Source: C:\Windows\java.exe Section loaded: wininet.dll
Source: C:\Windows\java.exe Section loaded: iertutil.dll
Source: C:\Windows\java.exe Section loaded: sspicli.dll
Source: C:\Windows\java.exe Section loaded: windows.storage.dll
Source: C:\Windows\java.exe Section loaded: wldp.dll
Source: C:\Windows\java.exe Section loaded: profapi.dll
Source: C:\Windows\java.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\java.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\java.exe Section loaded: winhttp.dll
Source: C:\Windows\java.exe Section loaded: winnsi.dll
Source: C:\Windows\java.exe Section loaded: ntmarta.dll
Source: C:\Windows\java.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\java.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: rasadhlp.dll
Source: mail.txt .exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.spre.expl.evad.winEXE@8/13@0/9
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6968
Source: C:\Windows\java.exe Mutant created: \Sessions\1\BaseNamedObjects\849224root849224root8849224root849224root88
Source: C:\Users\user\Desktop\mail.txt .exe File created: C:\Users\user\AppData\Local\Temp\zincite.log
Source: C:\Users\user\Desktop\mail.txt .exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\mail.txt .exe File read: C:\Users\user\Desktop\mail.txt .exe
Source: unknown Process created: C:\Users\user\Desktop\mail.txt .exe C:\Users\user\Desktop\mail.txt .exe
Source: C:\Users\user\Desktop\mail.txt .exe Process created: C:\Windows\services.exe C:\Windows\services.exe
Source: unknown Process created: C:\Windows\java.exe "C:\Windows\java.exe"
Source: C:\Windows\java.exe Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe
Source: unknown Process created: C:\Windows\services.exe "C:\Windows\services.exe"
Source: C:\Users\user\Desktop\mail.txt .exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState, 0_2_00503620
Source: services.exe.0.dr Static PE information: section name: UPX2
Source: services.exe.3.dr Static PE information: section name: UPX2
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_0050A42D push ds; ret 0_2_0050A42E
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_0050DEA6 push ds; ret 0_2_0050DEBE
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_0050A501 push ecx; retf 0_2_0050A53F
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_0050A50F push ecx; retf 0_2_0050A53F
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_00509BA2 push edx; retf 0_2_00509BAB
Source: C:\Windows\services.exe Code function: 1_2_00405A55 push es; iretd 1_2_00405A8E
Source: C:\Windows\java.exe Code function: 3_2_0050A42D push ds; ret 3_2_0050A42E
Source: C:\Windows\java.exe Code function: 3_2_0050DEA6 push ds; ret 3_2_0050DEBE
Source: C:\Windows\java.exe Code function: 3_2_0050A501 push ecx; retf 3_2_0050A53F
Source: C:\Windows\java.exe Code function: 3_2_0050A50F push ecx; retf 3_2_0050A53F
Source: C:\Windows\java.exe Code function: 3_2_00509BA2 push edx; retf 3_2_00509BAB
Source: mail.txt .exe Static PE information: section name: .text entropy: 6.805048281534057
Source: java.exe.0.dr Static PE information: section name: .text entropy: 6.805048281534057
Source: tmp4F4F.tmp.3.dr Static PE information: section name: .text entropy: 6.805048281534057
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\mail.txt .exe File created: C:\Windows\services.exe
Source: C:\Windows\java.exe File created: C:\Users\user\AppData\Local\Temp\services.exe
Source: C:\Users\user\Desktop\mail.txt .exe Executable created and started: C:\Windows\services.exe
Source: unknown Executable created and started: C:\Windows\java.exe
Source: C:\Windows\java.exe File created: tmp4F4F.tmp.3.dr
Source: C:\Users\user\Desktop\mail.txt .exe File created: \mail.txt .exe
Source: C:\Users\user\Desktop\mail.txt .exe File created: C:\Windows\java.exe
Source: C:\Windows\java.exe File created: C:\Users\user\AppData\Local\Temp\tmp4F4F.tmp
Source: C:\Users\user\Desktop\mail.txt .exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM
Source: C:\Windows\services.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services

Hooking and other Techniques for Hiding and Protection

Source: Detected 51 consecutive spaces in filename Static PE information: mail.txt .exe
Source: Possible double extension: txt.exe Static PE information: mail.txt .exe
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\mail.txt .exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\mail.txt .exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\services.exe Window / User API: threadDelayed 2878
Source: C:\Windows\java.exe Window / User API: threadDelayed 356
