Windows Analysis Report
7.5RabbitFix_V9.exe

Overview

General Information

Sample name:	7.5RabbitFix_V9.exe
Analysis ID:	1431556
MD5:	7ec9e3fc3f9f3cce7c965e09152726a4
SHA1:	f03293a7f7e9a1eb072e689d48c88b5f59858029
SHA256:	5c06818c78b238c60419fae8f263c931f1982ae311a365bc824e0013229ade7b
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

.NET source code contains very large strings

Reads the Security eventlog

Reads the System eventlog

Allocates memory with a write watch (potentially for evading sandboxes)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Uses 32bit PE files

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 7.5RabbitFix_V9.exe

Virustotal: Detection: 7%

Perma Link

Uses 32bit PE files

Source: 7.5RabbitFix_V9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.5RabbitFix_V9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell

System Summary

.NET source code contains very large strings

Source: 7.5RabbitFix_V9.exe, PS2EXE.cs

Long String: Length: 12988

Uses 32bit PE files

Source: 7.5RabbitFix_V9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.5RabbitFix_V9.exe, PS2EXE.cs

Base64 encoded string: 'IyNSYWJiaXRNUSBCYXNlIEZpeCMjDQoNCldyaXRlLUhvc3QgJycNCldyaXRlLUhvc3QgJyhjKTIwMTkgTGVuZWxTMicNCldyaXRlLUhvc3QgJycNCg0KIyNTZXQgVGltZW91dCBWYWx1ZQ0KDQpbaW50XSRUaW1lcj1SZWFkLUhvc3QgIkVudGVyIHRpbWVvdXQgdmFsdWUgaW4gc2Vjb25kcywgcHJlc3MgPEVOVEVSPiBmb3IgZGVmYXVsdCINCmlmKCRUaW1lciAtZXEgJycpDQp7DQogICAgJFRpbWVyPTMwDQp9DQoNCldyaXRlLUhvc3QgJycNCg0KIyM3LjYgQmFja3BvcnQgQ2xlYW51cCBSTVEgc3R1ZmYNCg0KdHJ5DQp7DQogICAgICAgIFdyaXRlLUhvc3QgJ01ha2luZyBzdXJlIFJNUSBiYWNrZ3JvdW5kIHByb2Nlc3NlcyBhcmUgc3RvcHBlZC4uJyAtZm9yZWdyb3VuZGNvbG9yIFllbGxvdyAgDQogICAgICAgIHRhc2traWxsIC9pbSBlcmxzcnYuZXhlIC9mIC90IDI+JjE+JG51bGwNCiAgICAgICAgdGFza2tpbGwgL2ltIGVwbWQuZXhlIC9mIC90IDI+JjE+JG51bGwNCiAgICAgICAgdGFza2tpbGwgL2ltIGVybC5leGUgL2YgL3QgMj4mMT4kbnVsbA0KICAgICAgICB0YXNra2lsbCAvaW0gbmdpbnguZXhlIC8gZiAvdCAyPiYxPiRudWxsDQogICAgICAgIFdyaXRlLUhvc3QgJ0RvbmUuJyAtRm9yZWdyb3VuZENvbG9yIEdyZWVuDQogICAgICAgIFdyaXRlLUhvc3QgJ0NsZWFuaW5nIHVwIHByZXZpb3VzIGluc3RhbGxhdGlvbiBvZiBSTVEuLicgLUZvcmVncm91bmRDb2xvciBZZWxsb3cgIA0KICAgICAgICBXcml0ZS1Ib3N0ICcnDQogICAgICAgIFJlbW92ZS1JdGVtIC1SZWN1cnNlIC1Gb3JjZSAkZW52OnByb2dyYW1kYXRhXGxubFxSYWJiaXRNUQ0KfQ0KY2F0Y2gNCnsNCiAgICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gcmVtb3ZlIGV4aXN0aW5nIFJNUSBkaXJlY3RvcnkuIiAtRm9yZWdyb3VuZENvbG9yIFJlZA0KfQ0KDQojI0NyZWF0ZSBuZXcgZGlyZWN0b3J5IyMNCg0KdHJ5DQp7DQogICAgTmV3LUl0ZW0gLVBhdGggIiRlbnY6cHJvZ3JhbWRhdGFcbG5sXFJhYmJpdE1RIiAtSXRlbVR5cGUgImRpcmVjdG9yeSIgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgIC1FcnJvclZhcmlhYmxlIGRpcmVjdG9yeSANCn0NCg0KY2F0Y2gNCnsNCiAgICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gY3JlYXRlIHJhYmJpdCBiYXNlIGRpcmVjdG9yeSBpbiAkZW52OnByb2dyYW1kYXRhXGxubFxSYWJiaXRNUS4uIg0KfQ0KDQojQmVmb3JlIENvcHlpbmcgYWR2YW5jZWQuY29uZmlnIGZpbGUgY2hlY2sgT0cgaW5zdGFsbGF0aW9uIHBhdGgNCg0KdHJ5DQp7DQogICAgJEluc3RhbGxlZFZlcnNpb249R2V0LUl0ZW1Qcm9wZXJ0eSBSZWdpc3RyeTo6SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXFdPVzY0MzJOb2RlXExlbmVsXE9uR3VhcmQgLU5hbWUgUHJvZHVjdFZlcnNpb24NCiAgICAkVmVyc2lvbj0kSW5zdGFsbGVkVmVyc2lvbi5Qcm9kdWN0VmVyc2lvbg0KICAgICRpbnN0YWxsPUdldC1JdGVtUHJvcGVydHkgUmVnaXN0cnk6OkhLRVlfTE9DQUxfTUFDSElORVxTT0ZUV0FSRVxXT1c2NDMyTm9kZVxMZW5lbFxPbkd1YXJkIC1OYW1lIEluc3RhbGxQYXRoDQogICAgW29iamVjdF0kSW5zdGFsbFBhdGg9JGluc3RhbGwuSW5zdGFsbFBhdGggICAgDQp9DQoNCmNhdGNoDQp7DQogICAgV3JpdGUtSG9zdCAnVW5hYmxlIHRvIGdldCBPbkd1YXJkIHZlcnNpb24nDQogICAgUGF1c2UNCiAgICBFeGl0DQp9DQoNCnRyeQ0Kew0KICAgICRBZGpJbnN0YWxsUGF0aD0kSW5zdGFsbFBhdGguUmVwbGFjZSgnXCcsICdcXCcpDQoJKEdldC1Db250ZW50IGFkdmFuY2VkLmNvbmZpZykucmVwbGFjZSgnQzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXE9uR3VhcmRcXCcsICRBZGpJbnN0YWxsUGF0aCkgfCBTZXQtQ29udGVudCBhZHZhbmNlZC5jb25maWcNCn0NCg0KY2F0Y2gNCnsNCglXcml0ZS1Ib3N0ICdVbmFibGUgdG8gdXBkYXRlIGFkdmFuY2VkLmNvbmZpZyBmaWxlIHBhdGggdG8gY2EuY2VyIHBsZWFzZSBtYW51YWxseSBjaGVjayB0aGlzIGZpbGUgbG9jYXRlZCBpbiAlcHJvZ3JhbWRhdGElXGxubFxSYWJiaXRNUScgICAgDQp9DQoNCg0KIyNDb3B5IGFkdmFuY2VkLmNvbmZpZyAmIHJhYmJpdC5jb25mIHRvIG5ldyBkaXJlY3RvcnkjIw0KDQp0cnkNCnsNCiAgICBDb3B5LUl0ZW0gLlxhZHZhbmNlZC5jb25maWcgLURlc3RpbmF0aW9uICIkZW52OnByb2dyYW1kYXRhXGxubFxSYWJiaXRNUSIgLVJlY3Vyc2UgLUVycm9yQWN0aW9uIENvbnRpbnVlIC1FcnJvclZhcmlhYmxlIGFkdg0KICAgIEN

Source: classification engine

Classification label: mal64.evad.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_03

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2sipmqla.3pw.ps1

Source: 7.5RabbitFix_V9.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 7.5RabbitFix_V9.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 7.5RabbitFix_V9.exe

Virustotal: Detection: 7%

Source: unknown	Process created: C:\Users\user\Desktop\7.5RabbitFix_V9.exe "C:\Users\user\Desktop\7.5RabbitFix_V9.exe"
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: msisip.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: wshext.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Section loaded: winnsi.dll

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 7.5RabbitFix_V9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 7.5RabbitFix_V9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 7.5RabbitFix_V9.exe, PS2EXEHostUI.cs

.Net Code: Prompt

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Process information set: NOOPENFILEERRORBOX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Memory allocated: 1390000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Memory allocated: 1B180000 memory reserve \| memory write watch

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe

Window / User API: threadDelayed 458

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe

Process information queried: ProcessInformation

Enables debug privileges

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe

Memory allocated: page read and write | page guard

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Users\user\Desktop\7.5RabbitFix_V9.exe VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\7.5RabbitFix_V9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Screenshots

Network Map

⊘No contacted IP infos

ID:	1431556
Product:	CloudBasic
Start time:	12:36:24
Start date:	25.04.2024
Sample:	7.5RabbitFix_V9.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	7ec9e3fc3f9f3cce7c965e09152726a4
SHA1:	f03293a7f7e9a1eb072e689d48c88b5f59858029
SHA256:	5c06818c78b238c60419fae8f263c931f1982ae311a365bc824e0013229ade7b
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report
7.5RabbitFix_V9.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Network Map

Windows Analysis Report 7.5RabbitFix_V9.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Network Map

Windows Analysis Report
7.5RabbitFix_V9.exe