ywXeiXEvP2.exe | PE32+ executable (GUI) x86-64, for MS Windows | initial sample

Filetype: PE32+ executable (GUI) x86-64, for MS Windows
Entropy: 7.958753575220955
Filename: ywXeiXEvP2.exe
Filesize: 3817238
MD5: a8a4603bc85e306e0fdd17655e4820e4
SHA1: 5aa5d092a699c319c4d000f61eb526445b11662d
SHA256: 4b7b7e697954f5882dd6d3e8ee6197bab6c445dbd3a5af1118caa0e1ad908a9a
SHA512: 2b3b66aaecedd0669caadd835a02b22856e03e713657aa3fc597a9431e29cc3ec570881d4fdea23218a329ab537f1c181fc9fa3e11282e123bababe2f5596474
SSDEEP: 49152:fEuq6liv5bT20EgaBojf0nMyPbCqbfgIpoXW85SAmCgVibEuYUZzMA/y8N7RDnwG:fFqpbSdgaqADhpoXB5lbkHoNM9ZFv8
Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........B#..,p..,p..,p.:.p..,p.:.p5.,p.:.p..,p<..p..,p<.(q..,p<./q..,p<.)q..,p...p..,p...p..,p...p..,p..-p..,p2.)q..,p2.,q..,p2..p..,

Signature Hits | Behavior Group | Mitre Attack
Multi AV Scanner detection for submitted file | AV Detection |
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Anti Debugging | Security Software Discovery
Contains functionality to launch a program with higher privileges | HIPS / PFW / Operating System Protection Evasion | Exploitation for Privilege Escalation
Contains functionality to query CPU information (cpuid) | Language, Device and Operating System Detection |
Contains functionality to query locales information (e.g. system language) | Language, Device and Operating System Detection | System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap) | Anti Debugging | Security Software Discovery
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Detected potential crypto function | System Summary |
File is packed with WinRar | Data Obfuscation | Security Software Discovery
PE file contains sections with non-standard names | Data Obfuscation |
Sample file is different than original file name gathered from version info | System Summary | Security Software Discovery
Checks the free space of harddrives | Malware Analysis System Evasion |
Contains functionality for error logging | System Summary |
Contains functionality to enumerate / list files inside a directory | Spreading, Malware Analysis System Evasion |
Contains functionality to load and extract PE file embedded resources | System Summary |
Contains functionality to query local / system time | Language, Device and Operating System Detection |
Contains functionality to query system information | Malware Analysis System Evasion |
Contains functionality to query windows version | Language, Device and Operating System Detection |
Contains functionality to register its own exception handler | Anti Debugging | Security Software Discovery
Creates temporary files | System Summary | Security Software Discovery
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
PE file has an executable .text section and no other executable section | System Summary |
Reads ini files | System Summary | File and Directory Discovery
Reads software policies | System Summary |
Sample is known by Antivirus | System Summary |
Sample reads its own file content | System Summary | Security Software Discovery
Tries to load missing DLLs | System Summary |
Uses an in-process (OLE) Automation server | System Summary |
PE file contains a valid data directory to section mapping | System Summary | Security Software Discovery
PE file contains a debug data directory | System Summary |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary | Security Software Discovery
PE file contains a mix of data directories often seen in goodware | System Summary |
PE file has a high image base, often used for DLLs | System Summary |
Submission file is bigger than most known malware samples | System Summary |

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\RuntimeBroker.exe
Category: dropped
Dump: RuntimeBroker.exe.8.dr
ID: dr_11
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |

C:\Program Files (x86)\jDownloader\config\conhost.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Program Files (x86)\jDownloader\config\conhost.exe
Category: dropped
Dump: conhost.exe.8.dr
ID: dr_19
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Sigma detected: System File Execution Location Anomaly | System Summary |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Drops PE files | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Program Files\Uninstall Information\OfficeClickToRun.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Program Files\Uninstall Information\OfficeClickToRun.exe
Category: dropped
Dump: OfficeClickToRun.exe.8.dr
ID: dr_33
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Category: dropped
Dump: FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe.8.dr
ID: dr_9
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Uses schtasks.exe or at.exe to add and modify task schedules | Boot Survival |
Drops PE files | Persistence and Installation Behavior |
Sigma detected: CurrentVersion Autorun Keys Modification | System Summary |
Sigma detected: CurrentVersion NT Autorun Keys Modification | System Summary |
Sigma detected: Suspicious Add Scheduled Task Parent | System Summary |
Creates files inside the program directory | System Summary |
Spawns processes | System Summary |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Program Files\Windows Multimedia Platform\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Category: dropped
Dump: FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe1.8.dr
ID: dr_15
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Spawns processes | System Summary |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Program Files\Windows Photo Viewer\en-GB\RuntimeBroker.exe
Category: dropped
Dump: RuntimeBroker.exe0.8.dr
ID: dr_31
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Program Files\Windows Photo Viewer\en-GB\UserOOBEBroker.exe
Category: dropped
Dump: UserOOBEBroker.exe.8.dr
ID: dr_25
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\ProgramData\Microsoft\Windows\Templates\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Category: dropped
Dump: FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe2.8.dr
ID: dr_21
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Recovery\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Category: dropped
Dump: FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe0.8.dr
ID: dr_13
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Spawns processes | System Summary |

C:\Recovery\XClient.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Recovery\XClient.exe
Category: dropped
Dump: XClient.exe.8.dr
ID: dr_35
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Temp\DCRatBuild.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Category: dropped
Dump: DCRatBuild.exe.1.dr
ID: dr_1
Target ID: 1
Process: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.7455500264939205
Encrypted: false
Ssdeep: 49152:tbA3wvcdwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9iD:tbOXZHEwTUzcvtpzh2xKbepZrs
Size: 3880844
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Sigma detected: WScript or CScript Dropper | System Summary |
Contains functionality to communicate with device drivers | System Summary |
Contains functionality to read the PEB | Anti Debugging |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Found potential string decryption / allocating functions | System Summary | Obfuscated Files or Information; Deobfuscate/Decode Files or Information
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript | System Summary |
Uses code obfuscation techniques (call, push, ret) | Data Obfuscation | Obfuscated Files or Information
Creates files inside the user directory | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Executes visual basic scripts | System Summary |
Might use command line arguments | System Summary | Command and Scripting Interpreter
Program exit points | Malware Analysis System Evasion |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery; Windows Management Instrumentation
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped

File: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe
Category: dropped
Dump: Result.exe.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\ywXeiXEvP2.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.727131196942866
Encrypted: false
Ssdeep: 49152:bSbA3wvcdwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9Q:+bOXZHEwTUzcvtpzh2xKbepZro
Size: 4012544
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Yara detected XWorm | Stealing of Sensitive Information, Remote Access Functionality |
Machine Learning detection for dropped file | AV Detection |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Drops PE files | Persistence and Installation Behavior |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Local\Temp\XClient.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\AppData\Local\Temp\XClient.exe
Category: dropped
Dump: XClient.exe.1.dr
ID: dr_2
Target ID: 1
Process: C:\Users\user\AppData\Local\Temp\RarSFX0\Result.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.5792271146909735
Encrypted: false
Ssdeep: 384:OLxpXSqGWjxaAiQcamYpnnGnRLGVYCwvHixdTD2VR8pkFTBLTIZwYGDcvw9Ikuia:6XNcaZodYYC4CaV9FZ9jcOjhB/45
Size: 34816
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Yara detected XWorm | Stealing of Sensitive Information, Remote Access Functionality |
Machine Learning detection for dropped file | AV Detection |
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) | Malware Analysis System Evasion | Security Software Discovery; Windows Management Instrumentation; Virtualization/Sandbox Evasion
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) | Lowering of HIPS / PFW / Operating System Security Settings | Security Software Discovery; Windows Management Instrumentation
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Creates a start menu entry (Start Menu\Programs\Startup) | Boot Survival | Registry Run Keys / Startup Folder
Drops PE files | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sigma detected: Startup Folder File Write | System Summary |
Stores files to the Windows start menu directory | Boot Survival | Registry Run Keys / Startup Folder
Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates guard pages, often used to prevent reverse engineering and debugging | Anti Debugging |
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Queries the cryptographic machine GUID | Language, Device and Operating System Detection | System Information Discovery
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |

C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Category: dropped
Dump: ServerWeb.exe.2.dr
ID: dr_5
Target ID: 2
Process: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Sigma detected: Schedule system process | Persistence and Installation Behavior |
Creates an autostart registry key pointing to binary in C:\Windows | Boot Survival | Registry Run Keys / Startup Folder
Creates an undocumented autostart registry key | Boot Survival | Registry Run Keys / Startup Folder
Creates multiple autostart registry keys | Boot Survival | Registry Run Keys / Startup Folder
Creates processes via WMI | Persistence and Installation Behavior | Windows Management Instrumentation
Disable UAC(promptonsecuredesktop) | Lowering of HIPS / PFW / Operating System Security Settings | Bypass User Account Control
Disables UAC (registry) | Lowering of HIPS / PFW / Operating System Security Settings |
Machine Learning detection for dropped file | AV Detection |
Sigma detected: Files With System Process Name In Unsuspected Locations | System Summary |
Uses schtasks.exe or at.exe to add and modify task schedules | Boot Survival |
Allocates memory with a write watch (potentially for evading sandboxes) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Contains long sleeps (>= 3 min) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Creates a window with clipboard capturing capabilities | Key, Mouse, Clipboard, Microphone and Screen Capturing |
Creates files inside the system directory | System Summary |
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Drops PE files to the windows directory (C:\Windows) | Persistence and Installation Behavior |
Enables debug privileges | Anti Debugging |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) | Malware Analysis System Evasion |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection | System Information Discovery
Sigma detected: CurrentVersion Autorun Keys Modification | System Summary |
Sigma detected: CurrentVersion NT Autorun Keys Modification | System Summary |
Sigma detected: Suspicious Add Scheduled Task Parent | System Summary |
Checks the free space of harddrives | Malware Analysis System Evasion | System Information Discovery
Contains medium sleeps (>= 30s) | Malware Analysis System Evasion | Virtualization/Sandbox Evasion
Creates an autostart registry key | Boot Survival | Registry Run Keys / Startup Folder
Creates files inside the program directory | System Summary |
Creates mutexes | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
Queries a list of all running processes | Malware Analysis System Evasion |
Queries process information (via WMI, Win32_Process) | System Summary | System Information Discovery; Windows Management Instrumentation
Spawns processes | System Summary |
Tries to load missing DLLs | System Summary |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe | data | dropped

File: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\UGsUclNNu9UBh.vbe
Category: dropped
Dump: UGsUclNNu9UBh.vbe.2.dr
ID: dr_6
Target ID: 2
Process: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Type: data
Entropy: 5.874652570260906
Encrypted: false
Ssdeep: 6:Gbt2wqK+NkLzWbHo18nZNDd3RL1wQJRZ7CvdhtMGoIRP:GxMCzWLo14d3XBJr7weG5
Size: 239
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Sigma detected: WScript or CScript Dropper | System Summary |
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion |
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript | System Summary |
Spawns processes | System Summary |

C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\sihost.exe
Category: dropped
Dump: sihost.exe.8.dr
ID: dr_17
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |

C:\Users\user\AppData\Roaming\XClient.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Users\user\AppData\Roaming\XClient.exe
Category: dropped
Dump: XClient.exe.3.dr
ID: dr_7
Target ID: 3
Process: C:\Users\user\AppData\Local\Temp\XClient.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 5.5792271146909735
Encrypted: false
Ssdeep: 384:OLxpXSqGWjxaAiQcamYpnnGnRLGVYCwvHixdTD2VR8pkFTBLTIZwYGDcvw9Ikuia:6XNcaZodYYC4CaV9FZ9jcOjhB/45
Size: 34816
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Antivirus detection for dropped file | AV Detection |
Yara detected XWorm | Stealing of Sensitive Information, Remote Access Functionality |
Machine Learning detection for dropped file | AV Detection |
Drops PE files | Persistence and Installation Behavior |

