Windows Analysis Report
5U5ouw7ryf.exe

Overview

General Information

Sample name: 5U5ouw7ryf.exe
renamed because original name is a hash value
Original sample name: 41b5953e5d8016a817f4f793f7eb708c.exe
Analysis ID: 1416007
MD5: 41b5953e5d8016a817f4f793f7eb708c
SHA1: c8f1fc586c61c93b9cb2d9ab3401ac548e3d10e7
SHA256: 636f2b1624573965b7fc093117d8927ebffdbc0d852c241aede59fe81fece84f
Tags: 32, exe, trojan

Detection

Ramnit
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Ramnit VNC Module
Allocates memory in foreign processes
Contains VNC / remote desktop functionality (version string found)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Ramnit
Description: According to Check Point, Ramnit is primarily a banking trojan, meaning that its purpose is to steal login credentials for online banking, which cybercriminals can sell or use in future attacks. For this reason, Ramnit primarily targets individuals rather than focusing on particular industries. Ramnit campaigns have been observed to target organizations in particular industries. For example, a 2019 campaign targeted financial organizations in the United Kingdom, Italy, and Canada.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit

AV Detection

Source: 5U5ouw7ryf.exe Avira: detected
Source: 5U5ouw7ryf.exe ReversingLabs: Detection: 86%
Source: 5U5ouw7ryf.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000CB764 CryptQueryObject,GetLastError,CryptMsgGetParam,CryptMsgGetParam,GetLastError,CertFindCertificateInStore,GetLastError,lstrcmpA,CryptDecodeObject,GetLastError,CryptDecodeObject,GetLastError,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, 2_2_000CB764
Source: 5U5ouw7ryf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5U5ouw7ryf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: ntdll.pdb source: 5U5ouw7ryf.exe, 00000000.00000003.1386169269.0000000003320000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: 5U5ouw7ryf.exe, 00000000.00000003.1386169269.0000000003320000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000D73C8 lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError, 2_2_000D73C8
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E0C40 lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW, 2_2_000E0C40
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E0E4C lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree, 2_2_000E0E4C
Source: global traffic TCP traffic: 192.168.2.9:49707 -> 141.11.93.195:1081
Source: unknown TCP traffic detected without corresponding DNS query: 141.11.93.195
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000CBE18 socket,connect,setsockopt,send,recv,shutdown,closesocket,HeapFree, 2_2_000CBE18
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E4998 GetWindowLongPtrA,SendNotifyMessageA,GetClipboardOwner,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,lstrlenA,HeapAlloc,lstrlenA,lstrlenA,HeapFree,GlobalUnlock,CloseClipboard,SendNotifyMessageA,SetWindowLongPtrA,DefWindowProcA, 2_2_000E4998
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E4BD4 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 2_2_000E4BD4
Source: Yara match File source: 5U5ouw7ryf.exe, type: SAMPLE
Source: Yara match File source: 2.2.svchost.exe.10cc50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1a6000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1a6000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1e1000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1e1000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.147c50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5U5ouw7ryf.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7292, type: MEMORYSTR
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000DE68C CreateDesktopA,GetLastError,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,lstrcpyA,CloseDesktop, 2_2_000DE68C

