
Analysis Report iLn0zUxScW

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 156327
Start date: 25.07.2019
Start time: 14:08:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 48s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: iLn0zUxScW (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.adwa.evad.winEXE@24/1029@0/0
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 94.6%)
  • Quality average: 84.2%
  • Quality standard deviation: 26.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, VSSVC.exe, CompatTelRunner.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 100 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Execution through API 1 | Hidden Files and Directories 1 | Startup Items 2 | Hidden Files and Directories 1 | Input Capture 1 | System Time Discovery 1 | Application Deployment Software | Input Capture 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Service Execution | Startup Items 2 | Process Injection 11 | Disabling Security Tools 2 | Network Sniffing | Query Registry 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Windows Management Instrumentation | Registry Run Keys / Startup Folder 121 | Path Interception | Software Packing 1 | Input Capture | Process Discovery 3 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 11 | Credentials in Files | Security Software Discovery 21 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | File Deletion 2 | Account Manipulation | File and Directory Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 1 | Brute Force | System Information Discovery 22 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | DLL Side-Loading 1 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for sample
Source: iLn0zUxScW.exe | Avira: Label: TR/Crypt.XPACK.Gen
Source: iLn0zUxScW.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for submitted file
Source: iLn0zUxScW.exe | virustotal: Detection: 78%
Antivirus or Machine Learning detection for unpacked file
Source: 14.2.iLn0zUxScW.exe.360000.0.unpack | Joe Sandbox ML: detected
Source: 24.1.iLn0zUxScW.exe.e10000.0.unpack | Joe Sandbox ML: detected
Source: 0.0.iLn0zUxScW.exe.10000.0.unpack | Joe Sandbox ML: detected
Source: 15.1.iLn0zUxScW.exe.360000.0.unpack | Joe Sandbox ML: detected
Source: 14.0.iLn0zUxScW.exe.360000.0.unpack | Joe Sandbox ML: detected
Source: 19.2.iLn0zUxScW.exe.360000.0.unpack | Joe Sandbox ML: detected
Source: 14.1.iLn0zUxScW.exe.360000.0.unpack | Joe Sandbox ML: detected
Source: 15.0.iLn0zUxScW.exe.360000.0.unpack | Joe Sandbox ML: detected
Source: 1.1.iLn0zUxScW.exe.10000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.iLn0zUxScW.exe.10000.0.unpack | Joe Sandbox ML: detected
Source: 19.1.iLn0zUxScW.exe.360000.0.unpack | Joe Sandbox ML: detected
Source: 1.0.iLn0zUxScW.exe.10000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.iLn0zUxScW.exe.10000.0.unpack | Joe Sandbox ML: detected
Source: 19.0.iLn0zUxScW.exe.360000.0.unpack | Joe Sandbox ML: detected
Source: 15.2.iLn0zUxScW.exe.360000.0.unpack | Joe Sandbox ML: detected
Source: 1.2.iLn0zUxScW.exe.10000.0.unpack | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_00013E72 _malloc,_memmove,CryptDestroyKey,0_2_00013E72
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_00013F30 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptDestroyKey,0_2_00013F30
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_00014D46 SetFileAttributesW,_wcsrchr,GetFileAttributesW,CreateFileW,SetFilePointerEx,SetFilePointerEx,SetFilePointerEx,CreateFileW,_memset,WriteFile,ReadFile,_memmove,CryptDestroyKey,WriteFile,CryptDestroyKey,CloseHandle,FindCloseChangeNotification,FindCloseChangeNotification,DeleteFileW,0_2_00014D46
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_00015193 SetFileAttributesW,_wcsrchr,MoveFileW,CreateFileW,_memmove,CryptDestroyKey,SetFilePointerEx,WriteFile,SetEndOfFile,MoveFileW,FindCloseChangeNotification,0_2_00015193
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_000141DD CryptAcquireContextW,CryptGenRandom,_rand,_memmove,0_2_000141DD
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_0001403E CryptAcquireContextW,CryptGenRandom,0_2_0001403E
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_00013FBD _memmove,CryptEncrypt,0_2_00013FBD
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_00013FFF _memmove,CryptDecrypt,0_2_00013FFF
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_00363E72 _malloc,_memmove,CryptDestroyKey,14_2_00363E72
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_00363F30 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptDestroyKey,14_2_00363F30
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_0036403E CryptAcquireContextW,CryptGenRandom,14_2_0036403E
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_00364D46 SetFileAttributesW,_wcsrchr,GetFileAttributesW,CreateFileW,SetFilePointerEx,SetFilePointerEx,SetFilePointerEx,CreateFileW,_memset,WriteFile,ReadFile,_memmove,CryptDestroyKey,WriteFile,CryptDestroyKey,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,14_2_00364D46
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_00363FBD _memmove,CryptEncrypt,14_2_00363FBD
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_00365193 SetFileAttributesW,_wcsrchr,MoveFileW,CreateFileW,_memmove,CryptDestroyKey,SetFilePointerEx,WriteFile,SetEndOfFile,MoveFileW,CloseHandle,14_2_00365193
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_00363FFF _memmove,CryptDecrypt,14_2_00363FFF
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_003641DD CryptAcquireContextW,CryptGenRandom,_rand,_memmove,14_2_003641DD

