Source: 5U5ouw7ryf.exe |
ReversingLabs: Detection: 86% |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000CB764 CryptQueryObject,GetLastError,CryptMsgGetParam,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,lstrcmpA,CryptDecodeObject,GetLastError,CryptDecodeObject,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, |
2_2_000CB764 |
Source: 5U5ouw7ryf.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: 5U5ouw7ryf.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: ntdll.pdb source: 5U5ouw7ryf.exe, 00000000.00000003.1386169269.0000000003320000.00000004.00001000.00020000.00000000.sdmp |
Source: |
Binary string: ntdll.pdbUGP source: 5U5ouw7ryf.exe, 00000000.00000003.1386169269.0000000003320000.00000004.00001000.00020000.00000000.sdmp |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000D73C8 lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError, |
2_2_000D73C8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E0C40 lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW, |
2_2_000E0C40 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E0E4C lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree, |
2_2_000E0E4C |
Source: global traffic |
TCP traffic: 192.168.2.9:49707 -> 141.11.93.195:1081 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 141.11.93.195 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000CBE18 socket,connect,setsockopt,send,recv,shutdown,closesocket,HeapFree, |
2_2_000CBE18 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E4998 GetWindowLongPtrA,SendNotifyMessageA,GetClipboardOwner,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,lstrlenA,HeapAlloc,lstrlenA,lstrlenA,HeapFree,GlobalUnlock,CloseClipboard,SendNotifyMessageA,SetWindowLongPtrA,DefWindowProcA, |
2_2_000E4998 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E4BD4 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, |
2_2_000E4BD4 |
Source: Yara match |
File source: 5U5ouw7ryf.exe, type: SAMPLE |
Source: Yara match |
File source: 2.2.svchost.exe.10cc50.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.5U5ouw7ryf.exe.1a6000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.5U5ouw7ryf.exe.1a6000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.5U5ouw7ryf.exe.1e1000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.5U5ouw7ryf.exe.1e1000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.svchost.exe.147c50.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.0.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 5U5ouw7ryf.exe PID: 7260, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: svchost.exe PID: 7292, type: MEMORYSTR |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000DE68C CreateDesktopA,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,lstrcpyA,CloseDesktop, |
2_2_000DE68C |
Source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Zloader hidden VNC Author: @VK_Intel |
Source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Zloader hidden VNC Author: @VK_Intel |
Source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Zloader hidden VNC Author: @VK_Intel |
Source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Zloader hidden VNC Author: @VK_Intel |
Source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Zloader hidden VNC Author: @VK_Intel |
Source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Zloader hidden VNC Author: @VK_Intel |
Source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Zloader hidden VNC Author: @VK_Intel |
Source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects Zloader hidden VNC Author: @VK_Intel |
Source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects Zloader hidden VNC Author: @VK_Intel |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A321E NtWow64QueryInformationProcess64,GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64, |
0_2_001A321E |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A2612 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, |
0_2_001A2612 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A2849 NtMapViewOfSection,RtlNtStatusToDosError, |
0_2_001A2849 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A3268 NtWow64ReadVirtualMemory64,GetModuleHandleW,GetProcAddress,NtWow64ReadVirtualMemory64, |
0_2_001A3268 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A2883 NtUnmapViewOfSection,RtlNtStatusToDosError, |
0_2_001A2883 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A35A8 GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,LocalFree,LocalFree, |
0_2_001A35A8 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A2F6C memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError, |
0_2_001A2F6C |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A126D NtQueryVirtualMemory, |
0_2_001A126D |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A2BC1 memset,ZwQueryInformationProcess,ReadProcessMemory, |
0_2_001A2BC1 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C5048 ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,StrRChrA, |
2_2_000C5048 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C4868 ZwQueryInformationProcess,ReadProcessMemory, |
2_2_000C4868 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E39CC GetSystemTimes,NtQuerySystemInformation, |
2_2_000E39CC |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E1294 GetProcessId,lstrlenW,HeapAlloc,HeapFree,HeapAlloc,NtQuerySystemInformation,GetCurrentProcess,DuplicateHandle,NtQueryObject,HeapFree,HeapAlloc,HeapFree,HeapAlloc,NtQueryObject,RtlInitUnicodeString,RtlEqualUnicodeString,NtQueryInformationFile,NtQueryInformationFile,HeapAlloc,CloseHandle,HeapFree,HeapFree,HeapFree, |
