Windows Analysis Report
ZAXkflgLEq.exe

Overview

General Information

Sample name: ZAXkflgLEq.exe
renamed because original name is a hash value
Original sample name: 464ea1bd9930cd4ecae392d7214c3905.exe
Analysis ID: 1417252
MD5: 464ea1bd9930cd4ecae392d7214c3905
SHA1: 525be920ce25cf340d8e47a0f3fd993a908449fc
SHA256: cade479a0b203af759b0f82c80d4b95ca46abe3a4f665f365953eb5e25fe9284
Tags: exe

Detection

RHADAMANTHYS
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution:
  • Sandworm
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: ZAXkflgLEq.exe Avira: detected
Source: ZAXkflgLEq.exe ReversingLabs: Detection: 71%
Source: ZAXkflgLEq.exe Joe Sandbox ML: detected
Source: ZAXkflgLEq.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.92.254.230:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: ZAXkflgLEq.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wkernel32.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688891903.00000000057D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688827463.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004910000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688366710.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688216506.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000048C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688685540.0000000005850000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688561745.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004910000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688366710.00000000058A0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688216506.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000048C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688685540.0000000005850000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688561745.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp, ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688891903.00000000057D0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000001.00000003.1688827463.00000000056B0000.00000004.00000001.00020000.00000000.sdmp
Source: Joe Sandbox View JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: www.carssell.online
Source: dialer.exe, 00000001.00000002.2180075196.000000000327C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.carssell.online:443/b45c71e9ac60e42309ff71/ox15jpua.xlk0e
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_ce44904d-b
Source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_dd65927f-f
Source: Yara match File source: 1.3.dialer.exe.58d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.dialer.exe.56b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ZAXkflgLEq.exe.4720000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.dialer.exe.56b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.dialer.exe.58d0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.ZAXkflgLEq.exe.4940000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.dialer.exe.56b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.1689171130.00000000058D0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1686637669.0000000004940000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ZAXkflgLEq.exe PID: 7392, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dialer.exe PID: 7436, type: MEMORYSTR
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_2_00C90AA0 0_2_00C90AA0
Source: ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002D12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1686332148.0000000004720000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1685443447.0000000004898000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000002.1687647111.0000000000CAB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTCPZ.exe, vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1685939143.00000000049ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1686157181.00000000047F0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1686101457.0000000002C80000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1686637669.0000000004B21000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1685818446.0000000004843000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe, 00000000.00000003.1685589224.0000000004A96000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ZAXkflgLEq.exe
Source: ZAXkflgLEq.exe Binary or memory string: OriginalFilenameTCPZ.exe, vs ZAXkflgLEq.exe
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: tapi32.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: fwpuclnt.dll
Source: classification engine Classification label: mal72.troj.evad.winEXE@3/0@1/1
Source: C:\Windows\SysWOW64\dialer.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\ZAXkflgLEq.exe "C:\Users\user\Desktop\ZAXkflgLEq.exe"
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\SysWOW64\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: ZAXkflgLEq.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZAXkflgLEq.exe Static PE information: section name: .textbss
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_3_00C95AF4 pushad ; retf 0_3_00C95B03
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_3_00C96285 push F693B671h; retf 0_3_00C9628A
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_3_00C97C52 push dword ptr [edx+ebp+3Bh]; retf 0_3_00C97C5F
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_3_00C95DCE push edi; iretd 0_3_00C95DD5
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_3_00C96F48 push es; ret 0_3_00C96F49
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_3_00C92F4E push eax; retf 0_3_00C92F4F
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_3_00C9416F push ecx; iretd 0_3_00C9417B
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_3_00C9657C push esi; ret 0_3_00C96580
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_3_00C9412F pushad ; ret 0_3_00C94137
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_2_00C49429 push cs; retf 0_2_00C49565
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_2_00C48964 push ebx; retf 0_2_00C48965
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_2_00C4750E push ds; iretd 0_2_00C47517
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_2_00C51269 push edx; retf 0_2_00C51422
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_2_00C4FF22 push edi; iretd 0_2_00C4FF2D
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03284305 push F693B671h; retf 1_3_0328430A
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03283B74 pushad ; retf 1_3_03283B83
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_032821AF pushad ; ret 1_3_032821B7
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_032821EF push ecx; iretd 1_3_032821FB
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_032845FC push esi; ret 1_3_03284600
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03284FC8 push es; ret 1_3_03284FC9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03280FCE push eax; retf 1_3_03280FCF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03283E4E push edi; iretd 1_3_03283E55
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_03285CD2 push dword ptr [edx+ebp+3Bh]; retf 1_3_03285CDF
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEP
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: dialer.exe, 00000001.00000002.2180219972.00000000034E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: dialer.exe, 00000001.00000003.1689027079.00000000056B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_3_00C92277 mov eax, dword ptr fs:[00000030h] 0_3_00C92277
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_2_00C92277 mov eax, dword ptr fs:[00000030h] 0_2_00C92277
Source: C:\Windows\SysWOW64\dialer.exe Code function: 1_3_0328027F mov eax, dword ptr fs:[00000030h] 1_3_0328027F
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Code function: 0_2_00C90AA0 HeapCreate,HeapAlloc,HeapAlloc,GetModuleHandleA,HeapAlloc,CreateEventA,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,HeapFree,WaitForSingleObject,FindCloseChangeNotification,VirtualFree,GetProcessHeap,HeapFree,HeapDestroy, 0_2_00C90AA0
Source: C:\Users\user\Desktop\ZAXkflgLEq.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: dialer.exe, 00000001.00000002.2180370129.00000000036C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OllyDbg.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000001.00000003.1687455325.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1684570895.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1687219829.0000000003DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2180403207.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000001.00000003.1687455325.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1684570895.00000000010B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1687219829.0000000003DE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2180403207.0000000004E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY