Windows Analysis Report
SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe

Overview

General Information

Sample name: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Analysis ID: 1431466
MD5: dda215e4c93c5bcd1626d798a9114052
SHA1: 686205c045db9236cb7a76cc48a4759f3a775bed
SHA256: 786c781885708a2dd6f66a997cda19fa13f06542a1c5f35c50619494d45d2cb9
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample is not signed and drops a device driver
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to load drivers
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables driver privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Spawns drivers

Classification

AV Detection

Source: C:\Windows\SoftwareDistribution\Download\bugado.exe ReversingLabs: Detection: 62%
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Virustotal: Detection: 67% Perma Link
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe ReversingLabs: Detection: 39%
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Virustotal: Detection: 48% Perma Link
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\ESP Valorant C++\Cheat Valorant ESP - Private Store\x64\Release\YARREAK PROJE.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: Binary string: D:\XD\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb11 source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr
Source: Binary string: eD:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\ESP Valorant C++\Cheat Valorant ESP - Private Store\x64\Release\YARREAK PROJE.pdb3,,GCTL source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: Binary string: C:\Users\textx\source\repos\democ_free\kernelmod\x64\Release\drv.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.sys.0.dr
Source: Binary string: D:\XD\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr
Source: Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr
Source: Binary string: PwC:\Users\textx\source\repos\democ_free\kernelmod\x64\Release\drv.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.sys.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr String found in binary or memory: http://ocsp.thawte.com0
Source: bugado.exe, 00000003.00000002.2096634574.0000013A43F3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.veH
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725803F10 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard, 0_2_00007FF725803F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725803CC0 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,malloc,memmove,free,GlobalUnlock,CloseClipboard, 0_2_00007FF725803CC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF7258340A0 SleepEx,SleepEx,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,GetAsyncKeyState,AllocConsole,FindWindowA,ShowWindow,MessageBoxA,Sleep, 0_2_00007FF7258340A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725832D90 GetClientRect,QueryPerformanceCounter,GetKeyState,GetKeyState,GetKeyState,ClientToScreen,SetCursorPos,GetActiveWindow,GetCursorPos,ScreenToClient,GetAsyncKeyState, 0_2_00007FF725832D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Process Stats: CPU usage > 49%
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF61758D520 RegCreateKeyW,RegSetKeyValueW,RegCloseKey,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,RegSetKeyValueW,RegCloseKey,RegCloseKey,GetModuleHandleA,GetProcAddress,GetProcAddress,RtlAdjustPrivilege,RtlInitUnicodeString,NtLoadDriver,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 3_2_00007FF61758D520
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF617582A90 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree, 3_2_00007FF617582A90
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF61758DF00 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn, 3_2_00007FF61758DF00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725834EC0: DeviceIoControl, 0_2_00007FF725834EC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File created: C:\Windows\SoftwareDistribution\Download\bugado.sys Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File created: C:\Windows\SoftwareDistribution\Download\bugado.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF7258016C0 0_2_00007FF7258016C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF7258202E0 0_2_00007FF7258202E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF7258082E0 0_2_00007FF7258082E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72580AAE0 0_2_00007FF72580AAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72580EA30 0_2_00007FF72580EA30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725811650 0_2_00007FF725811650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72582CA40 0_2_00007FF72582CA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72580B660 0_2_00007FF72580B660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725828DB0 0_2_00007FF725828DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF7257FF1D0 0_2_00007FF7257FF1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725826210 0_2_00007FF725826210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF7257FC615 0_2_00007FF7257FC615
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725807210 0_2_00007FF725807210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725818120 0_2_00007FF725818120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF7257F2D70 0_2_00007FF7257F2D70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725824160 0_2_00007FF725824160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725809D60 0_2_00007FF725809D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725832D90 0_2_00007FF725832D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72580A580 0_2_00007FF72580A580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF7258174D0 0_2_00007FF7258174D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72580B8F0 0_2_00007FF72580B8F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725836050 0_2_00007FF725836050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725801C50 0_2_00007FF725801C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725812870 0_2_00007FF725812870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF7258283E0 0_2_00007FF7258283E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725827B30 0_2_00007FF725827B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725809730 0_2_00007FF725809730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725818F20 0_2_00007FF725818F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72580DB50 0_2_00007FF72580DB50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725814B50 0_2_00007FF725814B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725805B50 0_2_00007FF725805B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725813340 0_2_00007FF725813340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72581CB70 0_2_00007FF72581CB70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725827F60 0_2_00007FF725827F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725821760 0_2_00007FF725821760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72580BB80 0_2_00007FF72580BB80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72580BF80 0_2_00007FF72580BF80
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF617581780 3_2_00007FF617581780
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF617582A90 3_2_00007FF617582A90
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh 4429F32DB1CC70567919D7D47B844A91CF1329A6CD116F582305F3B7B60CD60B
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Process token adjusted: Load Driver Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: String function: 00007FF617585EE0 appears 80 times