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_000156D4 _malloc,FindFirstFileW,FindNextFileW,FindClose,_free,0_2_000156D4
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_003656D4 _malloc,FindFirstFileW,FindNextFileW,FindClose,_free,14_2_003656D4

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: iLn0zUxScW.exe, 00000000.00000002.23940749410.00000000001A0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Detected Phobos Ransomware
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_00012F69 _malloc,GetVersion,_memset,CloseHandle,GetModuleHandleA,GetProcAddress,GetShellWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,DuplicateTokenEx,CreateProcessWithTokenW,FindCloseChangeNotification,FindCloseChangeNotification,FindCloseChangeNotification,FindCloseChangeNotification,FindCloseChangeNotification,_free,0_2_00012F69
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_00362F69 _malloc,GetVersion,_memset,CloseHandle,GetModuleHandleA,GetProcAddress,GetShellWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,_free,14_2_00362F69
Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: iLn0zUxScW.exe, 00000000.00000002.23938722933.0000000000130000.00000004.00000040.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: vssadmin.exe, 00000007.00000002.23540143069.0000025994D80000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000007.00000002.23540143069.0000025994D80000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000007.00000002.23540143069.0000025994D80000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000007.00000002.23540143069.0000025994D80000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000007.00000002.23540143069.0000025994D80000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000007.00000002.23540186663.0000025994D95000.00000004.00000040.sdmp | Binary or memory string: vssadmindeleteshadows/all/quiet$(Z
Source: vssadmin.exe, 00000007.00000002.23540214540.0000025994DD0000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quietvssadmin delete shadows /all /quietWinSta0\Default:r
Source: vssadmin.exe, 00000007.00000002.23540214540.0000025994DD0000.00000004.00000020.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000007.00000002.23540214540.0000025994DD0000.00000004.00000020.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet~r
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Writes many files with high entropy
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Adobe\ARM\S\18392\AdobeARM.msi.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99980426361
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Adobe\ARM\S\18392\AdobeARMHelper.exe.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99957610186
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Adobe\ARM\S\20227\AdobeARM.msi.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.9998500317
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Adobe\ARM\S\ARM.msi.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99979735372
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99977951854
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99962123898
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99952119127
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99849059759
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\wordEtw.man.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99983299173
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\windows.uif_ondemand.xml.inbox.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99983066263
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A605F2A5-9D01-4691-9FDC-BE6391D70203\en-us.16\MasterDescriptor.en-us.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99352698612
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99977521262
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A605F2A5-9D01-4691-9FDC-BE6391D70203\en-us.16\stream.x86.en-us.man.dat.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99984505723
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A605F2A5-9D01-4691-9FDC-BE6391D70203\x-none.16\MasterDescriptor.x-none.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99421070724
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99986555765
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Network\Downloader\edbres00002.jrs.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99985267549
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99965683899
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.9949603339
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.9993643442
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99859838606
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99855834681
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99901734931
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99823271024
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99374498249
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99330798012
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99343043861
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99300537371
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.9997803319
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99822033694
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.9976421628
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Network\Downloader\edb.log.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99992900922
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99901848377
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99986565034
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\customizations.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99970100395
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99962966653
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\customizations.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99699134726
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99647750463
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99705223603
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99728549229
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.9990528708
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99973486533
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99969775725
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Windows\AppxProvisioning.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99117386805
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.9993138586
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99972034478
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\34__Connections.provxml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99349851138
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-2018-11-22.xml.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.99387248621
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.9922121835
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db.id[3C4E0000-1096].[lockhelp@qq.com].acute entropy: 7.9995993765
Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_00013F30 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptDestroyKey,0_2_00013F30
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_00363F30 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptDestroyKey,14_2_00363F30

Operating System Destruction:

Mass deletion, destroys many files
Source: c:\users\user\desktop\iln0zuxscw.exe | File deleted: Number of file deletion 494 exceeds threshold 400

System Summary:

Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_01
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\10963C4E000000
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\10963C4E000001
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2392:120:WilError_01
Sample file is different than original file name gathered from version info
Source: iLn0zUxScW.exe, 00000001.00000002.23991596053.0000000002860000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs iLn0zUxScW.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File read: C:\Users\user\Desktop\iLn0zUxScW.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iLn0zUxScW.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal100.rans.adwa.evad.winEXE@24/1029@0/0
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_000132FA CreateToolhelp32Snapshot,_memset,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,FindCloseChangeNotification,0_2_000132FA
Creates files inside the user directory
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File created: C:\Users\user\AppData\Local\iLn0zUxScW.exe\:Zone.Identifier:$DATA
PE file has an executable .text section and no other executable section
Source: iLn0zUxScW.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | File read: C:\$Recycle.Bin\S-1-5-18\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: iLn0zUxScW.exe | virustotal: Detection: 78%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\iLn0zUxScW.exe 'C:\Users\user\Desktop\iLn0zUxScW.exe'
Source: unknown | Process created: C:\Users\user\Desktop\iLn0zUxScW.exe C:\Users\user\Desktop\iLn0zUxScW.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\netsh.exe netsh firewall set opmode mode=disable
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: unknown | Process created: C:\Users\user\AppData\Local\iLn0zUxScW.exe 'C:\Users\user\AppData\Local\iLn0zUxScW.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\iLn0zUxScW.exe 'C:\Users\user\AppData\Local\iLn0zUxScW.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\iLn0zUxScW.exe 'C:\Users\user\AppData\Local\iLn0zUxScW.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iLn0zUxScW.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iLn0zUxScW.exe'
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall set opmode mode=disable
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\vssadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: iLn0zUxScW.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a valid data directory to section mapping
Source: iLn0zUxScW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iLn0zUxScW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iLn0zUxScW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iLn0zUxScW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iLn0zUxScW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_000195CB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_000195CB
PE file contains sections with non-standard names
Source: iLn0zUxScW.exe | Static PE information: section name: .cdata
Source: iLn0zUxScW.exe.0.dr | Static PE information: section name: .cdata
Source: iLn0zUxScW.exe0.0.dr | Static PE information: section name: .cdata
Source: iLn0zUxScW.exe.1.dr | Static PE information: section name: .cdata
Source: iLn0zUxScW.exe0.1.dr | Static PE information: section name: .cdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\iLn0zUxScW.exe | Code function: 0_2_00018A95 push ecx; ret 0_2_00018AA8
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe | Code function: 14_2_00368A95 push ecx; ret 14_2_00368AA8

Persistence and Installation Behavior:

