Analysis Report 44Update-KB385-x86.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 167260
Start date: 25.08.2019
Start time: 18:37:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 24s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 44Update-KB385-x86.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.evad.winEXE@7/10@188/6
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 26.9% (good quality ratio 25.8%)
  • Quality average: 81.9%
  • Quality standard deviation: 25.1%
HCA Information:
  • Successful, ratio: 80%
  • Number of executed functions: 104
  • Number of non-executed functions: 143
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 74.125.28.26, 172.217.194.26, 74.125.204.26, 108.177.14.26, 64.233.167.26, 93.184.221.240, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): alt3.gmail-smtp-in.l.google.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, alt2.gmail-smtp-in.l.google.com, wu.azureedge.net, alt4.gmail-smtp-in.l.google.com, gmail-smtp-in.l.google.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, alt1.gmail-smtp-in.l.google.com, wu.wpc.apr-52dd2.edgecastdns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 80    | 0 - 100 |           | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques are listed per tactic column of the matrix; trailing digits after a technique name are the matrix's counters, kept as extracted.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Execution through API1; Execution through Module Load1; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Registry Run Keys / Startup Folder1; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Access Token Manipulation1; Process Injection41; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Masquerading2; Software Packing2; Access Token Manipulation1; Process Injection41; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information3; DLL Side-Loading1
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: System Time Discovery12; Process Discovery3; Security Software Discovery41; Remote System Discovery1; File and Directory Discovery11; System Information Discovery23; Network Sniffing
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol1; Standard Non-Application Layer Protocol1; Standard Application Layer Protocol11; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for dropped file
  Source: C:\Windows\SysWOW64\wmpucabi.dll | Avira: Label: TR/Crypt.XPACK.Gen
  Source: C:\Windows\serv.exe | Avira: Label: WORM/Stration.C
  Source: C:\Windows\SysWOW64\wmpucabi.dll | Joe Sandbox ML: detected
  Source: C:\Windows\serv.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
  Source: 44Update-KB385-x86.exe | Avira: Label: WORM/Stration.C
  Source: 44Update-KB385-x86.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  Source: 9.2.serv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  Source: 4.0.serv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  Source: 4.2.serv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  Source: 0.2.44Update-KB385-x86.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  Source: 4.2.serv.exe.10000000.2.unpack | Avira: Label: WORM/Stration.Gen
  Source: 0.0.44Update-KB385-x86.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  Source: 9.0.serv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  Source: 9.2.serv.exe.10000000.2.unpack | Avira: Label: WORM/Stration.Gen

Spreading:

Enumerates the file system
  Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\
  Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
  Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
  Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
  Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
  Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Contains functionality to enumerate / list files inside a directory
  Source: C:\Windows\serv.exe | Code function: 4_2_0041A920 FindFirstFileA,lstrcat,FindFirstFileA

Networking:

Domain name seen in connection with other malware
  Source: Joe Sandbox View | Domain Name: mta6.am0.yahoodns.net
IP address seen in connection with other malware
  Source: Joe Sandbox View | IP Address: 67.195.228.94
Uses SMTP (mail sending)
  Source: global traffic | TCP traffic: 192.168.2.7:49723 -> 67.195.204.72:25
  Source: global traffic | TCP traffic: 192.168.2.7:49724 -> 98.136.96.91:25
  Source: global traffic | TCP traffic: 192.168.2.7:49725 -> 67.195.228.110:25
  Source: global traffic | TCP traffic: 192.168.2.7:49731 -> 98.136.96.76:25
  Source: global traffic | TCP traffic: 192.168.2.7:49732 -> 104.47.9.33:25
  Source: global traffic | TCP traffic: 192.168.2.7:49733 -> 67.195.228.94:25
Found strings which match to known social media urls
  Source: explorer.exe, 00000008.00000000.715994533.0000000005898000.00000004.00000001.sdmp | String found in binary or memory: .Twitter.url equals www.twitter.com (Twitter)
  Source: explorer.exe, 00000008.00000000.711409838.0000000004670000.00000004.00000001.sdmp | String found in binary or memory: .Youtube.url equals www.youtube.com (Youtube)
  Source: explorer.exe, 00000008.00000000.715994533.0000000005898000.00000004.00000001.sdmp | String found in binary or memory: Twitter.url equals www.twitter.com (Twitter)
  Source: explorer.exe, 00000008.00000000.711409838.0000000004670000.00000004.00000001.sdmp | String found in binary or memory: Youtube.url equals www.youtube.com (Youtube)
  Source: serv.exe, 00000004.00000002.1070673656.0000000000BD0000.00000004.00000040.sdmp | String found in binary or memory: hotmail.com equals www.hotmail.com (Hotmail)
Performs DNS lookups
  Source: unknown | DNS traffic detected: queries for: yahoo.com
Urls found in memory or binary data
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
  Source: explorer.exe, 00000008.00000000.701633732.0000000000B00000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
  Source: explorer.exe, 00000008.00000000.724508580.000000000B1C6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

System Summary:

Contains functionality to call native functions
  Source: C:\Windows\serv.exe | Code function: 4_2_005B1810 NtQuerySystemInformation
  Source: C:\Windows\serv.exe | Code function: 9_2_005A1810 NtQuerySystemInformation
Contains functionality to communicate with device drivers
  Source: C:\Windows\serv.exe | Code function: 4_2_0041AE10: DeviceIoControl,DeviceIoControl
Creates files inside the system directory
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | File created: C:\Windows\serv.exe
Detected potential crypto function
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040D809
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_004238CE
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0042B0CE
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040E0B8
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040E167
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040D170
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040C100
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_00406930
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040E990
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_004101A9
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_00412A40
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040B2E0
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040B380
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040F390
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040E3A8
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040D409
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040DCB0
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040E518
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_00404DD0
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040DD87
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040CF00
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040DF38
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_00422F38
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0042AFC6
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040DFE9
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040DF98
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040FFA0
  Source: C:\Windows\serv.exe | Code function: 4_2_00406930
  Source: C:\Windows\serv.exe | Code function: 4_2_0040D809
  Source: C:\Windows\serv.exe | Code function: 4_2_004238CE
  Source: C:\Windows\serv.exe | Code function: 4_2_0042B0CE
  Source: C:\Windows\serv.exe | Code function: 4_2_0040E0B8
  Source: C:\Windows\serv.exe | Code function: 4_2_0040E167
  Source: C:\Windows\serv.exe | Code function: 4_2_0040D170
  Source: C:\Windows\serv.exe | Code function: 4_2_0040C100
  Source: C:\Windows\serv.exe | Code function: 4_2_0040E990
  Source: C:\Windows\serv.exe | Code function: 4_2_004101A9
  Source: C:\Windows\serv.exe | Code function: 4_2_00412A40
  Source: C:\Windows\serv.exe | Code function: 4_2_0040B2E0
  Source: C:\Windows\serv.exe | Code function: 4_2_0040B380
  Source: C:\Windows\serv.exe | Code function: 4_2_0040F390
  Source: C:\Windows\serv.exe | Code function: 4_2_0040E3A8
  Source: C:\Windows\serv.exe | Code function: 4_2_0040D409
  Source: C:\Windows\serv.exe | Code function: 4_2_0040DCB0
  Source: C:\Windows\serv.exe | Code function: 4_2_0040E518
  Source: C:\Windows\serv.exe | Code function: 4_2_00404DD0
  Source: C:\Windows\serv.exe | Code function: 4_2_0040DD87
  Source: C:\Windows\serv.exe | Code function: 4_2_0040CF00
  Source: C:\Windows\serv.exe | Code function: 4_2_0040DF38
  Source: C:\Windows\serv.exe | Code function: 4_2_00422F38
  Source: C:\Windows\serv.exe | Code function: 4_2_0042AFC6
  Source: C:\Windows\serv.exe | Code function: 4_2_0040DFE9
  Source: C:\Windows\serv.exe | Code function: 4_2_0040DF98
  Source: C:\Windows\serv.exe | Code function: 4_2_0040FFA0
  Source: C:\Windows\serv.exe | Code function: 4_2_10001400
  Source: C:\Windows\serv.exe | Code function: 4_2_10001D00
  Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_04F61400
  Source: C:\Windows\SysWOW64\notepad.exe | Code function: 6_2_04F61D00
Found potential string decryption / allocating functions
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: String function: 00422EEC appears 46 times
  Source: C:\Windows\serv.exe | Code function: String function: 00422EEC appears 46 times
PE file contains strange resources
  Source: 44Update-KB385-x86.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  Source: serv.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
  Source: C:\Windows\serv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample reads its own file content
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | File read: C:\Users\user\Desktop\44Update-KB385-x86.exe
Tries to load missing DLLs
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Section loaded: wow64log.dll
  Source: C:\Windows\serv.exe | Section loaded: wow64log.dll
  Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wow64log.dll
  Source: C:\Windows\serv.exe | Section loaded: wow64log.dll
Classification label
  Source: classification engine | Classification label: mal80.evad.winEXE@7/10@188/6
Contains functionality to adjust token privileges (e.g. debug / backup)
  Source: C:\Windows\serv.exe | Code function: 4_2_0041B600 AdjustTokenPrivileges,AdjustTokenPrivileges
Contains functionality to enum processes or threads
  Source: C:\Windows\serv.exe | Code function: 4_2_00419E20 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot
Creates files inside the user directory
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | File created: C:\Users\user\Desktop\F734.tmp
Creates temporary files
  Source: C:\Windows\serv.exe | File created: C:\Users\user~1\AppData\Local\Temp\~7211.tmp
Reads software policies
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
  Source: unknown | Process created: C:\Users\user\Desktop\44Update-KB385-x86.exe 'C:\Users\user\Desktop\44Update-KB385-x86.exe'
  Source: unknown | Process created: C:\Windows\serv.exe C:\Windows\serv.exe s
  Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\F734.tmp
  Source: unknown | Process created: C:\Windows\serv.exe 'C:\Windows\serv.exe' s
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Process created: C:\Windows\serv.exe C:\Windows\serv.exe s
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\F734.tmp
  Source: C:\Windows\explorer.exe | Process created: C:\Windows\serv.exe 'C:\Windows\serv.exe' s
Uses an in-process (OLE) Automation server
  Source: C:\Windows\SysWOW64\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Binary contains paths to debug symbols
  Source: Binary string: msvcp120.amd64.pdb | source: explorer.exe, 00000008.00000000.734221786.00007FFF01C25000.00000002.00020000.sdmp
  Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000008.00000000.719870839.00000000068C0000.00000002.00000001.sdmp
  Source: Binary string: msvcr120.amd64.pdb | source: explorer.exe, 00000008.00000000.733852761.00007FFEF11B8000.00000002.00020000.sdmp
  Source: Binary string: wscui.pdb | source: explorer.exe, 00000008.00000000.719870839.00000000068C0000.00000002.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
  Source: C:\Windows\serv.exe | Code function: 4_2_0041D3A0 LoadLibraryA,GetProcAddress
Entry point lies outside standard sections
  Source: initial sample | Static PE information: section where entry point is pointing to: .Upack
PE file contains sections with non-standard names
  Source: 44Update-KB385-x86.exe | Static PE information: section name: .Upack
  Source: 44Update-KB385-x86.exe | Static PE information: section name: .imports
  Source: serv.exe.0.dr | Static PE information: section name: .Upack
  Source: serv.exe.0.dr | Static PE information: section name: .imports
Uses code obfuscation techniques (call, push, ret)
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_004215E0 push eax; ret 0_2_004215F4
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_004215E0 push eax; ret 0_2_0042161C
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_00422F27 push ecx; ret 0_2_00422F37
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_00421FB0 push eax; ret 0_2_00421FCE
  Source: C:\Windows\serv.exe | Code function: 4_2_004215E0 push eax; ret 4_2_004215F4
  Source: C:\Windows\serv.exe | Code function: 4_2_004215E0 push eax; ret 4_2_0042161C
  Source: C:\Windows\serv.exe | Code function: 4_2_00422F27 push ecx; ret 4_2_00422F37
  Source: C:\Windows\serv.exe | Code function: 4_2_00421FB0 push eax; ret 4_2_00421FCE
Binary may include packed or encrypted code
  Source: initial sample | Static PE information: section name: .rsrc entropy: 7.74693130457