C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Windows\ELAMBKUP\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Category: dropped
Dump: FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe5.8.dr
ID: dr_29
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates files inside the system directory | System Summary |
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the windows directory (C:\Windows) | Persistence and Installation Behavior |

C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Windows\IME\IMEKR\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Category: dropped
Dump: FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe4.8.dr
ID: dr_27
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates files inside the system directory | System Summary |
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the windows directory (C:\Windows) | Persistence and Installation Behavior |

C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped

File: C:\Windows\IdentityCRL\FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe
Category: dropped
Dump: FMxFFfLOKpqCLtTFEmbkPKJrDwH.exe3.8.dr
ID: dr_23
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy: 7.781810498852624
Encrypted: false
Ssdeep: 49152:adwQZHEwTDiztbzw4zcvOCpkA4CKDOh2ukUZLMAD22T7Xp/whX7ZUWR9i:2XZHEwTUzcvtpzh2xKbepZr
Size: 3549696
Whitelisted: false
Reputation: timeout

Signature Hits | Behavior Group | Mitre Attack
Creates files inside the system directory | System Summary |
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the windows directory (C:\Windows) | Persistence and Installation Behavior |
Spawns processes | System Summary |

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\9e8d7a4ca61bd9
File: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\9e8d7a4ca61bd9
Category: dropped
Dump: 9e8d7a4ca61bd9.8.dr
ID: dr_12
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (609), with no line terminators
Entropy: 5.887540865257822
Encrypted: false
Ssdeep: 12:jDRlQyyqk2HyrQec0YwU98gde9ozm99IpLrlvVqe9+dKTRFyFfz6:jjyZ2SLcbw3gC99IL0CPRYFb6
Size: 609
Whitelisted: false
Reputation: timeout

C:\Program Files (x86)\jDownloader\config\088424020bedd6
File: C:\Program Files (x86)\jDownloader\config\088424020bedd6
Category: dropped
Dump: 088424020bedd6.8.dr
ID: dr_20
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (432), with no line terminators
Entropy: 5.8750345879664
Encrypted: false
Ssdeep: 12:P1LfkhMOMhXXXHiJCNjiPnnkEiMS9108q:PpLHiJCNEnZRC08q
Size: 432
Whitelisted: false
Reputation: timeout

C:\Program Files\Uninstall Information\e6c9b481da804f
File: C:\Program Files\Uninstall Information\e6c9b481da804f
Category: dropped
Dump: e6c9b481da804f.8.dr
ID: dr_34
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with no line terminators
Entropy: 5.554890344299369
Encrypted: false
Ssdeep: 3:jqkuXUcD/Xa2RO/WiAlEQlYnulnJvJJImPiBfR:WkqFD/Xa2ROPjQlYuJJvPipR
Size: 116
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Creates a directory in C:\Program Files | Compliance, System Summary

C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\d908c538d2e8d0
File: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\d908c538d2e8d0
Category: dropped
Dump: d908c538d2e8d0.8.dr
ID: dr_10
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with no line terminators
Entropy: 5.560983050217844
Encrypted: false
Ssdeep: 3:dWCV0m6SCS7PiOJ5bh8icAhhJ7V2STRdbRX33:0mcSPhh/7cST7b5
Size: 104
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Creates a directory in C:\Program Files | Compliance, System Summary

C:\Program Files\Windows Multimedia Platform\d908c538d2e8d0
File: C:\Program Files\Windows Multimedia Platform\d908c538d2e8d0
Category: dropped
Dump: d908c538d2e8d01.8.dr
ID: dr_16
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (820), with no line terminators
Entropy: 5.905800036154983
Encrypted: false
Ssdeep: 24:IudYd3Kge+6gpyoUe/8LHKvyC91BgnbalbuRcFuY6:Itd3Kgppp/ESG/qw
Size: 820
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Creates a directory in C:\Program Files | Compliance, System Summary