Uses bcdedit to modify the Windows boot settings
Source: unknown Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: unknown Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Drops PE files
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: C:\Users\user\AppData\Local\iLn0zUxScW.exe
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\iLn0zUxScW.exe
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iLn0zUxScW.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\iLn0zUxScW.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\iLn0zUxScW.exe
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iLn0zUxScW.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: c:\programdata\microsoft\windows\start menu\programs\startup\iLn0zUxScW.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: c:\programdata\microsoft\windows\start menu\programs\startup\iLn0zUxScW.exe
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\iLn0zUxScW.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\iLn0zUxScW.exe
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iLn0zUxScW.exe\:Zone.Identifier:$DATA
Creates an autostart registry key
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iLn0zUxScW
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run iLn0zUxScW

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself
Source: C:\Users\user\Desktop\iLn0zUxScW.exe File created: C:\$Recycle.Bin\S-1-5-18\desktop.ini.id[3C4E0000-1096].[lockhelp@qq.com].acute
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_14-5405
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_14-5220
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-5400
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_14-6267
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-6274
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\iLn0zUxScW.exe TID: 4384 Thread sleep count: 42 > 30
Source: C:\Users\user\Desktop\iLn0zUxScW.exe TID: 2788 Thread sleep count: 107 > 30
Source: C:\Users\user\Desktop\iLn0zUxScW.exe TID: 2788 Thread sleep time: -107000s >= -30000s
Source: C:\Users\user\Desktop\iLn0zUxScW.exe TID: 1400 Thread sleep time: -180000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Code function: 0_2_000156D4 _malloc,FindFirstFileW,FindNextFileW,FindClose,_free, 0_2_000156D4
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe Code function: 14_2_003656D4 _malloc,FindFirstFileW,FindNextFileW,FindClose,_free, 14_2_003656D4
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: iLn0zUxScW.exe, 00000001.00000002.23991596053.0000000002860000.00000002.00000001.sdmp, WMIC.exe, 0000000B.00000002.23545712891.0000024D3BC80000.00000002.00000001.sdmp, bcdedit.exe, 0000000C.00000002.23547614933.00000238FCF20000.00000002.00000001.sdmp, bcdedit.exe, 0000000D.00000002.23549457200.000001EED8E60000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: iLn0zUxScW.exe, 00000001.00000002.23991596053.0000000002860000.00000002.00000001.sdmp, WMIC.exe, 0000000B.00000002.23545712891.0000024D3BC80000.00000002.00000001.sdmp, bcdedit.exe, 0000000C.00000002.23547614933.00000238FCF20000.00000002.00000001.sdmp, bcdedit.exe, 0000000D.00000002.23549457200.000001EED8E60000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: iLn0zUxScW.exe, 00000001.00000002.23991596053.0000000002860000.00000002.00000001.sdmp, WMIC.exe, 0000000B.00000002.23545712891.0000024D3BC80000.00000002.00000001.sdmp, bcdedit.exe, 0000000C.00000002.23547614933.00000238FCF20000.00000002.00000001.sdmp, bcdedit.exe, 0000000D.00000002.23549457200.000001EED8E60000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: iLn0zUxScW.exe, 00000001.00000002.23991596053.0000000002860000.00000002.00000001.sdmp, WMIC.exe, 0000000B.00000002.23545712891.0000024D3BC80000.00000002.00000001.sdmp, bcdedit.exe, 0000000C.00000002.23547614933.00000238FCF20000.00000002.00000001.sdmp, bcdedit.exe, 0000000D.00000002.23549457200.000001EED8E60000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe API call chain: ExitProcess graph end node graph_14-5406
Queries a list of all running processes
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\wbem\WMIC.exe System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Code function: 0_2_00018CE9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00018CE9
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Code function: 0_2_000195CB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_000195CB
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Code function: 0_2_00018238 SetUnhandledExceptionFilter, 0_2_00018238
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Code function: 0_2_00018CE9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00018CE9
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Code function: 0_2_00019936 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00019936
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe Code function: 14_2_00368238 SetUnhandledExceptionFilter, 14_2_00368238
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe Code function: 14_2_00368CE9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_00368CE9
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe Code function: 14_2_00369936 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_00369936