2_2_000E1294 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C52A4 NtResumeProcess,RtlNtStatusToDosError, |
2_2_000C52A4 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C52BC NtSuspendProcess,RtlNtStatusToDosError, |
2_2_000C52BC |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000ED324 ZwQueryKey,ZwQueryKey, |
2_2_000ED324 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C3448 NtCreateSection,RtlNtStatusToDosError,ZwClose, |
2_2_000C3448 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C4CE0 VirtualAllocEx,NtGetContextThread,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError, |
2_2_000C4CE0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E3D74 InitializeCriticalSection,GetModuleHandleW,GetProcAddress,GetSystemTimes,NtQuerySystemInformation,HeapAlloc,GetTickCount, |
2_2_000E3D74 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C4644 ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory, |
2_2_000C4644 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C36AC NtMapViewOfSection,RtlNtStatusToDosError, |
2_2_000C36AC |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C36FC NtUnmapViewOfSection,RtlNtStatusToDosError, |
2_2_000C36FC |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000DBF94 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,GetLastError,CloseHandle,GetKeyState,ExitWindowsEx, |
2_2_000DBF94 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A104C |
0_2_001A104C |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001CA022 |
0_2_001CA022 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001AE86C |
0_2_001AE86C |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001AF178 |
0_2_001AF178 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001CB9DC |
0_2_001CB9DC |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001AF9E2 |
0_2_001AF9E2 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001C9AB0 |
0_2_001C9AB0 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001C8C3A |
0_2_001C8C3A |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001AED60 |
0_2_001AED60 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001CA594 |
0_2_001CA594 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001AF5AD |
0_2_001AF5AD |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001AE710 |
0_2_001AE710 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001CC72C |
0_2_001CC72C |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001CD7A5 |
0_2_001CD7A5 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000D970C |
2_2_000D970C |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C8804 |
2_2_000C8804 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000DA82C |
2_2_000DA82C |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E187C |
2_2_000E187C |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000CC114 |
2_2_000CC114 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000EC110 |
2_2_000EC110 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000DF968 |
2_2_000DF968 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E0974 |
2_2_000E0974 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E7200 |
2_2_000E7200 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000EAA60 |
2_2_000EAA60 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000DC288 |
2_2_000DC288 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E1294 |
2_2_000E1294 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000EB368 |
2_2_000EB368 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C3C70 |
2_2_000C3C70 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000ED4CC |
2_2_000ED4CC |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C94F8 |
2_2_000C94F8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000D751C |
2_2_000D751C |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000DED60 |
2_2_000DED60 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000D9DA8 |
2_2_000D9DA8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E3E60 |
2_2_000E3E60 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000EB718 |
2_2_000EB718 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000EC748 |
2_2_000EC748 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000EDF84 |
2_2_000EDF84 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000C8FA0 |
2_2_000C8FA0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E8FB0 |
2_2_000E8FB0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000D77FC |
2_2_000D77FC |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_0012F88A |
2_2_0012F88A |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_001159B0 |
2_2_001159B0 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_001311E4 |
2_2_001311E4 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_00115360 |
2_2_00115360 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_001343F5 |
2_2_001343F5 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_001154BB |
2_2_001154BB |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_001154BC |
2_2_001154BC |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_00115DC8 |
2_2_00115DC8 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_0013262C |
2_2_0013262C |
Source: 5U5ouw7ryf.exe, 00000000.00000003.1392327141.00000000033D6000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs 5U5ouw7ryf.exe |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Section loaded: wldp.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: mswsock.dll |
Source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE |
Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352 |
Source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352 |
Source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE |
Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352 |
Source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352 |
Source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352 |
Source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE |
Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352 |
Source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352 |
Source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352 |
Source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352 |
Source: classification engine |
Classification label: mal96.troj.evad.winEXE@3/0@0/1 |
Source: C:\Windows\System32\svchost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\{41435A30-AC43-1BEB-BE05-A07FD209D423} |
Source: 5U5ouw7ryf.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\5U5ouw7ryf.exe "C:\Users\user\Desktop\5U5ouw7ryf.exe" |
|
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k |
|
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000D9004 EnterCriticalSection,LeaveCriticalSection,GetModuleHandleW,LoadLibraryW,GetProcAddress,FreeLibrary, |
2_2_000D9004 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A103B push ecx; ret |
0_2_001A104B |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001C7BF5 push ecx; ret |
0_2_001C7C08 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001AE6FB push ecx; ret |
0_2_001AE70B |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_0012E845 push ecx; ret |
2_2_0012E858 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_0011534B push ecx; ret |
2_2_0011535B |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E30CC IsIconic, |
2_2_000E30CC |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E2308 IsIconic,GetLastActivePopup, |
2_2_000E2308 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000DDC68 IsIconic,GetWindow,GetWindow, |
2_2_000DDC68 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000DC5CC GetWindowLongPtrA,IsIconic, |
2_2_000DC5CC |
Source: C:\Windows\System32\svchost.exe |
Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) |
Source: C:\Windows\System32\svchost.exe |
API coverage: 2.1 % |
Source: svchost.exe, 00000002.00000002.2631935382.000001E8CD220000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E5448 __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException, |
2_2_000E5448 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E8618 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
2_2_000E8618 |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E6EB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_000E6EB4 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Memory allocated: C:\Windows\System32\svchost.exe base: 190000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Memory written: C:\Windows\System32\svchost.exe base: 7FF77AFE5080 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Memory written: C:\Windows\System32\svchost.exe base: 190000 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Memory written: C:\Windows\System32\svchost.exe base: 7FF77AFE5080 |
Source: 5U5ouw7ryf.exe |
Binary or memory string: Program Manager |
Source: 5U5ouw7ryf.exe |
Binary or memory string: GetProgmanWindow |
Source: 5U5ouw7ryf.exe |
Binary or memory string: Shell_TrayWnd |
Source: 5U5ouw7ryf.exe |
Binary or memory string: Progman |
Source: 5U5ouw7ryf.exe |
Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventole32.dllCoCreateInstanceCoCreateInstanceExCoGetClassObjectCoRegisterClassObjectcombase.dlluser32.dllSetImmersiveBackgroundWindowAcquireIAMKeyEnableIAMAccessEnableIAMAccessWin80MsgWaitForMultipleObjectsExKernelBase.dllCloseHandleCreateEventWCreateEventACreateEventExWCreateEventExAOpenEventWOpenEventAwindows.immersiveshell.serviceprovider.dllDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgrversion.dllGetFileVersionInfoSizeWGetFileVersionInfoW1.3.6.1.4.1.311.2.1.12rY |
Source: 5U5ouw7ryf.exe |
Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventwindows.immersiveshell.serviceprovider.dllFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgr0 |
Source: 5U5ouw7ryf.exe |
Binary or memory string: SetProgmanWindow |
Source: C:\Windows\System32\svchost.exe |
Code function: 2_2_000E4364 GetWindowRect,GetWindowRect,GetWindowRect,RedrawWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetLocaleInfoW,CharUpperBuffW,RedrawWindow, |
2_2_000E4364 |
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe |
Code function: 0_2_001A289B GetModuleHandleA,GetVersion,GetCurrentProcessId,StrRChrA,CreateEventA,GetLastError, |
0_2_001A289B |
Source: 5U5ouw7ryf.exe |
String found in binary or memory: RFB 003.008 |
Source: 5U5ouw7ryf.exe, 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: RFB 003.008 |
Source: 5U5ouw7ryf.exe, 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp |
String found in binary or memory: RFB 003.008 |
Source: svchost.exe |
String found in binary or memory: RFB 003.008 |
Source: svchost.exe |
String found in binary or memory: RFB 003.008 |
Source: svchost.exe, 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: RFB 003.008 |
Source: svchost.exe, 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp |
String found in binary or memory: RFB 003.008 |
Source: 5U5ouw7ryf.exe |
String found in binary or memory: RFB 003.008 |