C:\Program Files\Windows Photo Viewer\en-GB\7ccfebd9e92364
File: C:\Program Files\Windows Photo Viewer\en-GB\7ccfebd9e92364
Category: dropped
Dump: 7ccfebd9e92364.8.dr
ID: dr_26
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (609), with no line terminators
Entropy: 5.875432697415312
Encrypted: false
Ssdeep: 12:TFhjX70Xt56Lr404uxFAP/CJ5GlXMFox4RKyZCVQZu+Tjj:TFhO76o04YP5Gxre4yQQZu+nj
Size: 609
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Creates a directory in C:\Program Files | Compliance, System Summary

C:\Program Files\Windows Photo Viewer\en-GB\9e8d7a4ca61bd9
File: C:\Program Files\Windows Photo Viewer\en-GB\9e8d7a4ca61bd9
Category: dropped
Dump: 9e8d7a4ca61bd90.8.dr
ID: dr_32
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (385), with no line terminators
Entropy: 5.804371664903968
Encrypted: false
Ssdeep: 6:ejpmQaVsTMB98P5+Rtjmdy6vAMyIvTAFVkG63Bcy/fKYB+UMHO/DhCNYihwDrejj:EIDVsTyr6bykTAFVSB7/fzg/hwy
Size: 385
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Creates a directory in C:\Program Files | Compliance, System Summary

C:\ProgramData\Microsoft\Windows\Templates\d908c538d2e8d0
File: C:\ProgramData\Microsoft\Windows\Templates\d908c538d2e8d0
Category: dropped
Dump: d908c538d2e8d02.8.dr
ID: dr_22
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (840), with no line terminators
Entropy: 5.899287851191481
Encrypted: false
Ssdeep: 24:8bYQ3wAGv76kRbrOWIHa84YbEmXh8CK9+l+MyewJoIwHvcV7FO:a3w/v76ErUHFtbHX8kzlwx/Bs
Size: 840
Whitelisted: false
Reputation: timeout

C:\Recovery\cf20f2cf4406ff
File: C:\Recovery\cf20f2cf4406ff
Category: dropped
Dump: cf20f2cf4406ff.8.dr
ID: dr_36
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (448), with no line terminators
Entropy: 5.832145273021852
Encrypted: false
Ssdeep: 12:DLuHHtp65cBqEBwqOusV6lblNouJHfjRXn1X5CNps2nKDay:DyntwiBqXqOus6piGfjRlXMNps2Py
Size: 448
Whitelisted: false
Reputation: timeout

C:\Recovery\d908c538d2e8d0
File: C:\Recovery\d908c538d2e8d0
Category: dropped
Dump: d908c538d2e8d00.8.dr
ID: dr_14
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (662), with no line terminators
Entropy: 5.899444164976039
Encrypted: false
Ssdeep: 12:iR9TsBxWwNIOI4M5fq06yGEWPguDA13zOH8otxyddofeu:4kxWCI9jOyGT4uDA1DOH9xUdofeu
Size: 662
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServerWeb.exe.log
File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServerWeb.exe.log
Category: dropped
Dump: ServerWeb.exe.log.8.dr
ID: dr_37
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with CRLF line terminators
Entropy: 5.363869398054153
Encrypted: false
Ssdeep: 48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpvJHVHmHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpB1Gq2
Size: 1915
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Category: dropped
Dump: conhost.exe.log.38.dr
ID: dr_38
Target ID: 38
Process: C:\Program Files (x86)\jDownloader\config\conhost.exe
Type: CSV text
Entropy: 5.370111951859942
Encrypted: false
Ssdeep: 24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
Size: 1281
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs
File: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\file.vbs
Category: dropped
Dump: file.vbs.2.dr
ID: dr_3
Target ID: 2
Process: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Type: ASCII text, with no line terminators
Entropy: 4.124083797069061
Encrypted: false
Ssdeep: 3:LlzRWDNMSdn:PWbn
Size: 34
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion
Executes visual basic scripts | System Summary
Spawns processes | System Summary