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh firewall set opmode mode=disable
May try to detect the Windows Explorer process (often used for injection)
Source: iLn0zUxScW.exe, 00000000.00000002.23964899407.00000000012D0000.00000002.00000001.sdmp, iLn0zUxScW.exe, 00000001.00000002.23991274028.0000000001350000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: iLn0zUxScW.exe, 00000000.00000002.23964899407.00000000012D0000.00000002.00000001.sdmp, iLn0zUxScW.exe, 00000001.00000002.23991274028.0000000001350000.00000002.00000001.sdmp Binary or memory string: Progman
Source: iLn0zUxScW.exe, 00000000.00000002.23964899407.00000000012D0000.00000002.00000001.sdmp, iLn0zUxScW.exe, 00000001.00000002.23991274028.0000000001350000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: iLn0zUxScW.exe, 00000000.00000002.23964899407.00000000012D0000.00000002.00000001.sdmp, iLn0zUxScW.exe, 00000001.00000002.23991274028.0000000001350000.00000002.00000001.sdmp Binary or memory string: Program Manager>

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Code function: GetTickCount,GetLocaleInfoW,CreateThread,CreateThread,Sleep,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,ReleaseMutex,CloseHandle, 0_2_0001210E
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe Code function: GetTickCount,GetLocaleInfoW,CreateThread,CreateThread,Sleep,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,ReleaseMutex,CloseHandle, 14_2_0036210E
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\iLn0zUxScW.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iLn0zUxScW.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Code function: 0_2_00018C3F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00018C3F
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Code function: 0_2_00012E4F GetVersion,GetCurrentProcess,OpenProcessToken,GetTokenInformation,FindCloseChangeNotification, 0_2_00012E4F
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\iLn0zUxScW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the Windows firewall
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off
Uses netsh to modify the Windows network and firewall settings
Source: unknown Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off

Behavior Graph

[Behavior graph figure not reproduced; recoverable contents follow.]
Behavior Graph ID: 156327, Sample: iLn0zUxScW, Startdate: 25/07/2019, Architecture: WINDOWS, Score: 100
Root-level signatures: Antivirus or Machine Learning detection for sample; Multi AV Scanner detection for submitted file; May disable shadow drive data (uses vssadmin); 5 other signatures
Root process tree: iLn0zUxScW.exe (1 registry value, 501 files) started, plus two further iLn0zUxScW.exe instances and 2 other processes
Files dropped by the first iLn0zUxScW.exe: C:\ProgramData\Microsoft\...\iLn0zUxScW.exe (PE32); {DDF571F2-BE98-426...khelp@qq.com].acute (DOS); AdobeARMHelper.exe...khelp@qq.com].acute (DOS); 66 other files (49 malicious)
Signatures on the first iLn0zUxScW.exe: Detected Phobos Ransomware; Creates files in the recycle bin to hide itself; Drops PE files to the startup folder; Writes many files with high entropy
Children of the first iLn0zUxScW.exe: cmd.exe (1), iLn0zUxScW.exe (1 registry value, 7 files), cmd.exe (1)
Signatures on the first cmd.exe: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); Uses bcdedit to modify the Windows boot settings
Children of the first cmd.exe: bcdedit.exe, bcdedit.exe, WMIC.exe, 2 other processes
Files dropped by the child iLn0zUxScW.exe: C:\Users\user\AppData\...\iLn0zUxScW.exe (PE32); C:\Users\user\AppData\Local\iLn0zUxScW.exe (PE32); two C:\Users\...\iLn0zUxScW.exe:Zone.Identifier streams (ASCII)
Children of the second cmd.exe: netsh.exe (3), netsh.exe (3), conhost.exe

Simulations

Behavior and APIs

Time      Type             Description
14:09:45  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run iLn0zUxScW C:\Users\user\AppData\Local\iLn0zUxScW.exe
14:09:50  API Interceptor  9x Sleep call for process: iLn0zUxScW.exe modified
14:09:54  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run iLn0zUxScW C:\Users\user\AppData\Local\iLn0zUxScW.exe
14:10:03