Windows Analysis Report
ZZZ.exe

Overview

General Information

Sample name: ZZZ.exe
Analysis ID: 1628816
MD5: 251e30e29faa506abc52c7e33fdcc4c4
SHA1: a4ac1478c5d6d6891a0e1b9b69f5f22b3f5d3885
SHA256: 7050cc8d9b71adb30ccacede8a630923cc78c7d8e6c66fdbc86eb63c24f92caa
Tags: exe, user-skocherhan

Detection

AveMaria, Clipboard Hijacker, StormKitty
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AveMaria stealer
Yara detected Clipboard Hijacker
Yara detected StormKitty Stealer
Check if machine is in data center or colocation facility
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ZZZ.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\ZZZ.exe" MD5: 251E30E29FAA506ABC52C7E33FDCC4C4)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
ZZZ.exe | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen
  • 0x45b84:$x2: https://github.com/LimerBoy/StormKitty
  • 0x449cd:$x3: StormKitty
  • 0x4551c:$x3: StormKitty
  • 0x45b74:$x3: StormKitty
  • 0x45ba0:$x3: StormKitty
Source | Rule | Description | Author | Strings
00000000.00000002.4482508613.0000000003910000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen
  • 0x67181:$x2: https://github.com/LimerBoy/StormKitty
  • 0x23ac:$x3: StormKitty
  • 0x652c1:$x3: StormKitty
  • 0x67171:$x3: StormKitty
  • 0x6719d:$x3: StormKitty
00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security
00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Clipboard_Hijacker_4 | Yara detected Clipboard Hijacker | Joe Security
00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
(4 of 6 entries shown)
Source | Rule | Description | Author | Strings
0.0.ZZZ.exe.fa0000.0.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen
  • 0x45b84:$x2: https://github.com/LimerBoy/StormKitty
  • 0x449cd:$x3: StormKitty
  • 0x4551c:$x3: StormKitty
  • 0x45b74:$x3: StormKitty
  • 0x45ba0:$x3: StormKitty
0.2.ZZZ.exe.3910000.1.raw.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen
  • 0x67181:$x2: https://github.com/LimerBoy/StormKitty
  • 0x23ac:$x3: StormKitty
  • 0x652c1:$x3: StormKitty
  • 0x67171:$x3: StormKitty
  • 0x6719d:$x3: StormKitty
0.2.ZZZ.exe.3910000.1.unpack | MALWARE_Win_StormKitty | Detects StormKitty infostealer | ditekSHen
  • 0x64381:$x2: https://github.com/LimerBoy/StormKitty
  • 0x5ac:$x3: StormKitty
  • 0x624c1:$x3: StormKitty
  • 0x64371:$x3: StormKitty
  • 0x6439d:$x3: StormKitty
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T06:33:30.831083+0100 | 2044965 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 185.199.109.133 | 443 | TCP
2025-03-04T06:33:30.831083+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 185.199.109.133 | 443 | TCP

AV Detection

Source: ZZZ.exe | Avira: detected
Source: ZZZ.exe | Virustotal: Detection: 75%
Source: ZZZ.exe | ReversingLabs: Detection: 76%
Source: Yara match | File source: 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZZZ.exe PID: 6352, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: ZZZ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2044965 - Severity 1 - ET MALWARE StormKitty Download Request With Minimal Headers : 192.168.2.5:49706 -> 185.199.109.133:443
Source: global traffic | TCP traffic: 192.168.2.5:50788 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1 | Host: raw.githubusercontent.com
Source: global traffic | HTTP traffic detected: GET /LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 185.199.109.133:443
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Length: 14 | Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox | Strict-Transport-Security: max-age=31536000 | X-Content-Type-Options: nosniff | X-Frame-Options: deny | X-XSS-Protection: 1; mode=block | Content-Type: text/plain; charset=utf-8 | X-GitHub-Request-Id: 8F70:28B767:15245B:1BEA9D:67C690A6 | Accept-Ranges: bytes | Date: Tue, 04 Mar 2025 05:33:28 GMT | Via: 1.1 varnish | X-Served-By: cache-ewr-kewr1740077-EWR | X-Cache: MISS | X-Cache-Hits: 0 | X-Timer: S1741066408.147151,VS0,VE10 | Vary: Authorization,Accept-Encoding,Origin | Access-Control-Allow-Origin: * | Cross-Origin-Resource-Policy: cross-origin | X-Fastly-Request-ID: f64fa7dca3157116c772fb3dca470eeacc07fb0d | Expires: Tue, 04 Mar 2025 05:38:28 GMT | Source-Age: 0
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Length: 14 | Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox | Strict-Transport-Security: max-age=31536000 | X-Content-Type-Options: nosniff | X-Frame-Options: deny | X-XSS-Protection: 1; mode=block | Content-Type: text/plain; charset=utf-8 | X-GitHub-Request-Id: 8F70:28B767:15245B:1BEA9D:67C690A6 | Accept-Ranges: bytes | Date: Tue, 04 Mar 2025 05:33:30 GMT | Via: 1.1 varnish | X-Served-By: cache-ewr-kewr1740026-EWR | X-Cache: HIT | X-Cache-Hits: 1 | X-Timer: S1741066411.783168,VS0,VE1 | Vary: Authorization,Accept-Encoding,Origin | Access-Control-Allow-Origin: * | Cross-Origin-Resource-Policy: cross-origin | X-Fastly-Request-ID: 18894c5105b51d21133c89e1038d43048551abc8 | Expires: Tue, 04 Mar 2025 05:38:30 GMT | Source-Age: 3
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Length: 14 | Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox | Strict-Transport-Security: max-age=31536000 | X-Content-Type-Options: nosniff | X-Frame-Options: deny | X-XSS-Protection: 1; mode=block | Content-Type: text/plain; charset=utf-8 | X-GitHub-Request-Id: 8F70:28B767:15245B:1BEA9D:67C690A6 | Accept-Ranges: bytes | Date: Tue, 04 Mar 2025 05:33:33 GMT | Via: 1.1 varnish | X-Served-By: cache-ewr-kewr1740034-EWR | X-Cache: HIT | X-Cache-Hits: 1 | X-Timer: S1741066413.352028,VS0,VE1 | Vary: Authorization,Accept-Encoding,Origin | Access-Control-Allow-Origin: * | Cross-Origin-Resource-Policy: cross-origin | X-Fastly-Request-ID: 9ebcdb84edf8e9e16f07a1117d3cbad2e1966f7c | Expires: Tue, 04 Mar 2025 05:38:33 GMT | Source-Age: 5
Source: ZZZ.exe, 00000000.00000002.4482618110.0000000004141000.00000004.00000800.00020000.00000000.sdmp, ZZZ.exe, 00000000.00000002.4482618110.00000000041CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: ZZZ.exe, 00000000.00000002.4482618110.0000000004141000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=h
Source: ZZZ.exe, 00000000.00000002.4482618110.0000000004141000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: ZZZ.exe, 00000000.00000002.4482618110.0000000004263000.00000004.00000800.00020000.00000000.sdmp, ZZZ.exe, 00000000.00000002.4482618110.00000000042D6000.00000004.00000800.00020000.00000000.sdmp, ZZZ.exe, 00000000.00000002.4482618110.0000000004285000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: ZZZ.exe, 00000000.00000002.4482618110.0000000004141000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ZZZ.exe | String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: ZZZ.exe, 00000000.00000002.4482618110.00000000042D6000.00000004.00000800.00020000.00000000.sdmp, ZZZ.exe, 00000000.00000002.4482618110.0000000004285000.00000004.00000800.00020000.00000000.sdmp, ZZZ.exe, 00000000.00000002.4482618110.000000000424F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.
Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.5:49705 version: TLS 1.2

E-Banking Fraud

Source: Yara match | File source: 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZZZ.exe PID: 6352, type: MEMORYSTR

System Summary

Source: ZZZ.exe, type: SAMPLE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.0.ZZZ.exe.fa0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.ZZZ.exe.3910000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.ZZZ.exe.3910000.1.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000000.00000002.4482508613.0000000003910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: ZZZ.exe PID: 6352, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\Desktop\ZZZ.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F30568 0_2_00007FF848F30568
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F3089D 0_2_00007FF848F3089D
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F3B745 0_2_00007FF848F3B745
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F38E97 0_2_00007FF848F38E97
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F336D3 0_2_00007FF848F336D3
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F30500 0_2_00007FF848F30500
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F3B93E 0_2_00007FF848F3B93E
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F335F2 0_2_00007FF848F335F2
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F331F2 0_2_00007FF848F331F2
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F3E411 0_2_00007FF848F3E411
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F3B8F4 0_2_00007FF848F3B8F4
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F37744 0_2_00007FF848F37744
Source: ZZZ.exe | Static PE information: No import functions for PE file found
Source: ZZZ.exe, 00000000.00000002.4482508613.0000000003910000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameStormKitty.exe* vs ZZZ.exe
Source: ZZZ.exe | Binary or memory string: OriginalFilenameStormKitty.exe* vs ZZZ.exe
Source: ZZZ.exe, type: SAMPLE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.0.ZZZ.exe.fa0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.ZZZ.exe.3910000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.ZZZ.exe.3910000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000000.00000002.4482508613.0000000003910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: ZZZ.exe PID: 6352, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: ZZZ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@2/2
Source: C:\Users\user\Desktop\ZZZ.exe | File created: C:\Users\user\AppData\Local\3b4f422e560a993ae537dc8128f83b85
Source: C:\Users\user\Desktop\ZZZ.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\ZZZ.exe | Mutant created: \Sessions\1\BaseNamedObjects\09B668B429A4BF3829B4833B450D1584
Source: C:\Users\user\Desktop\ZZZ.exe | File created: C:\Users\user\AppData\Local\Temp\StormKitty-Latest.log
Source: ZZZ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZZZ.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\ZZZ.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (4 occurrences)
Source: C:\Users\user\Desktop\ZZZ.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ZZZ.exe | Virustotal: Detection: 75%
Source: ZZZ.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ZZZ.exe | Section loaded: wintypes.dll (3 occurrences)
Source: C:\Users\user\Desktop\ZZZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\ZZZ.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: ZZZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ZZZ.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: ZZZ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F3B234 push 00000019h; ret 0_2_00007FF848F3B236
Source: C:\Users\user\Desktop\ZZZ.exe | Code function: 0_2_00007FF848F3731C pushad ; ret 0_2_00007FF848F373CD
Source: ZZZ.exe | Static PE information: section name: .text entropy: 7.985393829764091
Source: C:\Users\user\Desktop\ZZZ.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\ZZZ.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot (2 occurrences)
Source: C:\Users\user\Desktop\ZZZ.exe | Process information set: NOOPENFILEERRORBOX (55 occurrences)