C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat
File: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\hUqNkgIMv7nY24UYezK0etl.bat
Category: dropped
Dump: hUqNkgIMv7nY24UYezK0etl.bat.2.dr
ID: dr_4
Target ID: 2
Process: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe
Type: ASCII text, with no line terminators
Entropy: 5.009104760931058
Encrypted: false
Ssdeep: 3:BtV+EM0XRAGKkljrAEFDFQNBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMhF7FKD:BIMekFiTStuH1jhRiI36BY
Size: 170
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Creates a process in suspended mode (likely to inject code) | HIPS / PFW / Operating System Protection Evasion
Executes batch files | System Summary
Spawns processes | System Summary

C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\66fc9ff0ee96c2
File: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\66fc9ff0ee96c2
Category: dropped
Dump: 66fc9ff0ee96c2.8.dr
ID: dr_18
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (427), with no line terminators
Entropy: 5.832519112443163
Encrypted: false
Ssdeep: 12:nOEQDiVsjsLkL84gqyqjIm9KUL1AgR8WEfGLa33Lc8WK:nOrDiVAs+84dIK7APWEl7NR
Size: 427
Whitelisted: false
Reputation: timeout

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk
Category: dropped
Dump: XClient.lnk.3.dr
ID: dr_8
Target ID: 3
Process: C:\Users\user\AppData\Local\Temp\XClient.exe
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jun 11 17:07:08 2024, mtime=Tue Jun 11 17:07:08 2024, atime=Tue Jun 11 17:07:08 2024, length=34816, window=hide
Entropy: 5.074344665573905
Encrypted: false
Ssdeep: 12:8e124dO0WCiTu8dY//YFLbHK9jAsVDrHkJ/BmV:8eps/JTd+whbHK5AsVDYJ/Bm
Size: 764
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Creates a start menu entry (Start Menu\Programs\Startup) | Boot Survival | Registry Run Keys / Startup Folder
Sigma detected: Startup Folder File Write | System Summary
Stores files to the Windows start menu directory | Boot Survival | Registry Run Keys / Startup Folder

C:\Windows\ELAMBKUP\d908c538d2e8d0
File: C:\Windows\ELAMBKUP\d908c538d2e8d0
Category: dropped
Dump: d908c538d2e8d05.8.dr
ID: dr_30
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (563), with no line terminators
Entropy: 5.879761936610048
Encrypted: false
Ssdeep: 12:X4fkF8Tl/SXjOHm9knJSOk8vWGefvpTBHAl7iyNVUcBu10U:XpzTlIJSL+Wttg990kS
Size: 563
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Creates files inside the system directory | System Summary

C:\Windows\IME\IMEKR\d908c538d2e8d0
File: C:\Windows\IME\IMEKR\d908c538d2e8d0
Category: dropped
Dump: d908c538d2e8d04.8.dr
ID: dr_28
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with no line terminators
Entropy: 3.625
Encrypted: false
Ssdeep: 3:cuW5ccK:zW5ccK
Size: 16
Whitelisted: false
Reputation: timeout
Signature Hits | Behavior Group | Mitre Attack
Creates files inside the system directory | System Summary

C:\Windows\IdentityCRL\d908c538d2e8d0
File: C:\Windows\IdentityCRL\d908c538d2e8d0
Category: dropped
Dump: d908c538d2e8d03.8.dr
ID: dr_24
Target ID: 8
Process: C:\Users\user\AppData\Roaming\Hypercontainercomponentnetcommon\ServerWeb.exe
Type: ASCII text, with very long lines (982), with no line terminators
Entropy: 5.906822978826983
Encrypted: false
Ssdeep: 24:K7BuBiAA6B10Hj3sFASelzPbPgLqgnsnncmOibuhfHgC:FBiAA6P0HYGD7kL2cmOrfz
Size: 982
Whitelisted: false