Windows Analysis Report
Message.com.exe

Overview

General Information

Sample name: Message.com.exe
Analysis ID: 1608284
MD5: bcef8d693cf33e432f3cc3d4917d0459
SHA1: 99db6a903b7dc20a4c7a69811734bf4cb33ed9a5
SHA256: 0bc4f00a0df5a6efd1a768e22284ef93448c55f09f7ea54d75865e307419f52f
Tags: exe, user-TeamDreier

Detection

MyDoom
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MyDoom
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Tries to resolve many domain names, but no domain seems valid
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Connects to many different domains
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to search for IE or Outlook window (often done to steal information)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • Message.com.exe (PID: 7880 cmdline: "C:\Users\user\Desktop\Message.com.exe" MD5: BCEF8D693CF33E432F3CC3D4917D0459)
    • WerFault.exe (PID: 6944 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7880 -s 1400 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • lsass.exe (PID: 1384 cmdline: "C:\Windows\lsass.exe" MD5: BCEF8D693CF33E432F3CC3D4917D0459)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000C.00000002.3724542666.0000000000801000.00000040.00000001.01000000.00000006.sdmp | JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security |
00000001.00000002.1532213850.0000000000801000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security |
Process Memory Space: Message.com.exe PID: 7880 | JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security |
Process Memory Space: lsass.exe PID: 1384 | JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security |

Source | Rule | Description | Author | Strings
12.2.lsass.exe.800000.0.unpack | JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security |
1.2.Message.com.exe.800000.0.unpack | JoeSecurity_MyDoom | Yara detected MyDoom | Joe Security |

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\Message.com.exe, ProcessId: 7880, TargetFilename: C:\Windows\lsass.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Windows\lsass.exe", CommandLine: "C:\Windows\lsass.exe", CommandLine|base64offset|contains: , Image: C:\Windows\lsass.exe, NewProcessName: C:\Windows\lsass.exe, OriginalFileName: C:\Windows\lsass.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\lsass.exe", ProcessId: 1384, ProcessName: lsass.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\lsass.exe, ProcessId: 1384, TargetFilename: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\static\js\plugins\unified-share\WinRAR.v.3.2.and.key.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 103.168.172.222, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\lsass.exe, Initiated: true, ProcessId: 1384, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49997
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Windows\lsass.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Message.com.exe, ProcessId: 7880, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar
Source: Process started | Author: vburov | Data: Command: "C:\Windows\lsass.exe", CommandLine: "C:\Windows\lsass.exe", CommandLine|base64offset|contains: , Image: C:\Windows\lsass.exe, NewProcessName: C:\Windows\lsass.exe, OriginalFileName: C:\Windows\lsass.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\lsass.exe", ProcessId: 1384, ProcessName: lsass.exe
No Suricata rule has matched

AV Detection

Source: Message.com.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\tmp589D.tmp | Avira: detection malicious, Label: WORM/Agent
Source: C:\Users\user\AppData\Local\Temp\tmp154F.tmp | Avira: detection malicious, Label: WORM/Agent
Source: C:\Users\user\AppData\Local\Temp\tmp235D.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Users\user\AppData\Local\Temp\tmp623C.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Users\user\AppData\Local\Temp\tmp5F76.tmp | Avira: detection malicious, Label: WORM/Agent
Source: C:\Users\user\AppData\Local\Temp\tmp281C.tmp | Avira: detection malicious, Label: WORM/Agent
Source: C:\Users\user\AppData\Local\Temp\tmp10DD.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Users\user\AppData\Local\Temp\tmp8333.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Users\user\AppData\Local\Temp\tmp768B.tmp | Avira: detection malicious, Label: WORM/Agent
Source: C:\Users\user\AppData\Local\Temp\tmp8334.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Users\user\AppData\Local\Temp\tmp695C.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Users\user\AppData\Local\Temp\tmp60AC.tmp | Avira: detection malicious, Label: WORM/Agent
Source: C:\Users\user\AppData\Local\Temp\tmp5D24.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Users\user\AppData\Local\Temp\tmp5534.tmp | Avira: detection malicious, Label: WORM/Agent
Source: C:\Users\user\AppData\Local\Temp\tmp5668.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Users\user\AppData\Local\Temp\tmp1D44.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Users\user\AppData\Local\Temp\tmp279B.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Users\user\AppData\Local\Temp\tmp8690.tmp | Avira: detection malicious, Label: TR/BAS.Samca.zictf
Source: C:\Windows\lsass.exe | ReversingLabs: Detection: 97%
Source: Message.com.exe | Virustotal: Detection: 91%
Source: Message.com.exe | ReversingLabs: Detection: 97%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: C:\Users\user\AppData\Local\Temp\tmp589D.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp154F.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp235D.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp623C.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp5F76.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp281C.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp10DD.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp8333.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp768B.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp8334.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp695C.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp60AC.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp5D24.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp5534.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp5668.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp1D44.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp279B.tmp | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tmp8690.tmp | Joe Sandbox ML: detected
Source: Message.com.exe | Joe Sandbox ML: detected
Source: Message.com.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading

Source: Yara match | File source: 12.2.lsass.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Message.com.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3724542666.0000000000801000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1532213850.0000000000801000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Message.com.exe PID: 7880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: lsass.exe PID: 1384, type: MEMORYSTR
Source: C:\Users\user\Desktop\Message.com.exe | Code function: 1_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose
Source: C:\Windows\lsass.exe | Code function: 12_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\lsass.exe | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Networking

Source: unknown | Network traffic detected: DNS query count 56
Source: Joe Sandbox View | IP Address: 66.226.69.43
Source: C:\Users\user\Desktop\Message.com.exe | Code function: 1_2_00807983 Sleep,socket,connect,recv,htons,htons,htons,send,htons,recv,closesocket
Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
Source: lsass.exe, 0000000C.00000002.3723250343.000000000018D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://js.foundation
Source: lsass.exe, 0000000C.00000002.3723250343.000000000018D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://mochajs.org

              Spam, unwanted Advertisements and Ransom Demands

              barindex
              Source: Yara matchFile source: 12.2.lsass.exe.800000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.Message.com.exe.800000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000C.00000002.3724542666.0000000000801000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.1532213850.0000000000801000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Message.com.exe PID: 7880, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: lsass.exe PID: 1384, type: MEMORYSTR
              Source: C:\Users\user\Desktop\Message.com.exeFile created: C:\Windows\lsass.exeJump to behavior
              Source: C:\Users\user\Desktop\Message.com.exeFile created: C:\Windows\lsass.exeJump to behavior
              Source: C:\Users\user\Desktop\Message.com.exeFile created: C:\Windows\lsass.exe\:Zone.Identifier:$DATAJump to behavior
              Source: C:\Users\user\Desktop\Message.com.exeFile deleted: C:\Windows\lsass.exeJump to behavior
              Source: C:\Users\user\Desktop\Message.com.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7880 -s 1400
              Source: Message.com.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: Message.com.exeStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: lsass.exe.1.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp5668.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmpF92C.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmpF92B.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmpF92D.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp10DD.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmpE1F6.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp279B.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp235D.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp1D44.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmpEE11.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp695C.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp5D24.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp89DD.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp8690.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp623C.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp8333.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmp8334.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: tmpCAD8.tmp.12.drStatic PE information: Section: UPX1 ZLIB complexity 0.9924107142857143
              Source: classification engineClassification label: mal100.spre.troj.evad.winEXE@3/57@76/37
Source: C:\Windows\SysWOW64\WerFault.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7880
Source: C:\Windows\lsass.exe -- Mutant created: \Sessions\1\BaseNamedObjects\
Source: C:\Users\user\Desktop\Message.com.exe -- File created: C:\Users\user\AppData\Local\Temp\Ln20kJ4f.txt
Source: C:\Users\user\Desktop\Message.com.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Message.com.exe -- Virustotal: Detection: 91%
Source: Message.com.exe -- ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\Message.com.exe -- File read: C:\Users\user\Desktop\Message.com.exe
Source: unknown -- Process created: C:\Users\user\Desktop\Message.com.exe "C:\Users\user\Desktop\Message.com.exe"
Source: C:\Users\user\Desktop\Message.com.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7880 -s 1400
Source: unknown -- Process created: C:\Windows\lsass.exe "C:\Windows\lsass.exe"
Source: C:\Users\user\Desktop\Message.com.exe -- Sections loaded (in order): apphelp.dll, ntmarta.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll
Source: C:\Windows\lsass.exe -- Sections loaded (in order): apphelp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, wininet.dll, rasadhlp.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll, ntmarta.dll, dhcpcsvc6.dll, dhcpcsvc.dll
Source: C:\Users\user\Desktop\Message.com.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\Message.com.exe -- Code function: 1_2_00803108 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState
Source: C:\Users\user\Desktop\Message.com.exe -- Code function: 1_2_00807EE0 push eax; ret 1_2_00807F0E
Source: C:\Windows\lsass.exe -- Code function: 12_2_00807EE0 push eax; ret 12_2_00807F0E
Source: initial sample -- Static PE information: section name: UPX0 (20 occurrences)
Source: initial sample -- Static PE information: section name: UPX1 (20 occurrences)
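The UPX0/UPX1 section names and the near-1.0 "ZLIB complexity" figures above are the report's static packer indicators for the sample and the files it drops. The following Python is an added example, not code from the Joe Sandbox report or from the analysed sample: it walks a PE section table and scores each section by how far zlib can shrink it (compressed size divided by raw size). That ratio is this example's assumed stand-in for the report's ZLIB complexity metric, not the sandbox's own formula; the 0.90 threshold, the UPX0/UPX1/UPX2 name list and the PE-shaped image built for testing are likewise constructed for the example.

```python
import struct
import zlib
from random import Random

# Assumed: section names UPX leaves in packed binaries (UPX2 is optional).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Assumed threshold: a section zlib cannot shrink below 90% of its size is
# treated as already-compressed or encrypted payload rather than plain code.
HIGH_COMPLEXITY = 0.90


def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size. Returns 0.0 for an empty section such as
    UPX0, whose raw size is zero because it only reserves virtual space."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(pe: bytes) -> list[tuple[bytes, bytes]]:
    """Return (name, raw bytes) per section: follow e_lfanew to the PE
    signature, read the COFF header, skip the optional header, walk the
    40-byte section headers and slice each section's raw data."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packer_indicators(pe: bytes) -> list[str]:
    """One finding per UPX-named section and one per high-complexity
    section, phrased like the report's static PE rows."""
    findings = []
    for name, raw in parse_sections(pe):
        label = name.decode("ascii", "replace")
        if name in UPX_SECTION_NAMES:
            findings.append(f"section name: {label}")
        score = zlib_complexity(raw)
        if score >= HIGH_COMPLEXITY:
            findings.append(f"Section: {label} ZLIB complexity {score:.4f}")
    return findings


def build_fake_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed, minimal PE-shaped image for offline testing: DOS stub,
    PE signature, COFF header with no optional header, section table, raw
    data at 512-byte file alignment. Not loadable; not the analysed sample."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    headers_end = e_lfanew + 4 + len(coff) + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF
    table, body = bytearray(), bytearray()
    for name, data in sections:
        hdr = bytearray(40)
        hdr[:8] = name.ljust(8, b"\0")
        struct.pack_into("<II", hdr, 16, len(data), raw_base + len(body))
        table += hdr
        body += data
    image = dos + b"PE\0\0" + coff + table
    image += b"\0" * (raw_base - len(image))
    return bytes(image + body)


def sample_upx_like_image() -> bytes:
    """Constructed test input: empty UPX0, an incompressible UPX1 (seeded
    pseudo-random bytes stand in for packed code) and a repetitive .rsrc."""
    rnd = Random(1608284)
    return build_fake_pe([
        (b"UPX0", b""),
        (b"UPX1", rnd.randbytes(4096)),
        (b".rsrc", b"A" * 4096),
    ])


if __name__ == "__main__":
    for line in packer_indicators(sample_upx_like_image()):
        print(line)
```

Run it on a real file by passing `open(path, "rb").read()` to `packer_indicators`. The empty UPX0 section is the edge case worth keeping: a naive entropy or ratio routine divides by zero there, and UPX0 is exactly the section a packed binary always carries.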

              Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Message.com.exe -- File created: C:\Windows\lsass.exe
Source: unknown -- Executable created and started: C:\Windows\lsass.exe
Source: C:\Windows\lsass.exe -- Files created (dropped files under C:\Users\user\AppData\Local\Temp\): tmp235D.tmp, tmp8333.tmp, tmpF92C.tmp, tmpE1F6.tmp, tmpF92D.tmp
Source: C:\Users\user\Desktop\Message.com.exe -- File created: C:\Windows\lsass.exe
Source: C:\Windows\lsass.exe -- Files created (dropped files under C:\Users\user\AppData\Local\Temp\): tmp5D24.tmp, tmp279B.tmp, tmp8334.tmp, tmp8690.tmp, tmp89DD.tmp, tmp623C.tmp, tmp10DD.tmp, tmp5668.tmp, tmpF92B.tmp, tmp1D44.tmp, tmpEE11.tmp, tmp695C.tmp, tmpCAD8.tmp
Source: C:\Users\user\Desktop\Message.com.exe -- File created: C:\Windows\lsass.exe
Source: C:\Users\user\Desktop\Message.com.exe -- Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Traybar (reported twice)
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: NOOPENFILEERRORBOX (50 occurrences)
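The persistence rows above combine two indicators a hunter can check for mechanically: a binary with a Windows system-process name (lsass.exe) written to and started from C:\Windows instead of System32, and a Run key value (Traybar) created by the same dropper. The Python below is an added example of that detection logic, not the sandbox's Sigma rules or any code from the sample. Its event records are constructed to resemble the report's rows; the Run value data (the path Traybar points at) is an assumption, since the report shows only the value name. The system-process name list and the allow-listed directories are the example's own.

```python
import ntpath
from dataclasses import dataclass

# Assumed: image names Windows only runs from its own system directories,
# so a copy anywhere else is a masquerading indicator.
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "svchost.exe", "spoolsv.exe", "lsm.exe",
}
# Assumed allow-list of directories where those binaries legitimately live.
EXPECTED_SYSTEM_DIRS = {
    r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs",
}
RUN_KEY_MARKER = r"\microsoft\windows\currentversion\run"


@dataclass
class Event:
    source: str      # process that performed the action
    action: str      # "file_created" | "process_created" | "registry_set"
    target: str      # file path, image path, or registry key path
    name: str = ""   # registry value name (registry_set only)
    data: str = ""   # registry value data (registry_set only)


def is_misplaced_system_binary(path: str) -> bool:
    """True when the file name is a system-process name but the directory
    is not one of the expected system directories (case-insensitive)."""
    directory, base = ntpath.split(path.strip('"'))
    return (base.lower() in SYSTEM_PROCESS_NAMES
            and directory.lower() not in EXPECTED_SYSTEM_DIRS)


def image_from_command(data: str) -> str:
    """Image path from Run value data: a quoted path, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def analyze(events: list[Event]) -> list[tuple[str, str]]:
    """Two passes: collect misplaced system binaries that were written or
    started, then grade every Run-key write by whether it points at one."""
    findings = []
    misplaced = set()
    for ev in events:
        if ev.action in ("file_created", "process_created") and is_misplaced_system_binary(ev.target):
            misplaced.add(ev.target.strip('"').lower())
            findings.append(("system_file_location_anomaly", f"{ev.source} {ev.action} {ev.target}"))
    for ev in events:
        if ev.action == "registry_set" and RUN_KEY_MARKER in ev.target.lower():
            image = image_from_command(ev.data).lower()
            rule = "run_key_to_misplaced_system_binary" if image in misplaced else "run_key_persistence"
            findings.append((rule, f"{ev.target}\\{ev.name} = {ev.data}"))
    return findings


# Constructed events shaped like the report's persistence rows, plus two
# benign control rows (the real LSASS image and a vendor updater in Run).
SAMPLE_EVENTS = [
    Event(r"C:\Users\user\Desktop\Message.com.exe", "file_created", r"C:\Windows\lsass.exe"),
    Event("unknown", "process_created", r"C:\Windows\lsass.exe"),
    Event(r"C:\Windows\lsass.exe", "file_created", r"C:\Users\user\AppData\Local\Temp\tmp235D.tmp"),
    Event(r"C:\Users\user\Desktop\Message.com.exe", "registry_set",
          r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
          name="Traybar", data=r"C:\Windows\lsass.exe"),   # value data is assumed
    Event("unknown", "process_created", r"C:\Windows\System32\lsass.exe"),
    Event(r"C:\Program Files\Vendor\setup.exe", "registry_set",
          r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
          name="VendorUpdate", data=r'"C:\Program Files\Vendor\update.exe" /quiet'),
]


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The correlation step is the point: a Run key on its own is noisy, and a system-named file outside System32 on its own is a strong but context-free signal; a Run value that resolves to such a file is the combination worth paging on. Feed the function with events from Sysmon (event IDs 11, 1 and 13) after mapping them onto the `Event` shape.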

              Malware Analysis System Evasion

Source: C:\Windows\lsass.exe -- Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_12-2044)
Source: C:\Windows\lsass.exe -- Evasive API call chain: CreateMutex,DecisionNodes,Sleep (graph_12-2044)
Source: C:\Users\user\Desktop\Message.com.exe -- Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_1-2064)
Source: C:\Windows\lsass.exe -- Window / User API: threadDelayed 4058
Source: C:\Windows\lsass.exe -- Window / User API: threadDelayed 4987
Source: C:\Users\user\Desktop\Message.com.exe -- Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_1-2590)
Source: C:\Windows\lsass.exe -- Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_12-2869)
Source: C:\Windows\lsass.exe -- Dropped PE files which have not been started (18 files under C:\Users\user\AppData\Local\Temp\): tmp235D.tmp, tmp8333.tmp, tmpF92C.tmp, tmpE1F6.tmp, tmpF92D.tmp, tmp5D24.tmp, tmp279B.tmp, tmp8334.tmp, tmp8690.tmp, tmp89DD.tmp, tmp623C.tmp, tmp10DD.tmp, tmp5668.tmp, tmp1D44.tmp, tmpF92B.tmp, tmpEE11.tmp, tmpCAD8.tmp, tmp695C.tmp
Source: C:\Users\user\Desktop\Message.com.exe TID: 7884 -- Thread sleep time: -99000s >= -30000s
Source: C:\Windows\lsass.exe TID: 2968 -- Thread sleep count: 4058 > 30
Source: C:\Windows\lsass.exe TID: 2968 -- Thread sleep time: -3449300s >= -30000s
Source: C:\Windows\lsass.exe TID: 1516 -- Thread sleep count: 42 > 30
Source: C:\Windows\lsass.exe TID: 1516 -- Thread sleep count: 44 > 30
Source: C:\Windows\lsass.exe TID: 1516 -- Thread sleep count: 115 > 30
Source: C:\Windows\lsass.exe TID: 1516 -- Thread sleep count: 269 > 30
Source: C:\Windows\lsass.exe TID: 2968 -- Thread sleep count: 4987 > 30
Source: C:\Windows\lsass.exe TID: 2968 -- Thread sleep time: -4238950s >= -30000s
Source: C:\Users\user\Desktop\Message.com.exe -- Code function: 1_2_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h
Source: C:\Windows\lsass.exe -- Code function: 12_2_00805247 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00805288h
Source: C:\Users\user\Desktop\Message.com.exe -- Code function: 1_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose
Source: C:\Windows\lsass.exe -- Code function: 12_2_00804D32 lstrcat,Sleep,lstrcpy,lstrcpy,CharLowerA,strstr,strstr,strstr,strstr,strstr,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose
Source: C:\Users\user\Desktop\Message.com.exe -- Thread delayed: delay time: 99000
Source: C:\Windows\lsass.exe -- File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\lsass.exe -- File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\lsass.exe -- File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\lsass.exe -- File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\lsass.exe -- File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\lsass.exe -- File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.10.dr -- Binary or memory string: VMware
Source: Amcache.hve.10.dr -- Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr -- Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr -- Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr -- Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr -- Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr -- Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr -- Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr -- Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr -- Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr -- Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr -- Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 0000000C.00000002.3723551128.0000000000612000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.10.dr -- Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr -- Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr -- Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr -- Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr -- Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Message.com.exe, 00000001.00000002.1531876401.000000000042E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: Amcache.hve.10.dr -- Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr -- Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr -- Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr -- Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr -- Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr -- Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr -- Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr -- Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr -- Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr -- Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr -- Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Message.com.exe -- API call chain: ExitProcess graph end node (graph_1-2014)
Source: C:\Windows\lsass.exe -- API call chain: ExitProcess graph end node (graph_12-2030)
Source: C:\Users\user\Desktop\Message.com.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\Message.com.exe -- Code function: 1_2_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,LdrInitializeThunk,LdrInitializeThunk,accept,Sleep,free
Source: C:\Users\user\Desktop\Message.com.exe -- Code function: 1_2_00803108 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState
Source: C:\Users\user\Desktop\Message.com.exe -- Code function: 1_2_0080418A strlen,lstrcmpiA,lstrlen,GetProcessHeap,RtlAllocateHeap,memset,GetTickCount,_mbscpy
Source: C:\Users\user\Desktop\Message.com.exe -- Code function: 1_2_00802DB3 lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA
Source: Amcache.hve.10.dr -- Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr -- Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr -- Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr -- Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\Message.com.exe -- Code function: 1_2_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread
Source: C:\Windows\lsass.exe -- Code function: 12_2_00802C72 FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetFileAttributesA,CreateThread,CreateThread,Sleep,CreateThread,Sleep,CreateThread,Sleep
Source: C:\Windows\lsass.exe -- Code function: 12_2_00807D81 malloc,memset,htons,htons,socket,socket,bind,closesocket,Sleep,htons,socket,bind,listen,CreateThread,CreateThread,malloc,memset,accept,Sleep,free
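Two of the evasion signatures above are produced by aggregating an API trace: the per-thread Sleep counts and totals ("Thread sleep count: 4058 > 30", "Thread sleep time: -3449300s") and the CreateMutex -> decision -> ExitProcess/Sleep chain, which is the classic single-instance guard a sandbox sees as an early exit. The Python below is an added example of both aggregations, not the sandbox's own engine or any code from the sample. Its trace is constructed: thread 2968 issues 4058 Sleep calls of 850 ms each, which reproduces the 3449300 figure in the report (the 850 ms per-call split is the example's assumption, as is the 30-call and 30000 ms threshold pair and the 8-call chain window); the mutex name is a placeholder because the report's mutant row is blank.

```python
from collections import defaultdict
from dataclasses import dataclass

SLEEP_COUNT_THRESHOLD = 30         # assumed; mirrors "Thread sleep count: N > 30"
SLEEP_TOTAL_THRESHOLD_MS = 30_000  # assumed; mirrors the 30000 figure in the report
ERROR_ALREADY_EXISTS = 183         # Win32 error CreateMutex sets when the mutex is held
CHAIN_WINDOW = 8                   # assumed: calls examined after CreateMutex on one thread


@dataclass
class Call:
    tid: int
    api: str
    args: tuple = ()
    ret: int = 0


def sleep_stats(trace: list[Call]) -> dict[int, tuple[int, int]]:
    """Per-thread (Sleep call count, total milliseconds requested)."""
    count, total = defaultdict(int), defaultdict(int)
    for c in trace:
        if c.api == "Sleep":
            count[c.tid] += 1
            total[c.tid] += int(c.args[0])
    return {tid: (count[tid], total[tid]) for tid in count}


def flag_sleep_evasion(trace: list[Call]) -> list[str]:
    """Emit one line per threshold crossed, phrased like the report's rows."""
    out = []
    for tid, (n, ms) in sorted(sleep_stats(trace).items()):
        if n > SLEEP_COUNT_THRESHOLD:
            out.append(f"TID {tid}: thread sleep count: {n} > {SLEEP_COUNT_THRESHOLD}")
        if ms >= SLEEP_TOTAL_THRESHOLD_MS:
            out.append(f"TID {tid}: thread sleep time: {ms} ms >= {SLEEP_TOTAL_THRESHOLD_MS} ms")
    return out


def mutex_guard_chains(trace: list[Call]) -> list[tuple[int, str, str, bool]]:
    """For each CreateMutex*, look ahead CHAIN_WINDOW calls on the same
    thread; report the first ExitProcess or Sleep found and whether a
    GetLastError in that window returned ERROR_ALREADY_EXISTS."""
    by_tid = defaultdict(list)
    for c in trace:
        by_tid[c.tid].append(c)
    chains = []
    for tid, calls in by_tid.items():
        for i, c in enumerate(calls):
            if not c.api.startswith("CreateMutex"):
                continue
            window = calls[i + 1:i + 1 + CHAIN_WINDOW]
            already = any(w.api == "GetLastError" and w.ret == ERROR_ALREADY_EXISTS for w in window)
            for w in window:
                if w.api in ("ExitProcess", "Sleep"):
                    chains.append((tid, c.args[0] if c.args else "", w.api, already))
                    break
    return chains


def constructed_trace() -> list[Call]:
    """Constructed API trace, not sandbox output: thread 1516 finds its
    mutex already held and exits; thread 7 creates a fresh mutex and carries
    on; thread 2968 loops on Sleep(850) 4058 times."""
    t = [
        Call(1516, "CreateMutexA", ("constructed_mutex_name",), ret=0x1C0),
        Call(1516, "GetLastError", ret=ERROR_ALREADY_EXISTS),
        Call(1516, "CloseHandle", (0x1C0,), ret=1),
        Call(1516, "ExitProcess", (0,)),
        Call(7, "CreateMutexA", ("constructed_mutex_name",), ret=0x1C4),
        Call(7, "GetLastError", ret=0),
        Call(7, "CreateThread", ret=0x1C8),
    ]
    t.extend(Call(2968, "Sleep", (850,)) for _ in range(4058))
    return t


if __name__ == "__main__":
    trace = constructed_trace()
    for line in flag_sleep_evasion(trace):
        print(line)
    for tid, name, terminal, held in mutex_guard_chains(trace):
        print(f"TID {tid}: CreateMutex({name!r}) -> {terminal} (already existed: {held})")
```

The `already` flag is what separates an evasive chain from a benign one: a process that exits right after CreateMutex because the mutex already exists is behaving like a second instance, and in a fresh sandbox that usually means the sample recognised an environment marker or a previously run copy. Hook the same functions up to a Frida or API Monitor export by mapping each record to a `Call`.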
              ATT&CK Matrix (one line per tactic; a number before a technique is the report's signature-count badge for that technique)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
              Execution: 11 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
              Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
              Privilege Escalation: 1 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
              Defense Evasion: 22 Masquerading; 21 Virtualization/Sandbox Evasion; 1 Process Injection; 11 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; 1 File Deletion
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
              Discovery: 12 System Time Discovery; 131 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 2 System Information Discovery; Remote System Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
              Collection: 1 Email Collection; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
              Command and Control: 1 Non-Standard Port; 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
              Behavior Graph (ID: 1608284, Sample: Message.com.exe, Startdate: 06/02/2025, Architecture: WINDOWS, Score: 100)

              Start: contacts tootallnate.net, theriver.com and 56 other IPs or domains; signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 9 other signatures
              Start -> lsass.exe (started): contacts onlineconnections.com.au 192.254.190.168 port 25 (UNIFIEDLAYER-AS-1US, United States), theriver.com 20.172.142.146 port 25 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and 36 other IPs or domains; drops C:\Users\user\AppData\Local\...\tmpF92D.tmp (PE32), C:\Users\user\AppData\Local\...\tmpF92C.tmp (PE32), C:\Users\user\AppData\Local\...\tmpF92B.tmp (PE32) and 33 other malicious files; signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex)
              Start -> Message.com.exe (started): contacts 166.24.27.20 (ports 1042, 49706; CSC-IGN-AMERUS, United States), 24.205.183.198 (ports 1042, 49855; CHARTER-20115US, United States); drops C:\Windows\lsass.exe (PE32), C:\Windows\lsass.exe:Zone.Identifier (ASCII); signature: Drops PE files with benign system names; starts WerFault.exe
              Message.com.exe -> WerFault.exe (started): drops C:\ProgramData\Microsoft\...\Report.wer (Unicode)