System Summary

Source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Zloader hidden VNC Author: @VK_Intel
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A321E NtWow64QueryInformationProcess64,GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64, 0_2_001A321E
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A2612 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 0_2_001A2612
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A2849 NtMapViewOfSection,RtlNtStatusToDosError, 0_2_001A2849
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A3268 NtWow64ReadVirtualMemory64,GetModuleHandleW,GetProcAddress,NtWow64ReadVirtualMemory64, 0_2_001A3268
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A2883 NtUnmapViewOfSection,RtlNtStatusToDosError, 0_2_001A2883
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A35A8 GetModuleHandleW,GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,LocalFree,LocalFree, 0_2_001A35A8
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A2F6C memset,VirtualAllocEx,NtGetContextThread,memcpy,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError, 0_2_001A2F6C
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A126D NtQueryVirtualMemory, 0_2_001A126D
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A2BC1 memset,ZwQueryInformationProcess,ReadProcessMemory, 0_2_001A2BC1
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C5048 ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,StrRChrA, 2_2_000C5048
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C4868 ZwQueryInformationProcess,ReadProcessMemory, 2_2_000C4868
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E39CC GetSystemTimes,NtQuerySystemInformation, 2_2_000E39CC
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E1294 GetProcessId,lstrlenW,HeapAlloc,HeapFree,HeapAlloc,NtQuerySystemInformation,GetCurrentProcess,DuplicateHandle,NtQueryObject,HeapFree,HeapAlloc,HeapFree,HeapAlloc,NtQueryObject,RtlInitUnicodeString,RtlEqualUnicodeString,NtQueryInformationFile,NtQueryInformationFile,HeapAlloc,CloseHandle,HeapFree,HeapFree,HeapFree, 2_2_000E1294
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C52A4 NtResumeProcess,RtlNtStatusToDosError, 2_2_000C52A4
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C52BC NtSuspendProcess,RtlNtStatusToDosError, 2_2_000C52BC
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000ED324 ZwQueryKey,ZwQueryKey, 2_2_000ED324
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C3448 NtCreateSection,RtlNtStatusToDosError,ZwClose, 2_2_000C3448
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C4CE0 VirtualAllocEx,NtGetContextThread,WriteProcessMemory,NtSetContextThread,ResumeThread,Sleep,SuspendThread,GetLastError, 2_2_000C4CE0
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E3D74 InitializeCriticalSection,GetModuleHandleW,GetProcAddress,GetSystemTimes,NtQuerySystemInformation,HeapAlloc,GetTickCount, 2_2_000E3D74
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C4644 ZwQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory, 2_2_000C4644
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C36AC NtMapViewOfSection,RtlNtStatusToDosError, 2_2_000C36AC
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C36FC NtUnmapViewOfSection,RtlNtStatusToDosError, 2_2_000C36FC
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000DBF94 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,GetLastError,CloseHandle,GetKeyState,ExitWindowsEx, 2_2_000DBF94
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A104C 0_2_001A104C
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001CA022 0_2_001CA022
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001AE86C 0_2_001AE86C
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001AF178 0_2_001AF178
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001CB9DC 0_2_001CB9DC
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001AF9E2 0_2_001AF9E2
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001C9AB0 0_2_001C9AB0
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001C8C3A 0_2_001C8C3A
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001AED60 0_2_001AED60
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001CA594 0_2_001CA594
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001AF5AD 0_2_001AF5AD
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001AE710 0_2_001AE710
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001CC72C 0_2_001CC72C
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001CD7A5 0_2_001CD7A5
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000D970C 2_2_000D970C
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C8804 2_2_000C8804
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000DA82C 2_2_000DA82C
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E187C 2_2_000E187C
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000CC114 2_2_000CC114
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000EC110 2_2_000EC110
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000DF968 2_2_000DF968
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E0974 2_2_000E0974
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E7200 2_2_000E7200
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000EAA60 2_2_000EAA60
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000DC288 2_2_000DC288
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E1294 2_2_000E1294
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000EB368 2_2_000EB368
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C3C70 2_2_000C3C70
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000ED4CC 2_2_000ED4CC
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C94F8 2_2_000C94F8
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000D751C 2_2_000D751C
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000DED60 2_2_000DED60
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000D9DA8 2_2_000D9DA8
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E3E60 2_2_000E3E60
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000EB718 2_2_000EB718
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000EC748 2_2_000EC748
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000EDF84 2_2_000EDF84
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000C8FA0 2_2_000C8FA0
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E8FB0 2_2_000E8FB0
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000D77FC 2_2_000D77FC
Source: C:\Windows\System32\svchost.exe Code function: 2_2_0012F88A 2_2_0012F88A
Source: C:\Windows\System32\svchost.exe Code function: 2_2_001159B0 2_2_001159B0
Source: C:\Windows\System32\svchost.exe Code function: 2_2_001311E4 2_2_001311E4
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00115360 2_2_00115360
Source: C:\Windows\System32\svchost.exe Code function: 2_2_001343F5 2_2_001343F5
Source: C:\Windows\System32\svchost.exe Code function: 2_2_001154BB 2_2_001154BB
Source: C:\Windows\System32\svchost.exe Code function: 2_2_001154BC 2_2_001154BC
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00115DC8 2_2_00115DC8
Source: C:\Windows\System32\svchost.exe Code function: 2_2_0013262C 2_2_0013262C
Source: 5U5ouw7ryf.exe, 00000000.00000003.1392327141.00000000033D6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 5U5ouw7ryf.exe
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: 5U5ouw7ryf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: crime_win32_hvnc_zloader1_hvnc_generic date = 2020-03-21, author = @VK_Intel, description = Detects Zloader hidden VNC, reference = https://twitter.com/malwrhunterteam/status/1240664014121828352
Source: classification engine Classification label: mal96.troj.evad.winEXE@3/0@0/1
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{41435A30-AC43-1BEB-BE05-A07FD209D423}
Source: 5U5ouw7ryf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 5U5ouw7ryf.exe ReversingLabs: Detection: 86%
Source: unknown Process created: C:\Users\user\Desktop\5U5ouw7ryf.exe "C:\Users\user\Desktop\5U5ouw7ryf.exe"
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: 5U5ouw7ryf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: ntdll.pdb source: 5U5ouw7ryf.exe, 00000000.00000003.1386169269.0000000003320000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: 5U5ouw7ryf.exe, 00000000.00000003.1386169269.0000000003320000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000D9004 EnterCriticalSection,LeaveCriticalSection,GetModuleHandleW,LoadLibraryW,GetProcAddress,FreeLibrary, 2_2_000D9004
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A103B push ecx; ret 0_2_001A104B
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001C7BF5 push ecx; ret 0_2_001C7C08
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001AE6FB push ecx; ret 0_2_001AE70B
Source: C:\Windows\System32\svchost.exe Code function: 2_2_0012E845 push ecx; ret 2_2_0012E858
Source: C:\Windows\System32\svchost.exe Code function: 2_2_0011534B push ecx; ret 2_2_0011535B
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E30CC IsIconic, 2_2_000E30CC
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E2308 IsIconic,GetLastActivePopup, 2_2_000E2308
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E4BD4 IsIconic,GetLastActivePopup,OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 2_2_000E4BD4
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000DDC68 IsIconic,GetWindow,GetWindow, 2_2_000DDC68
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000DC5CC GetWindowLongPtrA,IsIconic, 2_2_000DC5CC
Source: C:\Windows\System32\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\System32\svchost.exe API coverage: 2.1 %
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000D73C8 lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,FindFirstFileW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,SetLastError,FindNextFileW,FindClose,SetLastError, 2_2_000D73C8
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E0C40 lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,DeleteFileW,FindNextFileW,FindClose,lstrcpyW,lstrcatW,lstrcatW,RemoveDirectoryW, 2_2_000E0C40
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E0E4C lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,lstrlenW,HeapAlloc,lstrcpyW,CreateDirectoryW,GetLastError,FindFirstFileW,GetLastError,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,HeapFree, 2_2_000E0E4C
Source: svchost.exe, 00000002.00000002.2631935382.000001E8CD220000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\svchost.exe Code function: 2_2_0010C001 LdrLoadDll, 2_2_0010C001
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E5448 __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException, 2_2_000E5448
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E8618 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_000E8618
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000D9004 EnterCriticalSection,LeaveCriticalSection,GetModuleHandleW,LoadLibraryW,GetProcAddress,FreeLibrary, 2_2_000D9004
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E6EB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_000E6EB4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Memory allocated: C:\Windows\System32\svchost.exe base: 190000 protect: page execute and read and write
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Thread register set: target process: 7292
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF77AFE5080
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Memory written: C:\Windows\System32\svchost.exe base: 190000
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF77AFE5080
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k
Source: 5U5ouw7ryf.exe Binary or memory string: Program Manager
Source: 5U5ouw7ryf.exe Binary or memory string: GetProgmanWindow
Source: 5U5ouw7ryf.exe Binary or memory string: Shell_TrayWnd
Source: 5U5ouw7ryf.exe Binary or memory string: Progman
Source: 5U5ouw7ryf.exe Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventole32.dllCoCreateInstanceCoCreateInstanceExCoGetClassObjectCoRegisterClassObjectcombase.dlluser32.dllSetImmersiveBackgroundWindowAcquireIAMKeyEnableIAMAccessEnableIAMAccessWin80MsgWaitForMultipleObjectsExKernelBase.dllCloseHandleCreateEventWCreateEventACreateEventExWCreateEventExAOpenEventWOpenEventAwindows.immersiveshell.serviceprovider.dllDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgrversion.dllGetFileVersionInfoSizeWGetFileVersionInfoW1.3.6.1.4.1.311.2.1.12rY
Source: 5U5ouw7ryf.exe Binary or memory string: explorerframe.dllshell32.dllexplorer.exewindows.immersiveshell.serviceprovider.dlltwinui.dllwpncore.dllauthui.dllpnidui.dllhgcpl.dllBINotifiedNewSessionEventStartMenuCacheFileReorderShellReadyEventShellDesktopSwitchEventwindows.immersiveshell.serviceprovider.dllFlash6.ocxReleaseCaptureGetCaptureCreateDesktopACreateDesktopWCreateDesktopExACreateDesktopExWOpenDesktopAOpenDesktopWOpenInputDesktopSwitchDesktopSetThreadDesktopGetUserObjectInformationAGetUserObjectInformationWFlashWindowExFlashWindowGetCaretBlinkTimeTrackPopupMenuExSetShellWindowSetShellWindowExGetShellWindowSetTaskmanWindowGetTaskmanWindowSetProgmanWindowGetProgmanWindowSystemParametersInfoWSystemParametersInfoAgdi32.dllSetDIBitsToDeviceBitBltWinmm.dllPlaySoundAPlaySoundWsndPlaySoundAsndPlaySoundWBeepMessageBeepwaveOutOpendsound.dllDirectSoundCreateDirectSoundCaptureCreateDirectSoundFullDuplexCreate8DirectSoundFullDuplexCreateDirectSoundCreate8DirectSoundCaptureCreate8LoadLibraryWLoadLibraryExALoadLibraryExWGetProcAddressRegQueryValueExWRegGetValueWntdll.dllZwRaiseHardErrorNtRaiseHardErrorZwConnectPortNtConnectPortShell32.dllSHRestrictedSHGetSetSettingsUxTheme.dllSetThemeAppPropertiesDefWindowProcWDefWindowProcADefDlgProcWDefDlgProcADefFrameProcWDefFrameProcADefMDIChildProcWDefMDIChildProcACallWindowProcWCallWindowProcAGetMessageWGetMessageAPeekMessageWPeekMessageATranslateMessageGetCursorPosd3d10_1.dllSetCursorPosd3d10_1core.dlld3d10.dlld3d10core.dlld2d1.dllGetMessagePosOPENGL32.dlld3d9.dlld3d11.dllDxtrans.dllSetCaptureCreateDXGIFactory1D3D10CreateDevice1Direct3DCreate9Direct3DCreate9Ex\ThemeApiPortRtlSetUnhandledExceptionFilterMessageBoxTimeoutAuser32Program ManagerProgmanSHELLDLL_DefViewFolderViewSysListView32Shell_TrayWndNotifyIconOverflowWindow/0#32770MSTaskSwWClassTrayNotifyWndtaskmgr0
Source: 5U5ouw7ryf.exe Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001C15C8 cpuid 0_2_001C15C8
Source: C:\Windows\System32\svchost.exe Code function: GetWindowRect,GetWindowRect,GetWindowRect,RedrawWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetLocaleInfoW,CharUpperBuffW,RedrawWindow, 2_2_000E4364
Source: C:\Windows\System32\svchost.exe Code function: 2_2_000E39CC GetSystemTimes,NtQuerySystemInformation, 2_2_000E39CC
Source: C:\Users\user\Desktop\5U5ouw7ryf.exe Code function: 0_2_001A289B GetModuleHandleA,GetVersion,GetCurrentProcessId,StrRChrA,CreateEventA,GetLastError, 0_2_001A289B

