Windows Analysis Report
E3XzKxHCCb.exe

Overview

General Information

Sample name: E3XzKxHCCb.exe
renamed because original name is a hash value
Original sample name: 7f77b237f660c6ef5aa674dbe4d3b38f.exe
Analysis ID: 1429287
MD5: 7f77b237f660c6ef5aa674dbe4d3b38f
SHA1: 5ab81981753086557187a7ae3fd4a3fb4e86b2a1
SHA256: b86c86fa3321ed97a4e5b0346dd482fcb910cbe8e996e46b125db3b5a58f790c
Tags: 32, exe, trojan, XWorm

Detection

XWorm
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
AV process strings found (often used to terminate AV products)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: E3XzKxHCCb.exe Avira: detected
Source: 0.2.E3XzKxHCCb.exe.94d318.1.raw.unpack Malware Configuration Extractor: Xworm {"C2 url": ["67.213.221.11"], "Port": "2554", "Aes key": "2554", "Install file": "USB.exe", "Version": "XWorm V2.1"}
Source: E3XzKxHCCb.exe ReversingLabs: Detection: 23%
Source: E3XzKxHCCb.exe Virustotal: Detection: 34%
Source: E3XzKxHCCb.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.187.200:443 -> 192.168.2.4:49730 version: TLS 1.2

Networking

Source: Malware configuration extractor URLs: 67.213.221.11
Source: unknown DNS query: name: paste.ee
Source: Joe Sandbox View IP Address: 172.67.187.200 172.67.187.200
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /r/tC4AK HTTP/1.1 User-Agent: Himanen Host: paste.ee
Source: unknown DNS traffic detected: queries for: paste.ee
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://exmple.com/Uploader.php
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee;
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com;
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/r/tC4AK
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/r/tC4AKD_
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/r/tC4AKp
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.gravatar.com
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://themes.googleusercontent.com
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com;
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000977000.00000004.00000020.00020000.00000000.sdmp, E3XzKxHCCb.exe, 00000000.00000002.1970824579.00000000009A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 172.67.187.200:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6756 -s 1196
Source: E3XzKxHCCb.exe, 00000000.00000000.1708874802.0000000000709000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBas.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD vs E3XzKxHCCb.exe
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000930000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameServicePack.exe4 vs E3XzKxHCCb.exe
Source: E3XzKxHCCb.exe Binary or memory string: OriginalFilenameBas.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD vs E3XzKxHCCb.exe
Source: E3XzKxHCCb.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.2.E3XzKxHCCb.exe.94d318.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal84.troj.evad.winEXE@2/6@1/1
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6756
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe File created: C:\Users\user\AppData\Local\Temp\~DF119D786586100221.TMP
Source: E3XzKxHCCb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: E3XzKxHCCb.exe ReversingLabs: Detection: 23%
Source: E3XzKxHCCb.exe Virustotal: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\E3XzKxHCCb.exe "C:\Users\user\Desktop\E3XzKxHCCb.exe"
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6756 -s 1196
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: asycfilt.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: E3XzKxHCCb.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: E3XzKxHCCb.exe Static file information: File size 3162112 > 1048576
Source: E3XzKxHCCb.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x26a000

Data Obfuscation

Source: 0.2.E3XzKxHCCb.exe.94d318.1.raw.unpack, Helper.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: E3XzKxHCCb.exe Static PE information: real checksum: 0x3095ab should be: 0x313a04
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Code function: 0_2_004058FA push ds; ret 0_2_00405902
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Code function: 0_2_004038AC push ds; iretd 0_2_00403902
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Code function: 0_2_00403DD1 push ds; iretd 0_2_00403DD2
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Code function: 0_2_004079EA push ds; retf 0_2_00407A46
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Code function: 0_2_00409A1E push ds; iretd 0_2_00409A2F
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Code function: 0_2_00406F17 push dword ptr [ebp+7Ch]; ret 0_2_00406F1A
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Code function: 0_2_00407B20 push ds; ret 0_2_00407B2A
Source: C:\Users\user\Desktop\E3XzKxHCCb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000992000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: E3XzKxHCCb.exe, 00000000.00000002.1970824579.0000000000930000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.E3XzKxHCCb.exe.94d318.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.E3XzKxHCCb.exe.94d318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1970824579.0000000000930000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E3XzKxHCCb.exe PID: 6756, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.E3XzKxHCCb.exe.94d318.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.E3XzKxHCCb.exe.94d318.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1970824579.0000000000930000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E3XzKxHCCb.exe PID: 6756, type: MEMORYSTR