Windows Analysis Report
vm-uw.exe

Overview

General Information

Sample name: vm-uw.exe
Analysis ID: 1455404
MD5: 78c6129bfd81f88cfb7171caf2d386a1
SHA1: f626224572dea0bc2983e3b3986bd1c1af5533ce
SHA256: aa1ad7c508d497292d1e017b946cc381be204bd641543bcf584da286eb6f685f
Tags: exetrojan

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Potentially malicious time measurement code found
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Modifies existing windows services
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Process Start Locations
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

AV Detection

Source: vm-uw.exe Avira: detected
Source: vm-uw.exe ReversingLabs: Detection: 71%
Source: vm-uw.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vm-uw.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: srvany.pdb source: vm-uw.exe, 00000000.00000003.2113641386.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, vm-uw.exe, 00000000.00000003.2113871549.00000000029F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000012.00000002.2217182264.0000000001001000.00000020.00000001.01000000.00000007.sdmp, svchost.exe, 00000012.00000000.2216197964.0000000001001000.00000020.00000001.01000000.00000007.sdmp, svchost.exe.0.dr
Source: Binary string: H:\Work\haozip\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: vm-uw.exe
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_00224F98 FindFirstFileExW, 0_2_00224F98

Networking

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: vm-uw.exe String found in binary or memory: https://haozip.2345.cc/
Source: C:\Windows\Fonts\systkm32\csrss.exe Code function: 9_2_00401070 OpenServiceA,GetLastError,DeleteService,GetLastError, 9_2_00401070
Source: C:\Users\user\Desktop\vm-uw.exe File created: C:\Windows\Fonts\systkm32\
Source: C:\Users\user\Desktop\vm-uw.exe File created: C:\Windows\Fonts\systkm32\vv.bat
Source: C:\Users\user\Desktop\vm-uw.exe File created: C:\Windows\Fonts\systkm32\csrss.exe
Source: C:\Users\user\Desktop\vm-uw.exe File created: C:\Windows\Fonts\systkm32\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\Fonts\systkm32\1.ini
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0020F8DE 0_2_0020F8DE
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001F7C90 0_2_001F7C90
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E1000 0_2_001E1000
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_002130A0 0_2_002130A0
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001FA160 0_2_001FA160
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0022720E 0_2_0022720E
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_00205306 0_2_00205306
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_002175E5 0_2_002175E5
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001EC600 0_2_001EC600
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0022C6B9 0_2_0022C6B9
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0022B6BC 0_2_0022B6BC
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001EE680 0_2_001EE680
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001F68C0 0_2_001F68C0
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_00215958 0_2_00215958
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_002189EC 0_2_002189EC
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_00217ADE 0_2_00217ADE
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E3B7E 0_2_001E3B7E
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0022DB44 0_2_0022DB44
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_00218BEC 0_2_00218BEC
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0022DBFE 0_2_0022DBFE
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0020DC0C 0_2_0020DC0C
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001F2C50 0_2_001F2C50
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_00217C58 0_2_00217C58
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0021FC5D 0_2_0021FC5D
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0022DD1B 0_2_0022DD1B
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_00226D60 0_2_00226D60
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001F3D50 0_2_001F3D50
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_00218D8D 0_2_00218D8D
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001F8F60 0_2_001F8F60
Source: C:\Windows\Fonts\systkm32\svchost.exe Code function: 18_2_01001493 18_2_01001493
Source: Joe Sandbox View Dropped File: C:\Windows\Fonts\systkm32\csrss.exe BBF4C224F9861B2C1F5A1364EE71E38728495B2709621763053B979BA88522F1
Source: vm-uw.exe Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: vm-uw.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v Description /d "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play." /t reg_sz /f
Source: classification engine Classification label: mal96.troj.evad.winEXE@38/6@0/1
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001F3F50 FormatMessageW,_wcslen,_wcslen,LocalFree,GetLastError, 0_2_001F3F50
Source: C:\Windows\Fonts\systkm32\csrss.exe Code function: CreateServiceA,GetLastError,CloseServiceHandle, 9_2_00401000
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E2777 _wcslen,CoCreateInstance,CoCreateInstance, 0_2_001E2777
Source: C:\Windows\Fonts\systkm32\svchost.exe Code function: 18_2_01001D2C StartServiceCtrlDispatcherA,GetLastError,ExitProcess, 18_2_01001D2C
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:120:WilError_03
Source: C:\Users\user\Desktop\vm-uw.exe File created: C:\Users\user\AppData\Local\Temp\HZ~F6EC.tmp
Source: C:\Users\user\Desktop\vm-uw.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systkm32\vv.bat" "
Source: vm-uw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vm-uw.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\vm-uw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vm-uw.exe ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\vm-uw.exe File read: C:\Users\user\Desktop\vm-uw.exe
Source: unknown Process created: C:\Users\user\Desktop\vm-uw.exe "C:\Users\user\Desktop\vm-uw.exe"
Source: C:\Users\user\Desktop\vm-uw.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systkm32\vv.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vm-uw.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\HZ~F6EC.tmp.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com mode con: cols=16 lines=2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Fonts\systkm32\csrss.exe C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v Description /d "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play." /t reg_sz /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v DisplayName /d "Windows Media Player Network Sharing Service." /t reg_sz /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v AppDirectory /d "C:\Windows\Fonts\systkm32" /t reg_sz /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v Application /d ""C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe" -x "C:\Windows\Logs\ubu\3333.vmx"" /t reg_sz /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start WMPNetworkSxc
Source: unknown Process created: C:\Windows\Fonts\systkm32\svchost.exe C:\Windows\Fonts\systkm32\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regini.exe regini 1.ini
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\vm-uw.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: ureg.dll
Source: C:\Windows\SysWOW64\mode.com Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\Fonts\systkm32\csrss.exe Section loaded: apphelp.dll
Source: C:\Windows\Fonts\systkm32\svchost.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\vm-uw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe File written: C:\Windows\Fonts\systkm32\1.ini
Source: vm-uw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: vm-uw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: vm-uw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: vm-uw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: vm-uw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: vm-uw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: vm-uw.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: vm-uw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: vm-uw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: vm-uw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: vm-uw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: vm-uw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E51C0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_001E51C0
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0021BDB6 push ecx; ret 0_2_0021BDC9
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0022BE63 push ecx; ret 0_2_0022BE76
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0022BE89 push ecx; ret 0_2_0022BE76
Source: C:\Windows\Fonts\systkm32\svchost.exe Code function: 18_2_010021E0 push eax; ret 18_2_010021F4
Source: C:\Windows\Fonts\systkm32\svchost.exe Code function: 18_2_010021E0 push eax; ret 18_2_0100221C
Source: C:\Windows\Fonts\systkm32\svchost.exe Code function: 18_2_0100225B push ecx; ret 18_2_0100226B

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\vm-uw.exe File created: C:\Windows\Fonts\systkm32\csrss.exe
Source: C:\Users\user\Desktop\vm-uw.exe File created: C:\Windows\Fonts\systkm32\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe Executable created and started: C:\Windows\Fonts\systkm32\csrss.exe
Source: unknown Executable created and started: C:\Windows\Fonts\systkm32\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\reg.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc
Source: C:\Windows\SysWOW64\reg.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMPNetworkSxc
Source: C:\Windows\Fonts\systkm32\svchost.exe Code function: 18_2_01001D2C StartServiceCtrlDispatcherA,GetLastError,ExitProcess, 18_2_01001D2C
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start WMPNetworkSxc
Source: C:\Users\user\Desktop\vm-uw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E18A0 rdtsc 0_2_001E18A0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_00224F98 FindFirstFileExW, 0_2_00224F98
Source: reg.exe, 0000000F.00000002.2184764355.0000000002890000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v Application /d ""C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe" -x "C:\Windows\Logs\ubu\3333.vmx"" /t reg_sz /f
Source: vv.bat.0.dr Binary or memory string: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v Application /d ""C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe" -x "C:\Windows\Logs\ubu\3333.vmx"" /t reg_sz /f

Anti Debugging

Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E1A90 0_2_001E1A90
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E1B00 0_2_001E1B00
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E18A0 rdtsc 0_2_001E18A0
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0021BB7B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0021BB7B
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E51C0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_001E51C0
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_002217B3 mov eax, dword ptr fs:[00000030h] 0_2_002217B3
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_00225C60 GetProcessHeap, 0_2_00225C60
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0021BB7B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0021BB7B
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0021BD0E SetUnhandledExceptionFilter, 0_2_0021BD0E
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0021AFAC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0021AFAC
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0021EF9A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0021EF9A
Source: C:\Windows\Fonts\systkm32\svchost.exe Code function: 18_2_0100229A SetUnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_0100229A
Source: C:\Users\user\Desktop\vm-uw.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systkm32\vv.bat" " Jump to behavior
Source: C:\Users\user\Desktop\vm-uw.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\HZ~F6EC.tmp.bat" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mode.com mode con: cols=16 lines=2 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Fonts\systkm32\csrss.exe C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v Description /d "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play." /t reg_sz /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v DisplayName /d "Windows Media Player Network Sharing Service." /t reg_sz /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v AppDirectory /d "C:\Windows\Fonts\systkm32" /t reg_sz /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v Application /d ""C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe" -x "C:\Windows\Logs\ubu\3333.vmx"" /t reg_sz /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start WMPNetworkSxc Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regini.exe regini 1.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2 Jump to behavior
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E16C0 cpuid 0_2_001E16C0
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_0022450B GetSystemTimeAsFileTime, 0_2_0022450B
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_002189EC GetVersionExW, 0_2_002189EC
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E1CE0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,InitializeCriticalSection, 0_2_001E1CE0
Source: C:\Users\user\Desktop\vm-uw.exe Code function: 0_2_001E1D80 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_001E1D80