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000002.4517630062.0000023F9BA64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000003.2394822838.0000023F9BA54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000002.4517982925.00007FF7258AE000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000003.2394565534.0000023F9BA54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000000.2074111889.00007FF7258AD000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000003.2394918831.0000023F9BA63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, 00000000.00000003.2394884952.0000023F9BA5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\uKPwkwKUWlbmzgNfgIh Jump to behavior
Source: bugado.exe.0.dr Binary string: Unknown exceptionbad array new lengthstring too longbad cast\\\.\Nal[-] \Device\Nal is already in use.[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver iqvw64e.sysntoskrnl.exe[-] Failed to get ntoskrnl.exe[-] Failed to ClearPiDDBCacheTable[-] Failed to ClearKernelHashBucketList[!] Failed to ClearMmUnloadedDrivers[<] Unloading vulnerable driver[!] Error dumping shit inside the disk[+] Vul driver data destroyed before unlink[-] Failed to translate virtual address 0x[-] Failed to map IO space of 0x[!] Failed to unmap IO space of physical address 0xMmAllocatePagesForMdl[!] Failed to find MmAlocatePagesForMdlMmMapLockedPagesSpecifyCache[!] Failed to find MmMapLockedPagesSpecifyCacheMmProtectMdlSystemAddress[!] Failed to find MmProtectMdlSystemAddressMmUnmapLockedPages[!] Failed to find MmUnmapLockedPagesMmFreePagesFromMdl[!] Failed to find MmFreePagesFromMdlExAllocatePoolWithTag[!] Failed to find ExAllocatePoolExFreePool[!] Failed to find device_object[!] Failed to find driver_object[!] Failed to find driver_section[!] Failed to find driver name[!] Failed to read driver name[!] Failed to write driver name length[+] MmUnloadedDrivers Cleaned: ExAcquireResourceExclusiveLite[!] Failed to find ExAcquireResourceExclusiveLiteExReleaseResourceLite[!] Failed to find ExReleaseResourceLiteRtlDeleteElementGenericTableAvl[!] Failed to find RtlDeleteElementGenericTableAvlRtlLookupElementGenericTableAvl[!] Failed to find RtlLookupElementGenericTableAvlxxxxxx????xxxxx????xxx????xxxxx????x????xx?x
Source: uKPwkwKUWlbmzgNfgIh.3.dr Binary string: \Device\Nal
Source: bugado.sys.0.dr Binary string: \Device\VGK_G091H
Source: classification engine Classification label: mal72.evad.winEXE@7/5@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF72582A410 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,CloseHandle,CloseHandle, 0_2_00007FF72582A410
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_03
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe File created: C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh Jump to behavior
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe ReversingLabs: Detection: 39%
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Virustotal: Detection: 48%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Process created: C:\Windows\SoftwareDistribution\Download\bugado.exe "C:\Windows\SoftwareDistribution\Download\bugado.exe" C:\Windows\SoftwareDistribution\Download\bugado.sys
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Process created: C:\Windows\SoftwareDistribution\Download\bugado.exe "C:\Windows\SoftwareDistribution\Download\bugado.exe" C:\Windows\SoftwareDistribution\Download\bugado.sys Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: twext.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: cscui.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: workfoldersshell.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: starttiledata.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: usermgrproxy.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: acppage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\ESP Valorant C++\Cheat Valorant ESP - Private Store\x64\Release\YARREAK PROJE.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: Binary string: D:\XD\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb11 source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr
Source: Binary string: eD:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\ESP Valorant C++\Cheat Valorant ESP - Private Store\x64\Release\YARREAK PROJE.pdb3,,GCTL source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe
Source: Binary string: C:\Users\textx\source\repos\democ_free\kernelmod\x64\Release\drv.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.sys.0.dr
Source: Binary string: D:\XD\kdmapper-master\kdmapper-master\x64\Release\kdmapper.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr
Source: Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.exe.0.dr, uKPwkwKUWlbmzgNfgIh.3.dr
Source: Binary string: PwC:\Users\textx\source\repos\democ_free\kernelmod\x64\Release\drv.pdb source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe, bugado.sys.0.dr
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Executable created and started: C:\Windows\SoftwareDistribution\Download\bugado.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File created: C:\Windows\SoftwareDistribution\Download\bugado.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File created: C:\Windows\SoftwareDistribution\Download\bugado.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File created: C:\Windows\SoftwareDistribution\Download\bugado.sys
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe File created: C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uKPwkwKUWlbmzgNfgIh
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF617582A90 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree, 3_2_00007FF617582A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Dropped PE file which has not been started: C:\Windows\SoftwareDistribution\Download\bugado.sys
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uKPwkwKUWlbmzgNfgIh
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe API coverage: 1.8 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725836D18 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF725836D18
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF61758EAC4 GetLastError,IsDebuggerPresent,OutputDebugStringW, 3_2_00007FF61758EAC4
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF617582A90 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree, 3_2_00007FF617582A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725833B70 system,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,exit,GetModuleHandleA,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapReAlloc,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,exit, 0_2_00007FF725833B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725836EC0 SetUnhandledExceptionFilter, 0_2_00007FF725836EC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF7258371F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7258371F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725836D18 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF725836D18
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF617589D10 SetUnhandledExceptionFilter,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,memcmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 3_2_00007FF617589D10
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF61758F884 SetUnhandledExceptionFilter, 3_2_00007FF61758F884
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF61758F6D8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF61758F6D8
Source: C:\Windows\SoftwareDistribution\Download\bugado.exe Code function: 3_2_00007FF61758F140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FF61758F140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Process created: C:\Windows\SoftwareDistribution\Download\bugado.exe "C:\Windows\SoftwareDistribution\Download\bugado.exe" C:\Windows\SoftwareDistribution\Download\bugado.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Doina.72984.2628.5521.exe Code function: 0_2_00007FF725836F74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF725836F74
No contacted IP infos