Windows Analysis Report
Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe

Overview

General Information

Sample name: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe
Analysis ID: 1417191
MD5: f6880fd202498cb4df823e6bee36d3f3
SHA1: cf5e22597d2c96f57d0ab3034818d1c4ea8d9a78
SHA256: 9db4741b83fe24b9d047c7a18e0eec751585693f544a4abd443200ba39d49c6f

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic
Machine Learning detection for dropped file
Machine Learning detection for sample
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\Desktop\Portable-VirtualBox\Portable-VirtualBox.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\mpress.exe Joe Sandbox ML: detected
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Joe Sandbox ML: detected
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File created: C:\Users\user\Desktop\Portable-VirtualBox\ReadMe.txt
Source: Binary string: H:\Projects\WinpkFilter\Setup\i386\snetcfg.pdbL4 source: snetcfg_x86.exe.0.dr
Source: Binary string: H:\Projects\WinpkFilter\Setup\i386\snetcfg.pdb source: snetcfg_x86.exe.0.dr
Source: Binary string: H:\Exchange\WinpkFilter\Setup\amd64\snetcfg.pdbH source: snetcfg_x64.exe.0.dr
Source: Binary string: devcon.pdbhe source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1242341333.0000000004BF1000.00000004.00000020.00020000.00000000.sdmp, devcon_x86.exe.0.dr
Source: Binary string: H:\Exchange\WinpkFilter\Setup\amd64\snetcfg.pdb source: snetcfg_x64.exe.0.dr
Source: Binary string: devcon.pdb source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1242341333.0000000004BF1000.00000004.00000020.00020000.00000000.sdmp, devcon_x64.exe.0.dr, devcon_x86.exe.0.dr
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_00404BAF __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, 0_2_00404BAF

Networking

Source: Traffic Snort IDS: 2051493 ET CURRENT_EVENTS Parrot TDS Domain in DNS Lookup (apicachebot .com) 192.168.2.16:64434 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2051493 ET CURRENT_EVENTS Parrot TDS Domain in DNS Lookup (apicachebot .com) 192.168.2.16:64608 -> 1.1.1.1:53
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, UpDate.au3.0.dr, Portable-VirtualBox.au3.0.dr String found in binary or memory: http://creativecommons.org/licenses/by-nc-sa/3.0/
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, vboxinstall.ini.0.dr String found in binary or memory: http://download.virtualbox.org/virtualbox/5.1.22/Oracle_VM_VirtualBox_Extension_Pack-5.1.22-115126.v
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, vboxinstall.ini.0.dr String found in binary or memory: http://download.virtualbox.org/virtualbox/5.1.22/VirtualBox-5.1.22-115126-Win.exe
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, IE.au3.0.dr String found in binary or memory: http://slayeroffice.com/tools/modi/v2.0/modi_help.html
Source: upx.exe.0.dr String found in binary or memory: http://upx.sf.netT
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, ReadMe.txt.0.dr, LiesMich.txt.0.dr String found in binary or memory: http://upx.sourceforge.net)
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, IE.au3.0.dr String found in binary or memory: http://validator.w3.org/
Source: IE.au3.0.dr String found in binary or memory: http://www.autoitscript.com
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, IE.au3.0.dr String found in binary or memory: http://www.autoitscript.com/forum/
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, IE.au3.0.dr String found in binary or memory: http://www.autoitscript.com/forum/index.php?act=Search
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, IE.au3.0.dr String found in binary or memory: http://www.autoitscript.com/forum/index.php?act=Search&CODE=01
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, IE.au3.0.dr String found in binary or memory: http://www.autoitscript.com/forum/index.php?showtopic=19368
Source: IE.au3.0.dr String found in binary or memory: http://www.autoitscript.com/images/autoit_6_240x100.jpg
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, IE.au3.0.dr String found in binary or memory: http://www.debugbar.com/
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, IE.au3.0.dr String found in binary or memory: http://www.fiddlertool.com/fiddler/
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, ReadMe.txt.0.dr, LiesMich.txt.0.dr String found in binary or memory: http://www.matcode.com/mpress.htm)
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, UpDate.au3.0.dr, Portable-VirtualBox.au3.0.dr String found in binary or memory: http://www.vbox.me
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, ReadMe.txt.0.dr, LiesMich.txt.0.dr String found in binary or memory: http://www.vbox.me/
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, vboxinstall.ini.0.dr String found in binary or memory: http://www.vbox.me/update/
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, Portable-VirtualBox.au3.0.dr String found in binary or memory: http://www.virtualbox.org
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, ReadMe.txt.0.dr, LiesMich.txt.0.dr String found in binary or memory: http://www.virtualbox.org)
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, Portable-VirtualBox.au3.0.dr String found in binary or memory: http://www.virtualbox.org/wiki/VirtualBox_PUEL
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, Portable-VirtualBox.au3.0.dr String found in binary or memory: http://www.win-lite.de/wbb/index.php?page=Board&&&boardID=153
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1239424836.0000000004BF6000.00000004.00000020.00020000.00000000.sdmp, UpDate.au3.0.dr, Portable-VirtualBox.au3.0.dr String found in binary or memory: http://www.win-lite.de/wbb/index.php?page=Board&boardID=153
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041C000 0_2_0041C000
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041C1C0 0_2_0041C1C0
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041D5B3 0_2_0041D5B3
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041B6A0 0_2_0041B6A0
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041C6B0 0_2_0041C6B0
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041D741 0_2_0041D741
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_00419740 0_2_00419740
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041472D 0_2_0041472D
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041D81B 0_2_0041D81B
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041B8A0 0_2_0041B8A0
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041BC50 0_2_0041BC50
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_00402DAC 0_2_00402DAC
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_00417FA4 0_2_00417FA4
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\7za.exe E0E2C7D0F740FE2A4E8658CE54DFB6EB3C47C37FE90A44A839E560C685F1F1FA
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: String function: 0041D040 appears 260 times
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: String function: 004030DA appears 45 times
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000002.1243107183.000000000042D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.sfx.exe, vs Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000002.1243532681.0000000002A60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.sfx.exe, vs Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1242341333.0000000004BF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7za.exe, vs Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1242341333.0000000004BF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSETUPAPI.DLLj% vs Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1242341333.0000000004BF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamempress.exe. vs Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1237773866.0000000002A61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.sfx.exe, vs Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Binary or memory string: OriginalFilename7z.sfx.exe, vs Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Section loaded: wintypes.dll
Source: upx.exe.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9966835035523979
Source: Portable-VirtualBox.au3.0.dr Binary string: RunWait (@ScriptDir &"\data\tools\devcon_x64.exe install .\"& $arch &"\drivers\USB\device\VBoxUSB.inf ""USB\VID_80EE&PID_CAFE""", @ScriptDir, @SW_HIDE)
Source: Portable-VirtualBox.au3.0.dr Binary string: RunWait (@ScriptDir &"\data\tools\devcon_x86.exe install .\"& $arch &"\drivers\USB\device\VBoxUSB.inf ""USB\VID_80EE&PID_CAFE""", @ScriptDir, @SW_HIDE)
Source: Portable-VirtualBox.au3.0.dr Binary string: FileCopy (@ScriptDir&"\"& $arch &"\drivers\USB\device\VBoxUSB.sys", @SystemDir&"\drivers", 9)
Source: classification engine Classification label: mal56.winEXE@1/38@0/0
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File created: C:\Users\user\Desktop\Portable-VirtualBox
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File read: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File written: C:\Users\user\Desktop\Portable-VirtualBox\data\language\catalan.ini
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Static file information: File size 1420220 > 1048576
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Static PE information: section name: .sxdata
Source: 7za.exe.0.dr Static PE information: section name: .sxdata
Source: mpress.exe.0.dr Static PE information: section name: .MPRESS1
Source: mpress.exe.0.dr Static PE information: section name: .MPRESS2
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_0041D040 push eax; ret 0_2_0041D05E
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_00418340 push ecx; mov dword ptr [esp], ecx 0_2_00418341
Source: mpress.exe.0.dr Static PE information: section name: .MPRESS1 entropy: 7.695871632555273
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File created: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\devcon_x64.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File created: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\snetcfg_x86.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File created: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\mpress.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File created: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\snetcfg_x64.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File created: C:\Users\user\Desktop\Portable-VirtualBox\Portable-VirtualBox.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File created: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\7za.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File created: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\devcon_x86.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe File created: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\upx.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\devcon_x64.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\snetcfg_x86.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\mpress.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\snetcfg_x64.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Portable-VirtualBox\Portable-VirtualBox.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\7za.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\devcon_x86.exe
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Portable-VirtualBox\data\tools\upx.exe
Source: Portable-VirtualBox.au3.0.dr Binary or memory string: RunWait ("cmd /c upx VBoxGuestPropSvc.dll", @ScriptDir&"\app32", @SW_HIDE)
Source: LiesMich.txt.0.dr Binary or memory string: r die "VBoxGuestAdditions.iso" bei der
Source: ReadMe.txt.0.dr Binary or memory string: - a common file for "VBoxGuestAdditions.iso" by 32Bit/64Bit-
Source: Portable-VirtualBox.au3.0.dr Binary or memory string: RunWait ("cmd /c mpress VBoxGuestPropSvc.dll", @ScriptDir&"\app64", @SW_HIDE)
Source: Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe, 00000000.00000003.1242341333.0000000004D75000.00000004.00000020.00020000.00000000.sdmp, Portable-VirtualBox.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\Portable-VirtualBox_v5.1.22-Starter_v6.4.10-Win_all.exe Code function: 0_2_00418540 GetVersionExA, 0_2_00418540
No contacted IP infos