Windows Analysis Report
.com.exe

Overview

General Information

Sample name: .com.exe
renamed because original name is a hash value
Original sample name: instruction.htm .com.exe
Analysis ID: 1410989
MD5: b1f6a4cc592f3c9f7d4b69c02ac74d11
SHA1: db2db17c1d3e2c4f3a45aad9215cc77ed455ffcc
SHA256: 3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5
Tags: exe

Detection

MyDoom
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MyDoom
Connects to many different private IPs (likely to spread or exploit)
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
PE file has a writeable .text section
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to search for IE or Outlook window (often done to steal information)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: .com.exe Avira: detected
Source: C:\Windows\java.exe Avira: detection malicious, Label: TR/Spy.Banker.Gen
Source: C:\Users\user\AppData\Local\Temp\services.exe Avira: detection malicious, Label: BDS/Backdoor.fszhy
Source: C:\Users\user\AppData\Local\Temp\tmpF245.tmp Avira: detection malicious, Label: TR/Spy.Banker.Gen
Source: C:\Windows\services.exe Avira: detection malicious, Label: BDS/Backdoor.fszhy
Source: C:\Users\user\AppData\Local\Temp\services.exe ReversingLabs: Detection: 100%
Source: C:\Windows\java.exe ReversingLabs: Detection: 73%
Source: C:\Windows\services.exe ReversingLabs: Detection: 100%
Source: .com.exe ReversingLabs: Detection: 73%
Source: C:\Windows\java.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\services.exe Joe Sandbox ML: detected
Source: C:\Windows\services.exe Joe Sandbox ML: detected
Source: .com.exe Joe Sandbox ML: detected

Exploits

Source: global traffic TCP traffic: 192.168.2.18:1034
Source: global traffic TCP traffic: 192.168.2.9:1034
Source: global traffic TCP traffic: 192.168.2.14:1034
Source: .com.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading

Source: Yara match File source: 0.2. .com.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.java.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: .com.exe PID: 3416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: java.exe PID: 3384, type: MEMORYSTR
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 0_2_005052AD
Source: C:\Windows\java.exe Code function: 7_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 7_2_005052AD
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Software Vulnerabilities

Source: C:\Windows\java.exe Process created: C:\Users\user\AppData\Local\Temp\services.exe
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_00506AB8 select,recv, 0_2_00506AB8
Source: .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: HLOToFrom%s %sSMTPServerSoftware\Microsoft\%s %s Manager\%ssInternetAccountmx.mail.smtp..logzincite"%s"servicesurlmon.dllURLDownloadToCacheFileAhttp://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.com/web/results?q=%s&kgs=0&kls=0&n=%dhttp://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=&num=%dhttp://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s%s+%s-contact+replymailtoU equals www.yahoo.com (Yahoo)
Source: .com.exe, .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s
Source: .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c
Source: .com.exe, .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: .com.exe, .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.altavista.com/web/results?q=%s&kgs=0&kls=0
Source: .com.exe, .com.exe, 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://denmark.smartscre_
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://denmark.smartscre_curlrcom
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://europe.d
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://europe.dbgcreepp
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://southafrica.smartscreen.microsoft
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://southkoreregid.1991-06.com.microsoftza
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us
Source: .com.exe, 00000000.00000002.2204403538.000000000061E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us
Source: .com.exe, 00000000.00000002.2204403538.0000000000668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 0.2. .com.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.java.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4568272926.0000000000501000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2204036339.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: .com.exe PID: 3416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: java.exe PID: 3384, type: MEMORYSTR

System Summary

Source: .com.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tmpF245.tmp.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\ .com.exe File created: C:\Windows\services.exe
Source: C:\Users\user\Desktop\ .com.exe File created: C:\Windows\java.exe
Source: C:\Users\user\Desktop\ .com.exe File created: C:\Windows\java.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\ .com.exe File deleted: C:\Windows\java.exe
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_00507730 0_2_00507730
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_005011C9 0_2_005011C9
Source: C:\Windows\java.exe Code function: 7_2_00507730 7_2_00507730
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\services.exe BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
Source: C:\Users\user\Desktop\ .com.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1188
Source: C:\Users\user\Desktop\ .com.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ .com.exe Section loaded: winnsi.dll
Source: C:\Windows\services.exe Section loaded: apphelp.dll
Source: C:\Windows\services.exe Section loaded: napinsp.dll
Source: C:\Windows\services.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\services.exe Section loaded: wshbth.dll
Source: C:\Windows\services.exe Section loaded: nlaapi.dll
Source: C:\Windows\services.exe Section loaded: iphlpapi.dll
Source: C:\Windows\services.exe Section loaded: mswsock.dll
Source: C:\Windows\services.exe Section loaded: dnsapi.dll
Source: C:\Windows\services.exe Section loaded: winrnr.dll
Source: C:\Windows\services.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\services.exe Section loaded: rasadhlp.dll
Source: C:\Windows\services.exe Section loaded: wininet.dll
Source: C:\Windows\services.exe Section loaded: iertutil.dll
Source: C:\Windows\services.exe Section loaded: sspicli.dll
Source: C:\Windows\services.exe Section loaded: windows.storage.dll
Source: C:\Windows\services.exe Section loaded: wldp.dll
Source: C:\Windows\services.exe Section loaded: profapi.dll
Source: C:\Windows\services.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\services.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\services.exe Section loaded: winhttp.dll
Source: C:\Windows\services.exe Section loaded: winnsi.dll
Source: C:\Windows\java.exe Section loaded: apphelp.dll
Source: C:\Windows\java.exe Section loaded: napinsp.dll
Source: C:\Windows\java.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\java.exe Section loaded: wshbth.dll
Source: C:\Windows\java.exe Section loaded: nlaapi.dll
Source: C:\Windows\java.exe Section loaded: iphlpapi.dll
Source: C:\Windows\java.exe Section loaded: mswsock.dll
Source: C:\Windows\java.exe Section loaded: dnsapi.dll
Source: C:\Windows\java.exe Section loaded: winrnr.dll
Source: C:\Windows\java.exe Section loaded: wininet.dll
Source: C:\Windows\java.exe Section loaded: iertutil.dll
Source: C:\Windows\java.exe Section loaded: sspicli.dll
Source: C:\Windows\java.exe Section loaded: windows.storage.dll
Source: C:\Windows\java.exe Section loaded: wldp.dll
Source: C:\Windows\java.exe Section loaded: profapi.dll
Source: C:\Windows\java.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\java.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\java.exe Section loaded: winhttp.dll
Source: C:\Windows\java.exe Section loaded: winnsi.dll
Source: C:\Windows\java.exe Section loaded: ntmarta.dll
Source: C:\Windows\java.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\java.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: rasadhlp.dll
Source: .com.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: .com.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tmpF245.tmp.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal100.spre.expl.evad.winEXE@8/13@0/9
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3416
Source: C:\Windows\java.exe Mutant created: \Sessions\1\BaseNamedObjects\494126root494126root4494126root494126root44
Source: C:\Users\user\Desktop\ .com.exe File created: C:\Users\user\AppData\Local\Temp\zincite.log
Source: C:\Users\user\Desktop\ .com.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: .com.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\ .com.exe File read: C:\Users\user\Desktop\ .com.exe
Source: unknown Process created: C:\Users\user\Desktop\ .com.exe C:\Users\user\Desktop\ .com.exe
Source: C:\Users\user\Desktop\ .com.exe Process created: C:\Windows\services.exe C:\Windows\services.exe
Source: C:\Users\user\Desktop\ .com.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1188
Source: unknown Process created: C:\Windows\java.exe "C:\Windows\java.exe"
Source: C:\Windows\java.exe Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe
Source: unknown Process created: C:\Windows\services.exe "C:\Windows\services.exe"
Source: C:\Users\user\Desktop\ .com.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState, 0_2_00503620
Source: services.exe.0.dr Static PE information: section name: UPX2
Source: services.exe.7.dr Static PE information: section name: UPX2
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_0050A42D push ds; ret 0_2_0050A42E
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_0050DEA6 push ds; ret 0_2_0050DEBE
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_0050A501 push ecx; retf 0_2_0050A53F
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_0050A50F push ecx; retf 0_2_0050A53F
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_00509BA2 push edx; retf 0_2_00509BAB
Source: C:\Windows\services.exe Code function: 1_2_00405A55 push es; iretd 1_2_00405A8E
Source: C:\Windows\java.exe Code function: 7_2_0050A42D push ds; ret 7_2_0050A42E
Source: C:\Windows\java.exe Code function: 7_2_0050DEA6 push ds; ret 7_2_0050DEBE
Source: C:\Windows\java.exe Code function: 7_2_0050A501 push ecx; retf 7_2_0050A53F
Source: C:\Windows\java.exe Code function: 7_2_0050A50F push ecx; retf 7_2_0050A53F
Source: C:\Windows\java.exe Code function: 7_2_00509BA2 push edx; retf 7_2_00509BAB
Source: .com.exe Static PE information: section name: .text entropy: 6.805048281534057
Source: java.exe.0.dr Static PE information: section name: .text entropy: 6.805048281534057
Source: tmpF245.tmp.7.dr Static PE information: section name: .text entropy: 6.805048281534057
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\ .com.exe File created: C:\Windows\services.exe
Source: C:\Windows\java.exe File created: C:\Users\user\AppData\Local\Temp\services.exe
Source: C:\Users\user\Desktop\ .com.exe Executable created and started: C:\Windows\services.exe
Source: unknown Executable created and started: C:\Windows\java.exe
Source: C:\Windows\java.exe File created: tmpF245.tmp.7.dr
Source: C:\Users\user\Desktop\ .com.exe File created: C:\Windows\java.exe
Source: C:\Windows\java.exe File created: C:\Users\user\AppData\Local\Temp\tmpF245.tmp
Source: C:\Users\user\Desktop\ .com.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM
Source: C:\Windows\services.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ .com.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\ .com.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\services.exe File opened: \Device\Afd\Endpoint count: 30496
Source: C:\Windows\services.exe Window / User API: threadDelayed 2844
Source: C:\Windows\java.exe Window / User API: threadDelayed 1778
Source: C:\Windows\java.exe Window / User API: threadDelayed 7290
Source: C:\Users\user\AppData\Local\Temp\services.exe Window / User API: threadDelayed 7518
Source: C:\Users\user\AppData\Local\Temp\services.exe Window / User API: threadDelayed 2480
Source: C:\Windows\services.exe Window / User API: threadDelayed 9950
Source: C:\Windows\java.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\services.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\java.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmpF245.tmp
Source: C:\Users\user\Desktop\ .com.exe TID: 5536 Thread sleep time: -48000s >= -30000s
Source: C:\Windows\services.exe TID: 6480 Thread sleep count: 2844 > 30
Source: C:\Windows\java.exe TID: 3328 Thread sleep count: 1778 > 30
Source: C:\Windows\java.exe TID: 3328 Thread sleep time: -1422400s >= -30000s
Source: C:\Windows\java.exe TID: 2612 Thread sleep count: 43 > 30
Source: C:\Windows\java.exe TID: 2612 Thread sleep count: 258 > 30
Source: C:\Windows\java.exe TID: 3328 Thread sleep count: 7290 > 30
Source: C:\Windows\java.exe TID: 3328 Thread sleep time: -5832000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 Thread sleep count: 7518 > 30
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 Thread sleep time: -1879500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 Thread sleep count: 2480 > 30
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 Thread sleep time: -620000s >= -30000s
Source: C:\Windows\services.exe TID: 6768 Thread sleep count: 9950 > 30
Source: C:\Windows\services.exe TID: 6768 Thread sleep time: -2487500s >= -30000s
Source: C:\Windows\services.exe TID: 6768 Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\ .com.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h 0_2_00505717
Source: C:\Windows\java.exe Code function: 7_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h 7_2_00505717
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 0_2_005052AD
Source: C:\Windows\java.exe Code function: 7_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 7_2_005052AD
Source: C:\Users\user\Desktop\ .com.exe Thread delayed: delay time: 48000
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
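The per-thread sleep hits above carry the two thresholds the sandbox applies: more than 30 sleeps on a single thread, or a cumulative delay of at least 30000. Because the report's signature line gives only the verdict, the following Python, an added example and not part of the Joe Sandbox report, parses those exact lines, pairs each "count" hit with the cumulative "time" hit that follows it for the same thread, and derives the delay per Sleep() call. The report prints the time values with an "s" suffix; this example treats them as milliseconds (an assumption), since the value 48000 reappears in the "Thread delayed: delay time: 48000" entry for the same thread and every paired total is an exact multiple of its count.

```python
import re
from collections import defaultdict

# Constructed input: the per-thread "Thread sleep" lines of the report above, copied
# verbatim. The sandbox prints a 'count' line per thread and, where it summed the
# delays, a cumulative 'time' line right after it for the same thread.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\ .com.exe TID: 5536 Thread sleep time: -48000s >= -30000s
Source: C:\Windows\services.exe TID: 6480 Thread sleep count: 2844 > 30
Source: C:\Windows\java.exe TID: 3328 Thread sleep count: 1778 > 30
Source: C:\Windows\java.exe TID: 3328 Thread sleep time: -1422400s >= -30000s
Source: C:\Windows\java.exe TID: 2612 Thread sleep count: 43 > 30
Source: C:\Windows\java.exe TID: 2612 Thread sleep count: 258 > 30
Source: C:\Windows\java.exe TID: 3328 Thread sleep count: 7290 > 30
Source: C:\Windows\java.exe TID: 3328 Thread sleep time: -5832000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 Thread sleep count: 7518 > 30
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 Thread sleep time: -1879500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 Thread sleep count: 2480 > 30
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 3524 Thread sleep time: -620000s >= -30000s
Source: C:\Windows\services.exe TID: 6768 Thread sleep count: 9950 > 30
Source: C:\Windows\services.exe TID: 6768 Thread sleep time: -2487500s >= -30000s
Source: C:\Windows\services.exe TID: 6768 Thread sleep count: 48 > 30
"""

LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep (?P<kind>count|time): "
    r"-?(?P<value>\d+)"
)

# The two thresholds the report prints beside every hit. Time values are treated as
# milliseconds (assumption, see the lead-in); the sign is dropped.
COUNT_THRESHOLD = 30
TIME_THRESHOLD_MS = 30000


def parse_sleep_events(text):
    """One record per sleep loop: a 'count' line plus the cumulative 'time' line that
    follows it for the same (process, TID), when the sandbox emitted one."""
    events = []
    awaiting_time = {}  # (proc, tid) -> index of the last count record without a time
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = (m["proc"], int(m["tid"]))
        value = int(m["value"])
        if m["kind"] == "count":
            events.append({"proc": key[0], "tid": key[1], "count": value, "total_ms": None})
            awaiting_time[key] = len(events) - 1
        else:
            idx = awaiting_time.pop(key, None)
            if idx is None:
                # A lone time line (the desktop sample's single long sleep).
                events.append({"proc": key[0], "tid": key[1], "count": None, "total_ms": value})
            else:
                events[idx]["total_ms"] = value
    return events


def summarize(events):
    """Apply the sandbox's thresholds and derive the delay per Sleep() call."""
    rows = []
    for e in events:
        per_call = e["total_ms"] / e["count"] if e["count"] and e["total_ms"] else None
        flagged = (e["count"] or 0) > COUNT_THRESHOLD or (e["total_ms"] or 0) >= TIME_THRESHOLD_MS
        rows.append({**e, "per_call_ms": per_call, "flagged": flagged})
    return rows


def per_process_totals(rows):
    """Sum sleeps and delay across threads so each dropped copy can be compared."""
    totals = defaultdict(lambda: {"sleeps": 0, "total_ms": 0})
    for r in rows:
        totals[r["proc"]]["sleeps"] += r["count"] or 0
        totals[r["proc"]]["total_ms"] += r["total_ms"] or 0
    return dict(totals)


def per_call_delays(rows):
    """Distinct per-call delays; a small set means a fixed Sleep() argument in a loop."""
    return {r["per_call_ms"] for r in rows if r["per_call_ms"] is not None}


if __name__ == "__main__":
    rows = summarize(parse_sleep_events(REPORT_LINES))
    for r in rows:
        print(f"{r['proc']:55} TID {r['tid']:<5} count={r['count']!s:>5} "
              f"total_ms={r['total_ms']!s:>8} per_call_ms={r['per_call_ms']!s:>6} flagged={r['flagged']}")
    for proc, t in per_process_totals(rows).items():
        print(f"{proc}: {t['sleeps']} sleeps, {t['total_ms']} ms")
    print("distinct per-call delays (ms):", sorted(per_call_delays(rows)))
```

Every paired loop resolves to a constant 250 ms or 800 ms per call, so the hits describe tight polling loops around a fixed Sleep() rather than one long delay; that is why the count threshold fires thousands of times over while a single-sleep heuristic would only see the desktop sample's 48 s wait.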
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: services.exe, 00000001.00000002.4568799988.0000000000812000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.4570438309.000000000088E000.00000004.00000020.00020000.00000000.sdmp, services.exe, 00000009.00000002.4568741820.0000000000800000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: services.exe, 00000008.00000002.4568761248.0000000000812000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: .com.exe, 00000000.00000002.2204403538.000000000061E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
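Nearly all of the VM-related strings above are attributed to Amcache.hve.6.dr, i.e. the Windows application-compatibility hive written out as a dropped file of process 6, which describes the analysis machine's hardware rather than anything the sample looked for. The only such strings found in the sample's own memory dumps (the .sdmp sources) are the "Hyper-V RAW" Winsock catalog entry. As an added example, not part of the report, the following Python parses "Binary or memory string" hits, labels each by provenance, and lists only the strings that came from process memory and are not explained by a known-benign source. The assumption that "Hyper-V RAW" is the catalog name of the AF_HYPERV Winsock provider in mswsock.dll, which any Winsock client enumerates, is the example's own; the VBoxService.exe control line is constructed and does not appear in the report.

```python
import re
from collections import Counter

# Constructed input: "Binary or memory string" lines copied verbatim from the report above.
REPORT_LINES = r"""
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: services.exe, 00000001.00000002.4568799988.0000000000812000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.4570438309.000000000088E000.00000004.00000020.00020000.00000000.sdmp, services.exe, 00000009.00000002.4568741820.0000000000800000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: .com.exe, 00000000.00000002.2204403538.000000000061E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
"""

# Constructed control line (NOT in the report): what a genuine VM check carried in the
# sample's own memory would look like.
CONSTRUCTED_POSITIVE = r"""
Source: .com.exe, 00000000.00000002.2204403538.000000000061E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxService.exe
"""

HIT_RE = re.compile(r"^Source: (?P<src>.+?) Binary or memory string: (?P<string>.*)$")

# Assumed benign: "Hyper-V RAW" is the Winsock protocol-catalog name of the AF_HYPERV
# provider (mswsock.dll), so it shows up in any process that initialises Winsock.
KNOWN_BENIGN_PREFIXES = ("hyper-v raw",)


def classify_source(src):
    """Map the comma-separated Source field to provenance labels."""
    labels = set()
    for token in (t.strip() for t in src.split(",")):
        low = token.lower()
        if low.endswith(".dr"):
            labels.add("dropped-file-hive" if low.startswith("amcache.hve") else "dropped-file")
        elif low.endswith(".sdmp"):
            labels.add("process-memory")
    return labels or {"other"}


def parse_hits(text):
    hits = []
    for raw in text.splitlines():
        m = HIT_RE.match(raw.strip())
        if m:
            hits.append({"source": m["src"], "string": m["string"],
                         "provenance": classify_source(m["src"])})
    return hits


def triage(text):
    """Count hits per provenance and keep the process-memory strings that need a look."""
    by_prov = Counter()
    unexplained = []
    for hit in parse_hits(text):
        for label in hit["provenance"]:
            by_prov[label] += 1
        if "process-memory" in hit["provenance"] and \
                not hit["string"].lower().startswith(KNOWN_BENIGN_PREFIXES):
            unexplained.append(hit["string"])
    return {"by_provenance": dict(by_prov), "unexplained_in_sample_memory": unexplained}


if __name__ == "__main__":
    print(triage(REPORT_LINES))
    print(triage(CONSTRUCTED_POSITIVE))
```

On the report's lines the unexplained list is empty: the VMware and VMCI strings all come from the Amcache hive, so they are evidence about the sandbox, not of a VM check in the malware. The constructed control line shows the path that would surface a real check.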
Source: C:\Users\user\Desktop\ .com.exe API call chain: ExitProcess graph end node
Source: C:\Windows\services.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ .com.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_00505A45 LdrInitializeThunk,lstrcpy,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcat,lstrcat,lstrcpy,lstrcpy, 0_2_00505A45
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState, 0_2_00503620
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_00504E00 GetProcessHeap,RtlAllocateHeap,CreateFileA,ReadFile,ReadFile,FindCloseChangeNotification,GetProcessHeap,HeapFree, 0_2_00504E00
Source: C:\Users\user\Desktop\ .com.exe Process created: C:\Windows\services.exe C:\Windows\services.exe
Source: C:\Windows\java.exe Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA, 0_2_005032CB
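The two process creations above are the behaviour behind the "System File Execution Location Anomaly" and "Files With System Process Name In Unsuspected Locations" hits: a services.exe started from C:\Windows instead of C:\Windows\System32, a second one from the user's Temp directory, and a java.exe sitting directly in the Windows root. As an added example, not the report's or the Sigma rules' own logic, the following Python applies that kind of path check to process-creation events. The directory baseline (EXPECTED_DIRS, WINDOWS_ROOT_BINARIES) is an assumed, partial one for 64-bit Windows 10; the third event is constructed to show the quiet path.

```python
import ntpath

# Assumed baseline, not taken from the report: directories in which these Windows
# system binaries legitimately live on 64-bit Windows 10. Build yours from a golden image.
EXPECTED_DIRS = {
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "werfault.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
WINDOWS_ROOT = r"c:\windows"
# Executables that genuinely ship directly in the Windows root (partial, assumed baseline).
WINDOWS_ROOT_BINARIES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                         "write.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe"}


def image_reasons(path):
    """Return the list of reasons an image path is suspicious (empty means fine)."""
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower().rstrip("\\")
    reasons = []
    if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
        # A well-known system binary name running from somewhere it never lives.
        reasons.append("system-name-wrong-location")
    elif parent == WINDOWS_ROOT and name not in WINDOWS_ROOT_BINARIES:
        # Dropped straight into C:\Windows under a benign-looking name.
        reasons.append("unexpected-in-windows-root")
    if "temp" in parent.split("\\") or "tmp" in parent.split("\\"):
        reasons.append("run-from-temp")
    return reasons


# Constructed from the two "Process created" lines above (parent image, child image),
# plus one benign pair that is constructed and not in the report.
PROCESS_CREATIONS = [
    (r"C:\Users\user\Desktop\ .com.exe", r"C:\Windows\services.exe"),
    (r"C:\Windows\java.exe", r"C:\Users\user\AppData\Local\Temp\services.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]


def audit_process_creations(events):
    """Flag creations where the parent or the child image is suspicious."""
    findings = []
    for parent, child in events:
        pr, cr = image_reasons(parent), image_reasons(child)
        if pr or cr:
            findings.append({"parent": parent, "child": child,
                             "parent_reasons": pr, "child_reasons": cr})
    return findings


if __name__ == "__main__":
    for f in audit_process_creations(PROCESS_CREATIONS):
        print(f"{f['parent']} {f['parent_reasons']} -> {f['child']} {f['child_reasons']}")
```

Note what the rules deliberately do not flag: the original sample on the Desktop, since executables in the user profile are routine; the signal here is a system process name outside its canonical directory and an unknown binary in the Windows root, which is exactly the combination a privileged dropper produces.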
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\ .com.exe Code function: 0_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread, 0_2_0050311C
Source: C:\Windows\java.exe Code function: 7_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetModuleHandleA,GetProcAddress, 7_2_0050311C
Source: C:\Windows\services.exe Code function: 1_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle, 1_2_00401F0E
[Legend of a map graphic: No. of IPs < 25% / 25% < No. of IPs < 50% / 50% < No. of IPs < 75% / 75% < No. of IPs]