Source: C:\Windows\java.exe Window / User API: threadDelayed 8716
Source: C:\Users\user\AppData\Local\Temp\services.exe Window / User API: threadDelayed 7251
Source: C:\Users\user\AppData\Local\Temp\services.exe Window / User API: threadDelayed 2747
Source: C:\Windows\services.exe Window / User API: threadDelayed 9895
Source: C:\Windows\java.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\services.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\java.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp4F4F.tmp
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092 Thread sleep time: -84000s >= -30000s
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092 Thread sleep count: 62 > 30
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092 Thread sleep count: 297 > 30
Source: C:\Windows\services.exe TID: 7156 Thread sleep count: 2878 > 30
Source: C:\Windows\java.exe TID: 2468 Thread sleep count: 356 > 30
Source: C:\Windows\java.exe TID: 2468 Thread sleep time: -284800s >= -30000s
Source: C:\Windows\java.exe TID: 4124 Thread sleep count: 42 > 30
Source: C:\Windows\java.exe TID: 4124 Thread sleep count: 251 > 30
Source: C:\Windows\java.exe TID: 2468 Thread sleep count: 8716 > 30
Source: C:\Windows\java.exe TID: 2468 Thread sleep time: -6972800s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460 Thread sleep count: 7251 > 30
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460 Thread sleep time: -1812750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460 Thread sleep count: 2747 > 30
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460 Thread sleep time: -686750s >= -30000s
Source: C:\Windows\services.exe TID: 6048 Thread sleep count: 9895 > 30
Source: C:\Windows\services.exe TID: 6048 Thread sleep time: -2473750s >= -30000s
Source: C:\Windows\services.exe TID: 6048 Thread sleep count: 103 > 30
Source: C:\Users\user\Desktop\mail.txt .exe Last function: Thread delayed
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h 0_2_00505717
Source: C:\Windows\java.exe Code function: 3_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h 3_2_00505717
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 0_2_005052AD
Source: C:\Windows\java.exe Code function: 3_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 3_2_005052AD
Source: C:\Users\user\Desktop\mail.txt .exe Thread delayed: delay time: 84000
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\
Source: C:\Users\user\Desktop\mail.txt .exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: Amcache.hve.10.dr Binary or memory string: VMware
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mail.txt .exe, 00000000.00000003.2426549427.0000000000821000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: mail.txt .exe, 00000000.00000002.2729293430.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.4466533402.000000000082E000.00000004.00000020.00020000.00000000.sdmp, services.exe, 00000004.00000002.4466269343.0000000000812000.00000004.00000020.00020000.00000000.sdmp, services.exe, 00000005.00000002.4466259388.0000000000800000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: services.exe, 00000001.00000002.4466417572.0000000000812000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: Amcache.hve.10.dr Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr Binary or memory string: \driver\vmci,\driver\pci
Source: mail.txt .exe, 00000000.00000003.2426549427.0000000000821000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: i VMware, Inc.
Source: Amcache.hve.10.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\mail.txt .exe API call chain: ExitProcess graph end node
Source: C:\Windows\services.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\mail.txt .exe Process queried: DebugPort
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState, 0_2_00503620
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_00504E00 GetProcessHeap,RtlAllocateHeap,CreateFileA,ReadFile,ReadFile,FindCloseChangeNotification,GetProcessHeap,RtlFreeHeap, 0_2_00504E00
Source: C:\Users\user\Desktop\mail.txt .exe Process created: C:\Windows\services.exe C:\Windows\services.exe
Source: C:\Windows\java.exe Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA, 0_2_005032CB
Source: Amcache.hve.10.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\mail.txt .exe Code function: 0_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread, 0_2_0050311C
Source: C:\Windows\java.exe Code function: 3_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetModuleHandleA,GetProcAddress, 3_2_0050311C
Source: C:\Windows\services.exe Code function: 1_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle, 1_2_00401F0E