Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
Analysis ID:	1632574
MD5:	4864dd1c69d3fa10d608c2483be1219a
SHA1:	7cf739e0812972172cb321335aeb33cc527f08aa
SHA256:	a56fc16a195fe09b8a210ce413f2519b52a13acc3709ce1528e616da0037506f
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Joe Sandbox ML detected suspicious sample

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe" MD5: 4864DD1C69D3FA10D608C2483BE1219A)

Extended-Training-Mode.exe (PID: 8160 cmdline: "C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe" MD5: D1B0632E0B415DADA059CD8917FF9096)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7224 cmdline: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

curl.exe (PID: 7260 cmdline: curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

cleanup

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, CommandLine: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe, ParentProcessId: 8160, ParentProcessName: Extended-Training-Mode.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, ProcessId: 7224, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, CommandLine: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe, ParentProcessId: 8160, ParentProcessName: Extended-Training-Mode.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest, ProcessId: 7224, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Virustotal: Detection: 40%			Perma Link
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	ReversingLabs: Detection: 34%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 140.82.121.6:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.4:49722 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\Extended-Training-Mode-DLL.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode.exe.0.dr
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb)) source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Source: Joe Sandbox View	IP Address: 140.82.121.5 140.82.121.5
Source: Joe Sandbox View	IP Address: 140.82.121.6 140.82.121.6

Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edge HTTP/1.1User-Agent: GitHubAPIHost: api.github.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest HTTP/1.1Host: api.github.comUser-Agent: curl/7.83.1Accept: /

Source: global traffic

DNS traffic detected: DNS query: api.github.com

Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gi
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gith
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296614135.00000000004F8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://api.github
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.0000000000745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000003.1290769224.0000000000774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/178534780
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/178534780/assets
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1297343013.0000000000774000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1297343013.0000000000774000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/assets
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/assets/197093556
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1297343013.0000000000774000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/assets/233845108
Source: curl.exe, 00000009.00000002.1329557755.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328736616.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest
Source: curl.exe, 00000009.00000002.1329557755.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest-
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest2
Source: Extended-Training-Mode.exe, 00000006.00000003.1334762807.0000000001C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestC:
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestI
Source: curl.exe, 00000009.00000002.1329557755.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1329457040.0000000002F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestWinsta0
Source: curl.exe, 00000009.00000002.1329557755.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1329457040.0000000002F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latestcurl
Source: Extended-Training-Mode.exe.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latesthttps://github.c
Source: curl.exe, 00000009.00000002.1329557755.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latesto
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.0000000000745000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1297343013.0000000000774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edge
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edge$
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edge:
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.0000000000745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edge=
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edgeInte
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000003.1290769224.0000000000774000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1297343013.0000000000774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edgeM
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edgec
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/tags/bleeding-edgeh
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1297343013.0000000000774000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/tarball/bleeding-edge
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1327921065.0000000003114000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328330523.0000000003114000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328121147.0000000003114000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/tarball/v2.0
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/tarball/v2.0534780/asset
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1297343013.0000000000774000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/zipball/bleeding-edge
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1327921065.0000000003114000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328330523.0000000003114000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328121147.0000000003114000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/zipball/v2.0
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/events
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/followers
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/following
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/gists
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/orgs
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/received_events
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/repos
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/starred
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.github.com/users/fangdreth/subscriptions
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/events
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/followers
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/following
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/gists
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/orgs
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/received_events
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/repos
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/starred
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://api.github.com/users/github-actions%5Bbot%5D/subscriptions
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296614135.00000000004F8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://api.github/use
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://avatars.githubusercontent.com/in/15368?v=4
Source: curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.githubusercontent.com/u/61390904?v=4
Source: bleeding-edge[1].json.0.dr	String found in binary or memory: https://github.com/apps/github-actions
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fangdreth
Source: curl.exe, 00000009.00000002.1329557755.00000000030B8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328736616.00000000030B0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328808912.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Train
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp, Extended-Training-Mode.exe, 00000006.00000002.3728270070.0000000000D3D000.00000002.00000001.01000000.00000006.sdmp, Extended-Training-Mode.exe, 00000006.00000000.1295455045.0000000000D3D000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, ConDrv.6.dr, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, bleeding-edge[1].json.0.dr	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/bleeding-edge/MBAACC-Ex
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1327921065.0000000003114000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.1329764971.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328330523.0000000003114000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328065709.00000000030E5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328435145.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328660390.00000000030D5000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.1328121147.0000000003114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/v2.0/README.md
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1297343013.0000000000774000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/tag/bleeding-edge
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fangdrethExt
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fangdrethont
Source: Extended-Training-Mode.exe, 00000006.00000002.3729242894.0000000001E2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fangdrethps:
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1297343013.0000000000774000.00000004.00000020.00020000.00000000.sdmp, bleeding-edge[1].json.0.dr	String found in binary or memory: https://uploads.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/203206778/assets

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 140.82.121.6:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.5:443 -> 192.168.2.4:49722 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Resource name: EXE type: PE32 executable (console) Intel 80386, for MS Windows
Source: Extended-Training-Mode.exe.0.dr	Static PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@8/5@2/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\bleeding-edge[1].json

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

File created: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-Launcher.log

Jump to behavior

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Virustotal: Detection: 40%
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	ReversingLabs: Detection: 34%

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: \Extended-Training-Mode-Launcher.log
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: https://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/bleeding-edge/MBAACC-Extended-Training-Mode-Launcher.
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: @Unknown exceptionbad array new lengthstring too longbad cast\Extended-Training-Mode-Launcher.loglog inited
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: Downloaderhttps://github.com/fangdreth/MBAACC-Extended-Training-Mode/releases/download/bleeding-edge/MBAACC-Extended-Training-Mode-Launcher.exefailed to open updated file for writing
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	String found in binary or memory: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb))

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Process created: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe "C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe"
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Process created: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe "C:\Users\user\AppData\Local\Temp\\Extended-Training-Mode.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: msvcp140_atomic_wait.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static file information: File size 12606976 > 1048576

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xbf1600

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\Extended-Training-Mode-DLL.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode-DLL.dll.6.dr, Extended-Training-Mode.exe.0.dr
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, Extended-Training-Mode.exe.0.dr
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb)) source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe
Source:	Binary string: D:\a\MBAACC-Extended-Training-Mode\MBAACC-Extended-Training-Mode\Release\MBAACC-Extended-Training-Mode-Launcher.pdb source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Extended-Training-Mode-DLL.dll.6.dr

Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	File created: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-DLL.dll			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	File created: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Window / User API: threadDelayed 3033	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Window / User API: threadDelayed 6966	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 9075	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode-DLL.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe TID: 8164	Thread sleep time: -303300s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe TID: 8164	Thread sleep time: -696600s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.000000000075F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe, 00000000.00000002.1296745208.0000000000745000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: curl.exe, 00000009.00000003.1328736616.00000000030B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Extended-Training-Mode.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -s https://api.github.com/repos/fangdreth/MBAACC-Extended-Training-Mode/releases/latest			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Code function: 0_2_00E9D133 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E9D133

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe