Windows Analysis Report
2k632W2O.exe

Overview

General Information

Sample name: 2k632W2O.exe
Analysis ID: 1432375
MD5: c86947b39d174d841baff455f5bc4d03
SHA1: fb8d372a911b26dbf616c4efd1d5f8e408892fcc
SHA256: 351af05dcb67212eef807b66820666970ec6a6ad0607cc110588f341bbb01519

Detection

Clipboard Hijacker
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Clipboard Hijacker
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Yara signature match

Classification

AV Detection

Source: 2k632W2O.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Avira: detection malicious, Label: HEUR/AGEN.1313480
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe ReversingLabs: Detection: 91%
Source: 2k632W2O.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Joe Sandbox ML: detected
Source: 2k632W2O.exe Joe Sandbox ML: detected
Source: 2k632W2O.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49719 version: TLS 1.2
Source: 2k632W2O.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: global traffic DNS traffic detected: DNS query: www.google.com

System Summary

Source: 5.2.PerfWatson2.exe.650000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0.2.2k632W2O.exe.5c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000005.00000002.3665226219.0000000000651000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000000.00000002.1232588140.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 2k632W2O.exe Static PE information: section name: ."V/
Source: PerfWatson2.exe.0.dr Static PE information: section name: ."V/
Source: 2k632W2O.exe, 00000000.00000002.1233255330.0000000000FEF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePerfWatson2.exeT vs 2k632W2O.exe
Source: 2k632W2O.exe Binary or memory string: OriginalFilenamePerfWatson2.exeT vs 2k632W2O.exe
Source: 2k632W2O.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.PerfWatson2.exe.650000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0.2.2k632W2O.exe.5c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000005.00000002.3665226219.0000000000651000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000000.00000002.1232588140.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: classification engine Classification label: mal100.spyw.evad.winEXE@29/5@2/4
Source: C:\Users\user\Desktop\2k632W2O.exe File created: C:\Users\user\AppData\Roaming\Microsoft\PerfMon
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Mutant created: \Sessions\1\BaseNamedObjects\3113225624820686
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_03
Source: C:\Users\user\Desktop\2k632W2O.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2k632W2O.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\2k632W2O.exe File read: C:\Users\user\Desktop\2k632W2O.exe
Source: unknown Process created: C:\Users\user\Desktop\2k632W2O.exe "C:\Users\user\Desktop\2k632W2O.exe"
Source: C:\Users\user\Desktop\2k632W2O.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2k632W2O.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2k632W2O.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /XML "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\1201824912038.xml"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=2320,i,9069043476438568243,10755491246426050170,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\2k632W2O.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2k632W2O.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\2k632W2O.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\2k632W2O.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Section loaded: wldp.dll
Source: 2k632W2O.exe Static file information: File size 6861312 > 1048576
Source: 2k632W2O.exe Static PE information: Raw size of .VGF is bigger than: 0x100000 < 0x689e00
Source: 2k632W2O.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sample Static PE information: section where entry point is pointing to: .VGF
Source: 2k632W2O.exe Static PE information: section name: .WVa
Source: 2k632W2O.exe Static PE information: section name: ."V/
Source: 2k632W2O.exe Static PE information: section name: .VGF
Source: PerfWatson2.exe.0.dr Static PE information: section name: .WVa
Source: PerfWatson2.exe.0.dr Static PE information: section name: ."V/
Source: PerfWatson2.exe.0.dr Static PE information: section name: .VGF
Source: C:\Users\user\Desktop\2k632W2O.exe File created: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe

Boot Survival

Source: C:\Users\user\Desktop\2k632W2O.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 5 /tn "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}" /tr "C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe"

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\2k632W2O.exe Memory written: PID: 7092 base: 1580005 value: E9 8B 2F 1E 76
Source: C:\Users\user\Desktop\2k632W2O.exe Memory written: PID: 7092 base: 77762F90 value: E9 7A D0 E1 89
Source: C:\Users\user\Desktop\2k632W2O.exe Memory written: PID: 7092 base: 1590007 value: E9 EB DF 20 76
Source: C:\Users\user\Desktop\2k632W2O.exe Memory written: PID: 7092 base: 7779DFF0 value: E9 1E 20 DF 89
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Memory written: PID: 2440 base: 11D0005 value: E9 8B 2F 59 76
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Memory written: PID: 2440 base: 77762F90 value: E9 7A D0 A6 89
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Memory written: PID: 2440 base: 11E0007 value: E9 EB DF 5B 76
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Memory written: PID: 2440 base: 7779DFF0 value: E9 1E 20 A4 89

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\2k632W2O.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe System information queried: FirmwareTableInformation
Source: 2k632W2O.exe, 00000000.00000002.1233362169.000000000165E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL?V
Source: C:\Users\user\Desktop\2k632W2O.exe RDTSC instruction interceptor: First address: 7550FE second address: 755C22 instructions: 0x00000000 rdtsc 0x00000002 cmp cx, ax 0x00000005 cmc 0x00000006 sub ebp, 00000008h 0x0000000c jmp 00007FB084E2BF7Bh 0x00000011 mov dword ptr [ebp+00h], edx 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 rol dl, 00000074h 0x0000001b mov edx, dword ptr [edi] 0x0000001d test edi, 2BEE051Bh 0x00000023 clc 0x00000024 lea edi, dword ptr [edi+00000004h] 0x0000002a test di, cx 0x0000002d test di, 6F02h 0x00000032 xor edx, ebx 0x00000034 stc 0x00000035 xor edx, 59512E5Eh 0x0000003b bswap edx 0x0000003d cmc 0x0000003e rol edx, 03h 0x00000041 sub edx, 20631BC0h 0x00000047 xor ebx, edx 0x00000049 add esi, edx 0x0000004b jmp 00007FB084A14BD4h 0x00000050 jmp 00007FB084CD4BB6h 0x00000055 lea ecx, dword ptr [esp+60h] 0x00000059 cmp ebp, ecx 0x0000005b jmp 00007FB084BB6B64h 0x00000060 ja 00007FB084F68E25h 0x00000066 jmp esi 0x00000068 mov ecx, dword ptr [ebp+00h] 0x0000006c rdtsc
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe RDTSC instruction interceptor: First address: 7E50FE second address: 7E5C22 instructions: 0x00000000 rdtsc 0x00000002 cmp cx, ax 0x00000005 cmc 0x00000006 sub ebp, 00000008h 0x0000000c jmp 00007FB0849E30EBh 0x00000011 mov dword ptr [ebp+00h], edx 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 rol dl, 00000074h 0x0000001b mov edx, dword ptr [edi] 0x0000001d test edi, 2BEE051Bh 0x00000023 clc 0x00000024 lea edi, dword ptr [edi+00000004h] 0x0000002a test di, cx 0x0000002d test di, 6F02h 0x00000032 xor edx, ebx 0x00000034 stc 0x00000035 xor edx, 59512E5Eh 0x0000003b bswap edx 0x0000003d cmc 0x0000003e rol edx, 03h 0x00000041 sub edx, 20631BC0h 0x00000047 xor ebx, edx 0x00000049 add esi, edx 0x0000004b jmp 00007FB0845CBD44h 0x00000050 jmp 00007FB08488BD26h 0x00000055 lea ecx, dword ptr [esp+60h] 0x00000059 cmp ebp, ecx 0x0000005b jmp 00007FB08476DCD4h 0x00000060 ja 00007FB084B1FF95h 0x00000066 jmp esi 0x00000068 mov ecx, dword ptr [ebp+00h] 0x0000006c rdtsc
Source: C:\Users\user\Desktop\2k632W2O.exe Special instruction interceptor: First address: F2F857 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\2k632W2O.exe Special instruction interceptor: First address: EA78A2 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Special instruction interceptor: First address: FBF857 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Special instruction interceptor: First address: F378A2 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Window / User API: threadDelayed 1190
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Window / User API: threadDelayed 8805
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe TID: 2696 Thread sleep count: 1190 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe TID: 2696 Thread sleep time: -267750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe TID: 2696 Thread sleep count: 8805 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe TID: 2696 Thread sleep time: -1981125s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\2k632W2O.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\2k632W2O.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\2k632W2O.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\2k632W2O.exe System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\2k632W2O.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\2k632W2O.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Microsoft\PerfMon\PerfWatson2.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\2k632W2O.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /Query /XML /TN "PerformanceMonitor_{Y6F7A6L1Q3V2W4S7}"

Stealing of Sensitive Information

Source: Yara match File source: 5.2.PerfWatson2.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2k632W2O.exe.5c0000.0.unpack, type: UNPACKEDPE