
Analysis Report 39PAYMENT000M103_signed.bat

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 167258
Start date: 25.08.2019
Start time: 18:35:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 33s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 39PAYMENT000M103_signed.bat (renamed file extension from bat to exe; the submitted file is a PE executable carrying a .bat extension)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@30/5@0/0
EGA Information: Failed
HDC Information:
  • Successful, ratio: 4.5% (good quality ratio 1.8%)
  • Quality average: 24.8%
  • Quality standard deviation: 33.7%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 368
  • Number of non-executed functions: 13
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Execution Graph export aborted for target 39PAYMENT000M103_signed.exe, PID 4948 because it is empty
  • Execution Graph export aborted for target MyApp.exe, PID 3076 because it is empty
  • Execution Graph export aborted for target filename1.exe, PID 2484 because there are no executed function
  • Execution Graph export aborted for target filename1.exe, PID 4792 because it is empty
  • Execution Graph export aborted for target filename1.exe, PID 5076 because it is empty
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Threat      | Detection
Threshold | 100   | 0 - 100 |           | false       | Agent Tesla | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required?
Threshold | 5     | 0 - 5 | false


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

The matrix is reproduced one tactic per line. Numbers in parentheses are the signature-count badges as extracted from the matrix (adjacent badges may have run together); techniques without a number had no matching signature in this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Windows Management Instrumentation (111); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Registry Run Keys / Startup Folder (11); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Process Injection (11); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Software Packing (11); Disabling Security Tools (1); Process Injection (11); NTFS File Attributes (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Software Packing; Indicator Blocking
Credential Access: Credential Dumping (2); Input Capture (111); Credentials in Registry (1); Credentials in Files (1); Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: Query Registry (1); Process Discovery (2); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); Security Software Discovery (21); File and Directory Discovery (1); System Information Discovery (112)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Input Capture (111); Data from Local System (2); Clipboard Data (1); Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
  • C:\Users\user\AppData\Roaming\MyApp\MyApp.exe: Joe Sandbox ML: detected
  • C:\Users\user\AppData\Roaming\filename1.exe: Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
  • 39PAYMENT000M103_signed.exe: Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  • 17.2.filename1.exe.400000.0.unpack: Avira: TR/Dropper.Gen
  • The only signature-based hit is Avira's generic dropper label on the unpacked in-memory image of filename1.exe (process index 17, base 0x400000); the on-disk sample and its copies are flagged only by the ML model.

Networking:

Found strings which match to known social media urls
  • filename1.exe, process index 17 (memory dumps 00000011.00000002.1024682880.00000000061D0000, 00000011.00000002.1021813384.0000000002D1E000 and 00000011.00000003.901039257.00000000061F5000): "MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365", matched to www.hotmail.com (Hotmail); the string occurs with the fragments "GMSN Schweiz | ...", "kFMSN Schweiz | ...", "kFMSN Schweiz | ... Office 365La6" and "weiz | Sign in Hotmail, ..."
  • filename1.exe, process index 12 (0000000C.00000002.799560601.0000000000A20000): "Microsoft.AspNet.Mvc.Facebook", matched to www.facebook.com (Facebook)
Urls found in memory or binary data
  • In the sample, in filename1.exe (process indexes 12 and 17) and in MyApp.exe (process indexes 23 and 24): http://crl.thawte.com/ThawteCodeSigningCA.crl02 and http://ocsp.thawte.com0
  • In the sample and in filename1.exe (process index 17): http://crl.thawte.com/ThawtePremiumServerCA.crl0
  • In filename1.exe (process index 17) only: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico, http://www.msn.com/, http://www.msn.com/?ocid=iehp, http://www.msn.com/?ocid=iehpLa6, http://www.msn.com/?ocid=iehpim.LMEM, http://www.msn.com/de-ch/, http://www.msn.com/de-ch/?ocid=iehp, https://tarifrechner.heise.de/widget.php, https://tarifrechner.heise.de/widget.php?produkt=dsl, https://tarifrechner.heise.de/widget.php?produkt=dslLa6, https://www.heise.de/, https://www.heise.de/La6
  • None of these are contact indicators. The Thawte CRL and OCSP URLs are certificate-extension fields from the Authenticode chain of the signed file (hence the "_signed" name), and the msn.com, Hotmail and heise.de strings are Internet Explorer home-page and page-title data (de-ch locale) that most plausibly came from the analysis machine's browser profile while filename1.exe was reading it (the sample embeds IELibrary.dll; see the debug-symbol path under System Summary). The report records no contacted IP address or domain, so no C2 indicator can be drawn from this section.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
  • C:\Users\user\AppData\Roaming\filename1.exe: Windows user hook set, thread id 0 (all threads), type keyboard low level (WH_KEYBOARD_LL), hook module C:\Users\user\AppData\Roaming\filename1.exe. A low-level keyboard hook is serviced in the installing process through its message loop rather than by injecting a DLL elsewhere, which is why the keylogger process has to stay resident.
Creates a DirectInput object (often for capturing keystrokes)
  • filename1.exe, process index 12 (0000000C.00000002.799560601.0000000000A20000): binary or memory string <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> (string evidence only; no DirectInput API call is recorded)
Creates a window with clipboard capturing capabilities
  • C:\Users\user\AppData\Roaming\filename1.exe: window created, class name CLIPBRDWNDCLASS (the OLE clipboard helper window, created when a process starts using the clipboard)

System Summary:

Yara detected Agent Tesla Trojan
  • Yara match, file source: 00000011.00000002.1021414696.0000000002C50000.00000004.00000001.sdmp, type: MEMORY (process index 17, filename1.exe)
.NET source code contains very large array initializations
  • Class atv2yeeKktu002bidasI18wTXS55unNd.cs, static constructor (.cctor) with an array initializer of 129024 bytes, found in: 39PAYMENT000M103_signed.exe (file and unpacked images 0.0 and 0.2 at base 0x590000); the dropped copies filename1.exe.8.dr and MyApp.exe.17.dr; the in-memory images of filename1.exe (12.0/12.2 at 0x290000, 17.0/17.2 at 0x810000, 18.0/18.2 at 0x650000, 19.0/19.2 at 0x190000); and the in-memory images of MyApp.exe (23.0/23.2 at 0x250000, 24.0/24.2 at 0x280000)
  • A 126 KiB byte array baked into a type initializer is the usual way a .NET loader carries its encrypted next stage; the same class turning up in every copy is consistent with filename1.exe and MyApp.exe being byte copies of the original sample (see the copy command under "Spawns processes").
Initial sample is a PE file and has a suspicious name
  • Static PE information: Filename: 39PAYMENT000M103_signed.exe
Creates mutexes
  • C:\Windows\System32\conhost.exe: \Sessions\1\BaseNamedObjects\Local\SM0:<pid>:120:WilError_01, one per conhost.exe instance (pids 4664, 4008, 208, 2192, 4608, 4264, 3092)
  • These mutants are created by conhost.exe for each console it hosts, not by the sample; they are a side effect of the seven cmd.exe launches and carry no indicator value.
Detected potential crypto function
  • 39PAYMENT000M103_signed.exe (process index 0): 0_2_00F8C7D0, 0_2_00F82AB0, 0_2_00F8B88C, 0_2_00F8B84C, 0_2_00F8C7C0, 0_2_00F83DBF
  • filename1.exe (process index 17): 17_2_00FC1140, 17_2_00FCE490, 17_2_00FC0448, 17_2_00FCE879, 17_2_00FCAB10, 17_2_00FC8D2C, 17_2_00FCAEF0, 17_2_00FC7E88, 17_2_00FC909F, 17_2_00FC703E, 17_2_00FC9013, 17_2_00FC91B9, 17_2_00FC9172, 17_2_00FC912B, 17_2_00FC1110, 17_2_00FC42B0, 17_2_00FC928E, 17_2_00FC9247, 17_2_00FC9200, 17_2_00FCA3EB, 17_2_00FC93C7, 17_2_00FC937D, 17_2_00FC931D, 17_2_00FC94EA, 17_2_00FC94A0, 17_2_00FCE480, 17_2_00FC9456, 17_2_00FC95C3, 17_2_00FC9534, 17_2_00FC969C, 17_2_00FC9652, 17_2_00FC48D6, 17_2_00FC4852, 17_2_00FCE912, 17_2_00FCE909, 17_2_00FC9BCD, 17_2_00FC9B83, 17_2_00FC9CAB, 17_2_00FC9C61, 17_2_00FC9C17, 17_2_00FC8DDB, 17_2_00FC8D94, 17_2_00FC8D4D, 17_2_00FC8EF7, 17_2_00FCAEE0, 17_2_00FC8E69, 17_2_00FC8E22, 17_2_00FC6E18, 17_2_00FC6E0F, 17_2_00FC8FCC, 17_2_00FC8F85, 17_2_0540B668, 17_2_05405118, 17_2_05409051, 17_2_0540C280, 17_2_0540E828, 17_2_05404D30, 17_2_0540B9B0
  • filename1.exe (process index 18): 18_2_00EF2AB0, 18_2_00EF3DBF
  • MyApp.exe (process index 23): 23_2_009FC7D0, 23_2_009F2AB0, 23_2_009F4FE0, 23_2_009FB88C, 23_2_009FC7C0, 23_2_009F3DBF
  • The hits in processes 0, 18 and 23 share their low 16 bits (xxxxC7D0, xxxx2AB0, xxxxB88C, xxxxC7C0, xxxx3DBF) at different bases, i.e. the same code relocated, consistent with the copies being identical. Process 17, the instance with the Yara and Avira hits on its memory, shows far more candidates.
Sample file is different than original file name gathered from version info
  • 39PAYMENT000M103_signed.exe version resource: OriginalFilename PAYMENT000M103.exe (also in the static image 00000000.00000002.683953258.0000000000592000), vs the submitted name 39PAYMENT000M103_signed.exe; the on-disk file additionally carries an empty OriginalFilename field
  • Other OriginalFilename strings in the sample's memory (process index 0): newstub.dll (00000000.00000002.685140821.00000000028A0000); IELibrary.dll and OZQSORYWABARJQTVPFJGUHSWNWBBNOYBWFFVUKXS_20190818100141146.exe (both in 00000000.00000002.688687642.0000000003DC8000)
  • Noise from loaded system and framework modules (00000000.00000002.691704151.00000000059C0000 and 00000000.00000002.691618532.0000000005470000): System.OriginalFileName, originalfilename, propsys.dll.mui
  • The three non-system names are embedded modules: a loader stub, the IELibrary.dll helper whose debug path appears under "Binary contains paths to debug symbols", and an inner executable whose name ends in what reads as a build timestamp (2019-08-18 10:01:41), a week before this analysis.
Tries to load missing DLLs
  • wow64log.dll, attempted by 39PAYMENT000M103_signed.exe (1), cmd.exe (7), filename1.exe (4) and MyApp.exe (2). This load is issued by the WoW64 layer for every 32-bit process on 64-bit Windows and the DLL does not ship with Windows; it is not behaviour of the sample, and as it is the only missing library the report lists, supplying it (as the analysis advice suggests) would reveal nothing about the sample.
Classification label
  • classification engine: mal100.troj.spyw.evad.winEXE@30/5@0/0
Creates files inside the user directory
  • 39PAYMENT000M103_signed.exe created C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\39PAYMENT000M103_signed.exe.log (written by the CLR itself whenever a .NET assembly runs; on a real host this file is a forensic trace that the assembly executed under the 32-bit v4 runtime)
PE file has an executable .text section and no other executable section
  • 39PAYMENT000M103_signed.exe: section .text with IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
  • C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll loaded by 39PAYMENT000M103_signed.exe (1), filename1.exe (4) and MyApp.exe (2)
Queries process information (via WMI, Win32_Process)
  • filename1.exe: IWbemServices::CreateInstanceEnum on root\cimv2 : Win32_Processor. The class actually enumerated is Win32_Processor (CPU details), so this is system-information discovery rather than process enumeration; the signature title is imprecise.
Reads ini files
  • 39PAYMENT000M103_signed.exe read C:\Users\user\Desktop\desktop.ini
Reads software policies
  • 39PAYMENT000M103_signed.exe opened HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policy lookup Windows performs on process start; benign on its own)
Spawns processes
Process creations, parent not recorded by the report:
  • C:\Users\user\Desktop\39PAYMENT000M103_signed.exe 'C:\Users\user\Desktop\39PAYMENT000M103_signed.exe'
  • C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C type nul > 'C:\Users\user\Desktop\39PAYMENT000M103_signed.exe:Zone.Identifier'
  • C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\39PAYMENT000M103_signed.exe' 'C:\Users\user\AppData\Roaming\filename1.exe'
  • C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Roaming\filename1.exe'
  • C:\Users\user\AppData\Roaming\filename1.exe C:\Users\user\AppData\Roaming\filename1.exe (twice)
  • C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C type nul > 'C:\Users\user\AppData\Roaming\filename1.exe:Zone.Identifier' (twice)
  • C:\Users\user\AppData\Roaming\filename1.exe 'C:\Users\user\AppData\Roaming\filename1.exe' -boot (twice)
  • C:\Users\user\AppData\Roaming\MyApp\MyApp.exe 'C:\Users\user\AppData\Roaming\MyApp\MyApp.exe' (twice)
  • C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C type nul > 'C:\Users\user\AppData\Roaming\MyApp\MyApp.exe:Zone.Identifier' (twice)
  • C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4, one per cmd.exe instance (7)
Process creations with the parent recorded:
  • C:\Users\user\Desktop\39PAYMENT000M103_signed.exe -> C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C type nul > 'C:\Users\user\Desktop\39PAYMENT000M103_signed.exe:Zone.Identifier'
  • C:\Users\user\Desktop\39PAYMENT000M103_signed.exe -> C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\39PAYMENT000M103_signed.exe' 'C:\Users\user\AppData\Roaming\filename1.exe'
  • C:\Users\user\Desktop\39PAYMENT000M103_signed.exe -> C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c, 'C:\Users\user\AppData\Roaming\filename1.exe'
  • C:\Windows\SysWOW64\cmd.exe -> C:\Users\user\AppData\Roaming\filename1.exe C:\Users\user\AppData\Roaming\filename1.exe
  • C:\Users\user\AppData\Roaming\filename1.exe -> C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C type nul > 'C:\Users\user\AppData\Roaming\filename1.exe:Zone.Identifier' (twice)
  • C:\Users\user\AppData\Roaming\filename1.exe -> C:\Users\user\AppData\Roaming\filename1.exe C:\Users\user\AppData\Roaming\filename1.exe
  • C:\Users\user\AppData\Roaming\MyApp\MyApp.exe -> C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C type nul > 'C:\Users\user\AppData\Roaming\MyApp\MyApp.exe:Zone.Identifier' (twice)
What the chain does: the sample copies itself to %APPDATA%\filename1.exe with cmd.exe, starts the copy through cmd.exe, and every stage runs "type nul > <file>:Zone.Identifier" against its own image. That command truncates the Zone.Identifier alternate data stream, i.e. removes the Mark-of-the-Web that SmartScreen and the Attachment Execution Service key on, so the dropped copies no longer look like downloaded files. The copy re-executes itself with the -boot argument and a further copy appears as %APPDATA%\MyApp\MyApp.exe; the report does not record which process started the -boot and MyApp.exe instances. Note that the Zone.Identifier wipe is applied to the original Desktop sample as well, before the copy is made.
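The chain above is detectable from process-creation telemetry alone. The following is an added example (not Joe Sandbox output and not the sample's code) that runs three rules over constructed process-creation events: the command lines mirror the "Spawns processes" list in this report, while the PIDs, parent links and the rule names are illustrative assumptions. It flags the Zone.Identifier wipe, the self-copy into %APPDATA% and the -boot relaunch, and prints the parent chain for each hit.

```python
"""Detection logic for the dropper chain listed above, run over constructed
process-creation events. Added example, not part of the sandbox report."""
import re

# Constructed events: command lines follow the report's "Spawns processes" list;
# PIDs and parent links are illustrative, not the sandbox's own values.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE = r"C:\Users\user\Desktop\39PAYMENT000M103_signed.exe"
COPY1 = r"C:\Users\user\AppData\Roaming\filename1.exe"
COPY2 = r"C:\Users\user\AppData\Roaming\MyApp\MyApp.exe"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": SAMPLE, "cmdline": f"'{SAMPLE}'"},
    {"pid": 101, "ppid": 100, "image": CMD,
     "cmdline": f"'C:\\Windows\\System32\\cmd.exe' /C type nul > '{SAMPLE}:Zone.Identifier'"},
    {"pid": 102, "ppid": 100, "image": CMD,
     "cmdline": f"'C:\\Windows\\System32\\cmd.exe' /c copy '{SAMPLE}' '{COPY1}'"},
    {"pid": 103, "ppid": 100, "image": CMD,
     "cmdline": f"'C:\\Windows\\System32\\cmd.exe' /c, '{COPY1}'"},
    {"pid": 104, "ppid": 103, "image": COPY1, "cmdline": COPY1},
    {"pid": 105, "ppid": 104, "image": CMD,
     "cmdline": f"'C:\\Windows\\System32\\cmd.exe' /C type nul > '{COPY1}:Zone.Identifier'"},
    {"pid": 106, "ppid": 104, "image": COPY1, "cmdline": f"'{COPY1}' -boot"},
    {"pid": 107, "ppid": 106, "image": COPY2, "cmdline": f"'{COPY2}'"},
]

# "type nul > file:Zone.Identifier" truncates the ADS that carries the
# Mark-of-the-Web; legitimate software has no reason to do this via cmd.exe.
MOTW_STRIP = re.compile(r"type\s+nul\s*>\s*['\"]?(?P<target>[^'\"]+?):Zone\.Identifier", re.I)
# "copy <src> <dst>"; paths containing spaces are assumed to be quoted.
COPY_CMD = re.compile(r"\bcopy\s+['\"]?(?P<src>[^'\"]+?)['\"]?\s+['\"]?(?P<dst>[^'\"]+?)['\"]?\s*$", re.I)
# "cmd /c <exe>" (the report shows the odd "/c," spelling, so the comma is optional).
CMD_LAUNCH = re.compile(r"/c,?\s+['\"]?(?P<target>[^'\"]+?\.exe)['\"]?\s*$", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)


def is_cmd(image: str) -> bool:
    return image.lower().endswith("\\cmd.exe")


def lineage(by_pid: dict, pid: int) -> str:
    """Image basenames from the root of the recorded tree down to pid."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(chain))


def analyze(events: list) -> list:
    """Return one finding per matched rule, with the parent chain attached."""
    by_pid = {e["pid"]: e for e in events}
    findings = []

    def hit(rule, e, **detail):
        findings.append({"rule": rule, "pid": e["pid"],
                         "chain": lineage(by_pid, e["pid"]), **detail})

    for e in events:
        parent = by_pid.get(e["ppid"])
        cmd = e["cmdline"]
        if is_cmd(e["image"]):
            if (m := MOTW_STRIP.search(cmd)):
                hit("motw_strip", e, target=m["target"])
            # Self-copy: the copied source is the parent's own image and the
            # destination is a user-writable profile directory.
            if ((m := COPY_CMD.search(cmd)) and parent
                    and m["src"].lower() == parent["image"].lower()
                    and USER_WRITABLE.search(m["dst"])):
                hit("self_copy_to_appdata", e, src=m["src"], dst=m["dst"])
            if (m := CMD_LAUNCH.search(cmd)) and USER_WRITABLE.search(m["target"]):
                hit("cmd_launches_appdata_exe", e, target=m["target"])
        elif USER_WRITABLE.search(e["image"]) and re.search(r"\s-boot\b", cmd):
            hit("appdata_exe_boot_relaunch", e)
    return findings


def rule_counts(events: list) -> dict:
    counts = {}
    for f in analyze(events):
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<4} {f['chain']}")
```

Running it against the constructed events yields two motw_strip hits (the Desktop sample and the %APPDATA% copy), one self-copy, one cmd.exe launch of an %APPDATA% executable and one -boot relaunch; the chain string for the relaunch reads 39PAYMENT000M103_signed.exe > cmd.exe > filename1.exe > filename1.exe. On a real endpoint the same regexes apply to Sysmon event 1 or Windows 4688 command lines, and the self-copy rule is the one least likely to fire on benign software.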
Uses an in-process (OLE) Automation server
  • 39PAYMENT000M103_signed.exe queried HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Uses Microsoft Silverlight
  • 39PAYMENT000M103_signed.exe opened C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll. This is the .NET Framework 4 resource DLL that every CLR process touches; it does not indicate Silverlight, and the signature should be read as a .NET runtime artefact.
Checks if Microsoft Office is installed
  • filename1.exe opened HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676. This subkey holds Outlook 2013 account settings, including stored mail credentials, so the access fits mail-client credential harvesting rather than an installation check.
PE file contains a COM descriptor data directory
  • 39PAYMENT000M103_signed.exe: data directory IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present (the CLR header, i.e. a managed .NET assembly)
Contains modern PE file flags such as dynamic base (ASLR) or NX
  • 39PAYMENT000M103_signed.exe: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT (the defaults the .NET compilers emit, so not evidence of hardening effort by the author)
Binary contains paths to debug symbols
  • C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb, found in 39PAYMENT000M103_signed.exe (00000000.00000002.688687642.0000000003DC8000), filename1.exe (0000000C.00000002.806385700.0000000003ACC000 and 00000011.00000002.1024855485.0000000006350000) and MyApp.exe (00000017.00000002.1008520723.0000000003A3E000 and 00000018.00000002.1033444330.000000000394E000). The path is a Debug build left by the author (user "Admin"), and its presence in every process confirms that the IELibrary.dll module named under "Sample file is different than original file name" is embedded in the sample.

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Roaming\filename1.exe | Unpacked PE file: 18.2.filename1.exe.1200000.1.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Code function: 0_2_005C1869 push cs; iretd 0_2_005C1872
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Code function: 0_2_005C186B push cs; iretd 0_2_005C1872
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Code function: 0_2_0059571D push edi; retf 0_2_0059571E
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Code function: 0_2_005A2729 push ds; retf 0_2_005A2733
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Code function: 0_2_0059E021 push ebp; iretd 0_2_0059E022
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Code function: 0_2_005A55AF pushfd; retf 0_2_005A55B0
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Code function: 0_2_00F86A99 push ecx; ret 0_2_00F86AA3
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Code function: 0_2_00F86C16 push ecx; ret 0_2_00F86C28
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 12_2_002A2729 push ds; retf 12_2_002A2733
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 12_2_0029E021 push ebp; iretd 12_2_0029E022
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 12_2_0029571D push edi; retf 12_2_0029571E
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 12_2_002C1869 push cs; iretd 12_2_002C1872
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 12_2_002C186B push cs; iretd 12_2_002C1872
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 12_2_002A55AF pushfd; retf 12_2_002A55B0
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_008255AF pushfd; retf 17_2_008255B0
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_0081571D push edi; retf 17_2_0081571E
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_0081E021 push ebp; iretd 17_2_0081E022
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00822729 push ds; retf 17_2_00822733
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00841869 push cs; iretd 17_2_00841872
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_0084186B push cs; iretd 17_2_00841872
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FCF0A5 push 00000069h; ret 17_2_00FCF0A7
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FCF046 push esi; retf 17_2_00FCF047
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FCF028 push FFFFFFB9h; ret 17_2_00FCF02A
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FCF1B1 push 00000069h; ret 17_2_00FCF1B3
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FCEAD3 push 00000069h; ret 17_2_00FCEAD5
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FC8A8E push ds; retf 17_2_00FC8A8F
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FCEBD8 push eax; ret 17_2_00FCEBD9
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FCEBAC push 00000069h; ret 17_2_00FCEBAE
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FCEB0A push 00000069h; ret 17_2_00FCEB0C
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FCEC55 push 00000069h; ret 17_2_00FCEC57
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FCDD42 push edi; ret 17_2_00FCDD43

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\filename1.exe
Source: C:\Users\user\AppData\Roaming\filename1.exe | File created: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe

Boot Survival:

Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Roaming\filename1.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MyApp
Source: C:\Users\user\AppData\Roaming\filename1.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run application
Creates an autostart registry key
Source: C:\Users\user\AppData\Roaming\filename1.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run application
Source: C:\Users\user\AppData\Roaming\filename1.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MyApp

Hooking and other Techniques for Hiding and Protection:

Creates files in alternative data streams (ADS)
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe:Zone.Identifier
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Roaming\filename1.exe | File opened: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\filename1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\filename1.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\filename1.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\filename1.exe | Window / User API: threadDelayed 1247
Source: C:\Users\user\AppData\Roaming\filename1.exe | Window / User API: threadDelayed 7930
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe TID: 1224 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\filename1.exe TID: 4688 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\filename1.exe TID: 2280 | Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\AppData\Roaming\filename1.exe TID: 3092 | Thread sleep count: 1247 > 30
Source: C:\Users\user\AppData\Roaming\filename1.exe TID: 3092 | Thread sleep count: 7930 > 30
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe TID: 4736 | Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\filename1.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\filename1.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 39PAYMENT000M103_signed.exe, 00000000.00000002.685140821.00000000028A0000.00000004.00000001.sdmp, filename1.exe, 0000000C.00000002.804373909.00000000036E0000.00000004.00000001.sdmp, filename1.exe, 00000012.00000002.871236656.0000000001200000.00000004.00000001.sdmp, filename1.exe, 00000013.00000002.869253313.0000000002640000.00000004.00000001.sdmp, MyApp.exe, 00000017.00000002.1004025227.0000000000C80000.00000004.00000001.sdmp, MyApp.exe, 00000018.00000002.1032268454.0000000003670000.00000004.00000001.sdmp | Binary or memory string: VirtualMachineDetectornewstub.VmDetectorAssertname%*C\L]E%a(BBe
Source: filename1.exe, 00000011.00000002.1023580511.0000000005300000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 39PAYMENT000M103_signed.exe, 00000000.00000002.685140821.00000000028A0000.00000004.00000001.sdmp, filename1.exe, 0000000C.00000002.804373909.00000000036E0000.00000004.00000001.sdmp, filename1.exe, 00000012.00000002.871236656.0000000001200000.00000004.00000001.sdmp, filename1.exe, 00000013.00000002.869253313.0000000002640000.00000004.00000001.sdmp, MyApp.exe, 00000017.00000002.1004025227.0000000000C80000.00000004.00000001.sdmp, MyApp.exe, 00000018.00000002.1032268454.0000000003670000.00000004.00000001.sdmp | Binary or memory string: VirtualMachineDetector
Source: filename1.exe, 00000011.00000002.1023580511.0000000005300000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: filename1.exe, 00000011.00000002.1023580511.0000000005300000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: filename1.exe, 00000011.00000002.1023580511.0000000005300000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\AppData\Roaming\filename1.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | System information queried: KernelDebuggerInformation
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_00FC8D2C KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk, 17_2_00FC8D2C
Enables debug privileges
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\filename1.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\filename1.exeProcess token adjusted: DebugJump to behavior
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\filename1.exe C:\Users\user\AppData\Roaming\filename1.exe
Source: C:\Users\user\AppData\Roaming\filename1.exe | Process created: C:\Users\user\AppData\Roaming\filename1.exe C:\Users\user\AppData\Roaming\filename1.exe
May try to detect the Windows Explorer process (often used for injection)
Source: filename1.exe, 00000011.00000002.1021813384.0000000002D1E000.00000004.00000001.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(08/25/2019 18:37:59)</span></span><br>
Source: filename1.exe, 00000011.00000002.1021813384.0000000002D1E000.00000004.00000001.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(08/25/2019 18:37:59)</span></span><br><font color=#008000>{ESC}</font>
Source: filename1.exe, 00000011.00000002.1021075046.0000000001680000.00000002.00000001.sdmp, MyApp.exe, 00000018.00000002.1029370925.0000000001090000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: filename1.exe, 00000011.00000002.1021075046.0000000001680000.00000002.00000001.sdmp, MyApp.exe, 00000018.00000002.1029370925.0000000001090000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: filename1.exe, 00000011.00000002.1021075046.0000000001680000.00000002.00000001.sdmp, MyApp.exe, 00000018.00000002.1029370925.0000000001090000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: filename1.exe, 00000011.00000002.1021813384.0000000002D1E000.00000004.00000001.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(08/25/2019 18:37:59)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{Win}</font>r<font color=#008000>{ESC}</font>
Source: filename1.exe, 00000011.00000002.1021813384.0000000002D1E000.00000004.00000001.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(08/25/2019 18:37:59)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{Win}</font>r
Source: filename1.exe, 00000011.00000002.1021075046.0000000001680000.00000002.00000001.sdmp, MyApp.exe, 00000018.00000002.1029370925.0000000001090000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: filename1.exe, 00000011.00000002.1021813384.0000000002D1E000.00000004.00000001.sdmp | Binary or memory string: Operating System: </b>Program Manager <b>]</b> <span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;>(08/25/2019 18:37:59)</span></span><br><font color=#008000>{ESC}</font><font color=#008000>{Win}</font>

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Queries volume information: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe VolumeInformation
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Users\user\AppData\Roaming\filename1.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Users\user\AppData\Roaming\filename1.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Users\user\AppData\Roaming\filename1.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\filename1.exe | Queries volume information: C:\Users\user\AppData\Roaming\filename1.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Queries volume information: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Queries volume information: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Roaming\filename1.exe | Code function: 17_2_0540DCE8 GetUserNameW,17_2_0540DCE8
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\39PAYMENT000M103_signed.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Roaming\filename1.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\filename1.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\filename1.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\filename1.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\filename1.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\filename1.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\filename1.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\filename1.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\filename1.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Behavior Graph

Behavior Graph ID: 167258
Sample: 39PAYMENT000M103_signed.bat
Startdate: 25/08/2019
Architecture: WINDOWS
Score: 100

Signatures on the initial sample:
  • Antivirus or Machine Learning detection for sample
  • Yara detected Agent Tesla Trojan
  • .NET source code contains very large array initializations
  • Initial sample is a PE file and has a suspicious name

Process tree (node numbers as in the graph):
  • 39PAYMENT000M103_signed.exe (9), started from the sample
    • dropped: C:\Users\...\39PAYMENT000M103_signed.exe.log (ASCII)
    • started cmd.exe (19), cmd.exe (21), cmd.exe (24)
      • cmd.exe (19) started filename1.exe (33) and conhost.exe (36)
      • cmd.exe (21) dropped C:\Users\user\AppData\Roaming\filename1.exe (PE32) and started conhost.exe (38)
      • cmd.exe (24) started conhost.exe (40)
  • filename1.exe (33)
    • signatures: Antivirus or Machine Learning detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Creates multiple autostart registry keys
    • started filename1.exe (48) and cmd.exe (52); cmd.exe (52) started conhost.exe (54)
  • filename1.exe (48)
    • dropped: C:\Users\user\AppData\Roaming\...\MyApp.exe (PE32)
    • signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Creates multiple autostart registry keys; 4 other signatures
  • MyApp.exe (12), started from the sample
    • signature: Antivirus or Machine Learning detection for dropped file
    • started cmd.exe (26), which creates files in alternative data streams (ADS) and started conhost.exe (42)
  • filename1.exe (15), started from the sample
    • started cmd.exe (29), which started conhost.exe (44)
  • 2 other processes (17), started from the sample
    • started cmd.exe (31), which started conhost.exe (46)

Simulations

Behavior and APIs

Time | Type | Description
18:36:47 | API Interceptor | 5x Sleep call for process: 39PAYMENT000M103_signed.exe modified
18:37:20 | API Interceptor | 2x Sleep call for process: filename1.exe modified
18:37:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run application C:\Users\user\AppData\Roaming\filename1.exe -boot
18:37:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run application C:\Users\user\AppData\Roaming\filename1.exe -boot
18:37:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MyApp C:\Users\user\AppData\Roaming\MyApp\MyApp.exe
18:38:01 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MyApp C:\Users\user\AppData\Roaming\MyApp\MyApp.exe
18:38:28 | API Interceptor | 1x Sleep call for process: MyApp.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
39PAYMENT000M103_signed.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\MyApp\MyApp.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\filename1.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
17.2.filename1.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ocsp.thawte.com0 | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | Google Safe Browsing | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.1021414696.0000000002C50000.00000004.00000001.sdmp | JoeSecurity_Agenttesla_Smtp_Variant | Yara detected Agent Tesla Trojan | Joe Security |

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