Stealing of Sensitive Information

Source: Yara match File source: 5U5ouw7ryf.exe, type: SAMPLE
Source: Yara match File source: 2.2.svchost.exe.10cc50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1a6000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1a6000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1e1000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1e1000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.147c50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5U5ouw7ryf.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7292, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 5U5ouw7ryf.exe, type: SAMPLE
Source: Yara match File source: 2.2.svchost.exe.10cc50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1a6000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1a6000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.147c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1e1000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1e1000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1e1000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1e1000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.147c50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1a6000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.10cc50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1a6000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5U5ouw7ryf.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5U5ouw7ryf.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7292, type: MEMORYSTR
Source: 5U5ouw7ryf.exe String found in binary or memory: RFB 003.008
Source: 5U5ouw7ryf.exe, 00000000.00000002.1392817281.00000000001A6000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: RFB 003.008
Source: 5U5ouw7ryf.exe, 00000000.00000000.1373498367.00000000001A6000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: RFB 003.008
Source: svchost.exe String found in binary or memory: RFB 003.008
Source: svchost.exe, 00000002.00000002.2631715851.000000000010C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: RFB 003.008
Source: svchost.exe, 00000002.00000002.2631643141.00000000000F1000.00000002.80000000.00040000.00000000.sdmp String found in binary or memory: RFB 003.008