          Malware Analysis System Evasion

          Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
          Source: C:\Users\user\Desktop\ZZZ.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000004243000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\ZZZ.exe Memory allocated: 38D0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\ZZZ.exe Memory allocated: 1BDC0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 600000
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 599890
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 599765
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 599656
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 599546
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 599432
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 599303
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 599185
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 599078
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 598968
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 598859
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 598750
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 598640
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 598531
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 598421
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 598312
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 598203
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 598093
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 597984
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 597875
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 597754
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 597640
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 597531
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 597421
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 597312
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 597203
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 597093
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 596984
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 596875
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 596765
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 596656
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 596547
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 596437
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 596328
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 596218
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 596109
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 596000
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 595890
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 595781
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 595671
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 595562
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 595453
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 595343
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 595234
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 595125
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 595015
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 594906
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 594796
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 594687
          Source: C:\Users\user\Desktop\ZZZ.exe Thread delayed: delay time: 594578
          Source: C:\Users\user\Desktop\ZZZ.exe Window / User API: threadDelayed 1348
          Source: C:\Users\user\Desktop\ZZZ.exe Window / User API: threadDelayed 8491
          Source: C:\Users\user\Desktop\ZZZ.exe API coverage: 6.7 %
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -24903104499507879s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -600000s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -599890s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -599765s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -599656s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -599546s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -599432s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -599303s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -599185s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -599078s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -598968s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -598859s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -598750s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -598640s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -598531s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -598421s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -598312s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -598203s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -598093s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -597984s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -597875s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -597754s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -597640s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -597531s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -597421s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -597312s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -597203s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -597093s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -596984s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -596875s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -596765s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -596656s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -596547s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -596437s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -596328s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -596218s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -596109s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -596000s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -595890s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -595781s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -595671s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -595562s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -595453s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -595343s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -595234s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -595125s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -595015s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -594906s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -594796s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -594687s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe TID: 2928 Thread sleep time: -594578s >= -30000s
          Source: C:\Users\user\Desktop\ZZZ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
          Source: C:\Users\user\Desktop\ZZZ.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000004243000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VirtualMachine:
          Source: ZZZ.exe, 00000000.00000002.4486114505.000000001EC44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\ZZZ.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\ZZZ.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\ZZZ.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\ZZZ.exe Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\ZZZ.exe Queries volume information: C:\Users\user\Desktop\ZZZ.exe VolumeInformation
          Source: C:\Users\user\Desktop\ZZZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match, file source: 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: Process Memory Space: ZZZ.exe PID: 6352, type: MEMORYSTR
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Electrum
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Jaxx5
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Ethereum\keystore
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Exodus
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Ethereum
          Source: ZZZ.exe, 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets
          Source: Yara match, file source: 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: Process Memory Space: ZZZ.exe PID: 6352, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match, file source: 00000000.00000002.4482618110.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: Process Memory Space: ZZZ.exe PID: 6352, type: MEMORYSTR
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (121) | DLL Side-Loading (1) | DLL Side-Loading (1) | Masquerading (1) | OS Credential Dumping | Query Registry (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (331) | Remote Desktop Protocol | Data from Local System (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (161) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (2) | NTDS | Virtualization/Sandbox Evasion (161) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (2) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Network Configuration Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (23) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
