Windows Analysis Report
gfehgfwveg.exe

Overview

General Information

Sample name: gfehgfwveg.exe
Analysis ID: 1580519
MD5: 43ec2649e1b173b6e8b3800e18cceeb4
SHA1: e864b2d11a7c9c7497b22af930b31db1e2061244
SHA256: 4e906e880e35e4bc0de7e9375fc0feb5757374ca0bb628dff6366174536d6183
Tags: exe, user-SquiblydooBlog

Detection

DanaBot
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DanaBot stealer dll
AI detected suspicious sample
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Queries information about the installed CPU (vendor, model number etc)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Classification

  • System is w10x64
  • gfehgfwveg.exe (PID: 3948 cmdline: "C:\Users\user\Desktop\gfehgfwveg.exe" MD5: 43EC2649E1B173B6E8B3800E18CCEEB4)
    • cmd.exe (PID: 5908 cmdline: cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WMIC.exe (PID: 6520 cmdline: wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)
  • cleanup
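The only visible action in the tree above is the sample spawning cmd.exe /C wmic diskdrive ... get SerialNumber, a host-fingerprinting step the report tags as a VM-detection heuristic (the same query shows up under "Malware Analysis System Evasion" below as an IWbemServices::ExecQuery). A detection should key on the process chain rather than on the WQL itself: Win32_DiskDrive.DeviceID holds values such as \\.\PHYSICALDRIVE0, so WHERE DeviceID='c:' normally matches no instance and the command returns nothing useful to the malware. The script below is an added example, not Joe Sandbox code. It runs that rule over process-creation records constructed from the PIDs and command lines in this tree, plus a hypothetical interactive admin query that must not be flagged; the record layout is an assumption, not any real log schema.

```python
"""Flag WMIC disk-serial queries whose ancestor chain starts outside
C:\\Windows, i.e. the <dropped exe> -> cmd.exe /C ... -> WMIC.exe pattern
seen in this report. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (constructed shape, not a real schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; PIDs and command lines are the
# report's, the parent PID of the sample (1234) is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(3948, 1234, r"C:\Users\user\Desktop\gfehgfwveg.exe",
              r'"C:\Users\user\Desktop\gfehgfwveg.exe"'),
    ProcEvent(5908, 3948, r"C:\Windows\SysWOW64\cmd.exe",
              r'''cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value'''),
    ProcEvent(2876, 5908, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6520, 5908, r"C:\Windows\SysWOW64\wbem\WMIC.exe",
              r'''wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value'''),
    # Hypothetical benign case: an admin typing the query into an interactive
    # cmd.exe whose own parent is not in the export (ppid 900 unknown).
    ProcEvent(7000, 900, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(7001, 7000, r"C:\Windows\System32\wbem\WMIC.exe", "wmic diskdrive get SerialNumber"),
]

# wmic ... diskdrive ... serialnumber, in that order, any casing.
DISK_SERIAL_RE = re.compile(r"\bwmic\b.*\bdiskdrive\b.*\bserialnumber\b", re.IGNORECASE)
SYSTEM_PREFIX = "c:\\windows\\"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_disk_serial_chains(events, max_depth=3):
    """Return (wmic_pid, origin_pid, origin_image) for each WMIC disk-serial
    query whose ancestors, within max_depth hops, include an executable that
    does not live under C:\\Windows (a Desktop or %TEMP% drop, for instance).
    Chains that end in an unknown parent before leaving C:\\Windows are not
    reported, which is what keeps the interactive admin case quiet."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if _basename(ev.image) != "wmic.exe" or not DISK_SERIAL_RE.search(ev.cmdline):
            continue
        cur = ev
        for _ in range(max_depth):
            cur = by_pid.get(cur.ppid)
            if cur is None:
                break
            if not cur.image.lower().startswith(SYSTEM_PREFIX):
                hits.append((ev.pid, cur.pid, cur.image))
                break
    return hits


if __name__ == "__main__":
    for wmic_pid, origin_pid, origin in flag_disk_serial_chains(SAMPLE_EVENTS):
        print(f"WMIC pid {wmic_pid} traces back to pid {origin_pid}: {origin}")
```

Feeding real Sysmon Event ID 1 or EDR process telemetry into ProcEvent only requires mapping the four fields; the walk up the parent chain is what distinguishes the malware from an administrator running the same command by hand.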
Name: DanaBot
Description: Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
Attribution: SCULLY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
No configs have been found
Source | Rule | Description | Author
00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security
Process Memory Space: gfehgfwveg.exe PID: 3948 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: gfehgfwveg.exe PID: 3948 | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-24T20:58:13.887150+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49830 | 34.34.145.103 | 443 | TCP
2024-12-24T20:58:14.953488+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49831 | 34.169.99.17 | 443 | TCP
2024-12-24T20:58:16.044840+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49835 | 34.83.67.185 | 443 | TCP
2024-12-24T20:58:17.119157+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49838 | 35.195.45.98 | 443 | TCP
2024-12-24T20:59:18.664291+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49981 | 34.34.145.103 | 443 | TCP
2024-12-24T20:59:20.009982+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49985 | 34.169.99.17 | 443 | TCP
2024-12-24T20:59:21.083789+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49988 | 34.83.67.185 | 443 | TCP
2024-12-24T20:59:22.135469+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49991 | 35.195.45.98 | 443 | TCP

            AV Detection

Source: gfehgfwveg.exe | Avira: detected
Source: gfehgfwveg.exe | ReversingLabs: Detection: 55%
Source: Yara match | File source: 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gfehgfwveg.exe PID: 3948, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.5% probability
Source: gfehgfwveg.exe | Joe Sandbox ML: detected
Source: gfehgfwveg.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Code function: 0_2_0302E190 FindFirstFileW,FindClose,0_2_0302E190
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Code function: 0_2_0302DBC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0302DBC4

            Networking

Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:49830 -> 34.34.145.103:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:49831 -> 34.169.99.17:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:49838 -> 35.195.45.98:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:49835 -> 34.83.67.185:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:49981 -> 34.34.145.103:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:49988 -> 34.83.67.185:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:49991 -> 35.195.45.98:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.5:49985 -> 34.169.99.17:443
Source: Joe Sandbox View | ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS (reported 2 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 34.34.145.103 (reported 15 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 34.169.99.17 (reported 11 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 34.83.67.185 (reported 12 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 35.195.45.98 (reported 12 times)
Source: gfehgfwveg.exe, 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: gfehgfwveg.exe, 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: gfehgfwveg.exe, 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: gfehgfwveg.exe, 00000000.00000002.3889930307.000000006E66F000.00000040.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000002.3888275981.0000000063469000.00000040.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000003.2080229872.000000007EB1A000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000003.2075649868.000000007EB44000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/V
Source: gfehgfwveg.exe, 00000000.00000003.2074901686.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000002.3888275981.0000000063281000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: gfehgfwveg.exe, 00000000.00000003.2074901686.000000007ECF0000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000002.3888275981.0000000063281000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: unknown | Network traffic detected: HTTP traffic on port 443, in both directions, with local ports 49704, 49705, 49706, 49707, 49830, 49831, 49835, 49838, 49839, 49840, 49841, 49843, 49981, 49985, 49988, 49991
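Two facts in the Suricata table and the networking entries above can be recomputed from plain flow data rather than read off the IDS: the four 34.x/35.x addresses are reached over 443 without any DNS query having returned them (hard-coded C2 addresses), and each address is contacted twice, about 65 seconds apart. The script below is an added example, not Joe Sandbox or Suricata code. The DNS answers and flows are constructed to match this report (the windowsupdate entry is a hypothetical benign flow added for contrast), and the alert rows are copied from the table.

```python
"""Direct-to-IP TLS detection and beacon-interval estimation over the
network evidence in this report. Added example; flows and DNS answers are
constructed, alert rows are copied from the Suricata table above."""
from collections import defaultdict
from datetime import datetime

# Constructed DNS answers observed from the analysis VM. None of them covers
# the four C2 addresses, which is the whole point. The windowsupdate record
# is hypothetical filler, not something the report shows.
DNS_ANSWERS = {
    "ctldl.windowsupdate.com": {"13.107.4.50"},
}

# Constructed flows: (src_ip, src_port, dst_ip, dst_port). The first four
# use ports and addresses from the report; the last is the benign flow.
FLOWS = [
    ("192.168.2.5", 49830, "34.34.145.103", 443),
    ("192.168.2.5", 49831, "34.169.99.17", 443),
    ("192.168.2.5", 49835, "34.83.67.185", 443),
    ("192.168.2.5", 49838, "35.195.45.98", 443),
    ("192.168.2.5", 49704, "13.107.4.50", 443),
]

# Suricata alerts from the report: (timestamp, sid, dst_ip).
ALERTS = [
    ("2024-12-24T20:58:13.887150+0100", 2034465, "34.34.145.103"),
    ("2024-12-24T20:58:14.953488+0100", 2034465, "34.169.99.17"),
    ("2024-12-24T20:58:16.044840+0100", 2034465, "34.83.67.185"),
    ("2024-12-24T20:58:17.119157+0100", 2034465, "35.195.45.98"),
    ("2024-12-24T20:59:18.664291+0100", 2034465, "34.34.145.103"),
    ("2024-12-24T20:59:20.009982+0100", 2034465, "34.169.99.17"),
    ("2024-12-24T20:59:21.083789+0100", 2034465, "34.83.67.185"),
    ("2024-12-24T20:59:22.135469+0100", 2034465, "35.195.45.98"),
]


def direct_ip_connections(flows, dns_answers, ports=(443,)):
    """Destination IPs on the given ports that no DNS answer resolved to.
    A host that opens TLS sessions to addresses it never resolved is either
    carrying the addresses in its own configuration or using a resolver the
    sensor cannot see; both deserve a look."""
    resolved = set().union(*dns_answers.values()) if dns_answers else set()
    return sorted({dst for _, _, dst, dport in flows
                   if dport in ports and dst not in resolved})


def beacon_intervals(alerts, sid=2034465):
    """Seconds between successive alerts of one SID, per destination address.
    Alerts are assumed to be in chronological order, as in the report."""
    seen = defaultdict(list)
    for ts, alert_sid, dst in alerts:
        if alert_sid == sid:
            seen[dst].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"))
    return {dst: [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            for dst, times in seen.items()}


if __name__ == "__main__":
    print("TLS to unresolved addresses:", direct_ip_connections(FLOWS, DNS_ANSWERS))
    for dst, gaps in beacon_intervals(ALERTS).items():
        print(dst, [round(g, 1) for g in gaps])
```

With a longer capture the interval list per address is what you would feed into a jitter estimate; two samples, as here, are only enough to say the four addresses are polled as a group roughly once a minute.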

            E-Banking Fraud

Source: Yara match | File source: 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gfehgfwveg.exe PID: 3948, type: MEMORYSTR
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Code function: 0_2_034E525C LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory,0_2_034E525C
Source: gfehgfwveg.exe | Static PE information: Number of sections : 11 > 10
Source: gfehgfwveg.exe, 00000000.00000002.3889930307.000000006E66F000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ssleay32.dll vs gfehgfwveg.exe
Source: gfehgfwveg.exe, 00000000.00000002.3888275981.0000000063469000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename libeay32.dll vs gfehgfwveg.exe
Source: gfehgfwveg.exe, 00000000.00000003.2080229872.000000007EB1A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename ssleay32.dll vs gfehgfwveg.exe
Source: gfehgfwveg.exe, 00000000.00000002.3881473973.00000000025D8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename kernel32 vs gfehgfwveg.exe
Source: gfehgfwveg.exe, 00000000.00000003.2075649868.000000007EB44000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename libeay32.dll vs gfehgfwveg.exe
Source: gfehgfwveg.exe, 00000000.00000002.3886606090.0000000003824000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename kernel32 vs gfehgfwveg.exe
Source: gfehgfwveg.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal88.troj.evad.winEXE@6/0@0/4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (reported 4 times)
Source: C:\Users\user\Desktop\gfehgfwveg.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: gfehgfwveg.exe, 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: gfehgfwveg.exe, 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: gfehgfwveg.exe, 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: gfehgfwveg.exe, 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: gfehgfwveg.exe | ReversingLabs: Detection: 55%
Source: unknown | Process created: C:\Users\user\Desktop\gfehgfwveg.exe "C:\Users\user\Desktop\gfehgfwveg.exe"
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Section loaded: apphelp.dll, version.dll, netapi32.dll, winmm.dll, netutils.dll, winmmbase.dll, mmdevapi.dll, devobj.dll, ksuser.dll, kernel.appcore.dll, avrt.dll, audioses.dll, powrprof.dll, umpdc.dll, msacm32.dll, midimap.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, mpr.dll, wininet.dll, wsock32.dll, iphlpapi.dll, rasapi32.dll, rasman.dll, samcli.dll, avifil32.dll, msvfw32.dll, cryptui.dll, wtsapi32.dll, pstorec.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, mswsock.dll, winsta.dll, firewallapi.dll, dnsapi.dll, fwbase.dll, sxs.dll, fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: iphlpapi.dll, framedynos.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, msxml6.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, uxtheme.dll, vcruntime140.dll, amsi.dll, userenv.dll, profapi.dll, version.dll
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: gfehgfwveg.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: gfehgfwveg.exe | Static file information: File size 4276224 > 1048576
Source: gfehgfwveg.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3ec600
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Code function: 0_2_034E525C LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory,0_2_034E525C
Source: gfehgfwveg.exe | Static PE information: section name: .didata
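The static findings above (11 sections, the Delphi-specific .didata section, a .text larger than 1 MiB, and the file-header characteristics) need nothing beyond the DOS stub, the COFF file header and the section table. The code below is an added example, not Joe Sandbox's static engine; it parses those structures from raw bytes and evaluates the same predicates. The image it checks is constructed in build_sample(): the section count, the .didata name, the .text raw size 0x3ec600 and the characteristics flags are taken from this report, while the remaining section names and sizes are assumptions chosen to resemble a Delphi layout.

```python
"""Header-only PE walk for the static signatures in this report.
Added example; the sample image is constructed below, not the real file."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (subset relevant here).
COFF_FLAGS = {
    0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
# Section names produced by the usual MSVC/GCC toolchains; anything else
# (Delphi's .itext/.didata, packer names) counts as non-standard.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                   ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".debug"}


def parse_pe(data):
    """Return (characteristics, [(name, virtual_size, raw_size), ...]).
    Only the DOS header, PE signature, COFF header and section table are
    read; the optional header is skipped using its declared size."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, n_sections, _timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, _va, raw_size = struct.unpack_from("<8sIII", data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size))
    return characteristics, sections


def section_findings(data, max_sections=10, text_limit=0x100000):
    """The report's static checks as plain predicates over the parsed headers."""
    chars, sections = parse_pe(data)
    text_vsize, text_raw = next(((v, r) for n, v, r in sections if n == ".text"), (0, 0))
    return {
        "flags": [name for bit, name in COFF_FLAGS.items() if chars & bit],
        "section_count": len(sections),
        "more_than_usual": len(sections) > max_sections,
        "nonstandard_names": [n for n, _, _ in sections if n not in COMMON_SECTIONS],
        "text_oversized": text_vsize > text_limit or text_raw > text_limit,
    }


def build_sample():
    """Construct a header-only i386 image (no code, no optional header) that
    reproduces the report's counts; names other than .text/.didata and all
    sizes except .text are assumptions."""
    names = [".text", ".itext", ".data", ".bss", ".idata", ".didata",
             ".edata", ".tls", ".rdata", ".reloc", ".rsrc"]          # 11 sections
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x818E)
    table = b""
    for i, name in enumerate(names):
        size = 0x3EC600 if name == ".text" else 0x1000             # .text raw size from report
        table += struct.pack("<8sIIIIIIHHI", name.encode(), size, 0x1000 * (i + 1),
                             size, 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    for key, value in section_findings(build_sample()).items():
        print(f"{key}: {value}")
```

On a real file the same call is section_findings(open(path, "rb").read()); the OriginalFilename mismatch the report also lists lives in the VS_VERSIONINFO resource, which this header walk deliberately does not parse.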

            Hooking and other Techniques for Hiding and Protection

Source: gfehgfwveg.exe, 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000003.2071863727.000000007E870000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: torConnect
Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process information set: NOOPENFILEERRORBOX (reported 3 times)
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE DeviceID=\&apos;c:\&apos;
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE DeviceID=\&apos;c:\&apos;
            Source: C:\Users\user\Desktop\gfehgfwveg.exeWindow / User API: threadDelayed 9217Jump to behavior
            Source: C:\Users\user\Desktop\gfehgfwveg.exeWindow / User API: threadDelayed 783Jump to behavior
            Source: C:\Users\user\Desktop\gfehgfwveg.exeSystem information queried: CurrentTimeZoneInformationJump to behavior
            Source: C:\Users\user\Desktop\gfehgfwveg.exeSystem information queried: CurrentTimeZoneInformationJump to behavior
            Source: C:\Users\user\Desktop\gfehgfwveg.exeSystem information queried: CurrentTimeZoneInformationJump to behavior
            Source: C:\Users\user\Desktop\gfehgfwveg.exeSystem information queried: CurrentTimeZoneInformationJump to behavior
            Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Code function: 0_2_0302E190 FindFirstFileW,FindClose, 0_2_0302E190
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Code function: 0_2_0302DBC4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 0_2_0302DBC4
            Source: gfehgfwveg.exe, 00000000.00000003.2082354644.0000000000AB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: gfehgfwveg.exe, 00000000.00000002.3880702296.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | API call chain: ExitProcess graph end node graph_0-2563
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Code function: 0_2_034E525C LoadLibraryA,GetProcAddress,NtQueryVirtualMemory,NtQueryVirtualMemory, 0_2_034E525C
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
            Source: gfehgfwveg.exe, 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000003.2071863727.000000007E870000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerToolbarWindow32U
            Source: gfehgfwveg.exe, 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp, gfehgfwveg.exe, 00000000.00000003.2071863727.000000007E870000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: explorer.exeShell_TrayWnd
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 0_2_0302E2C8
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0302D768
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Code function: 0_2_034E583C GetVersionExW,GetVersionExW,LoadLibraryW, 0_2_034E583C
            Source: C:\Users\user\Desktop\gfehgfwveg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: gfehgfwveg.exe PID: 3948, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000000.00000003.2072119961.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.3883206719.0000000003039000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: gfehgfwveg.exe PID: 3948, type: MEMORYSTR

            MITRE ATT&CK Matrix (one column per tactic; a number in parentheses is the count of matched signatures mapped to that technique, cells without a number are unmatched matrix entries)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Process Injection (12) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Data from Local System | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (12) | LSASS Memory | Security Software Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Multi-hop Proxy (1) | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading (1) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Proxy (1) | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery (153) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