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
  Source: C:\Windows\explorer.exe | Executable created and started: C:\Windows\serv.exe
Drops PE files
  Source: C:\Windows\serv.exe | File created: C:\Windows\SysWOW64\wmpucabi.dll
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | File created: C:\Windows\serv.exe
Drops PE files to the windows directory (C:\Windows)
  Source: C:\Windows\serv.exe | File created: C:\Windows\SysWOW64\wmpucabi.dll
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | File created: C:\Windows\serv.exe

Boot Survival:

Creates an undocumented autostart registry key
  Source: C:\Windows\serv.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | RDTSC instruction interceptor: First address: 40cf10 second address: 40cf1e instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, edx
    0x00000004 xor dword ptr [esp+04h], eax
    0x00000008 call esi
    0x0000000a push ecx
    0x0000000b call dword ptr [74A317DCh]
    0x00000011 mov edi, edi
    0x00000013 push ebp
    0x00000014 mov ebp, esp
    0x00000016 push ecx
    0x00000017 mov ecx, dword ptr [7FFE0004h]
    0x0000001d mov dword ptr [ebp-04h], ecx
    0x00000020 cmp ecx, 01000000h
    0x00000026 jc 00007F36849A7A42h
    0x0000002c mov eax, 7FFE0320h
    0x00000031 mov eax, dword ptr [eax]
    0x00000033 mul ecx
    0x00000035 shrd eax, edx, 00000018h
    0x00000039 shr edx, 18h
    0x0000003c mov esp, ebp
    0x0000003e pop ebp
    0x0000003f ret
    0x00000040 pop ecx
    0x00000041 ret
    0x00000042 mov dword ptr [esp+08h], eax
    0x00000046 rdtsc
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | RDTSC instruction interceptor: First address: 40cf1e second address: 40cf2c instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, edx
    0x00000004 xor dword ptr [esp+08h], eax
    0x00000008 call esi
    0x0000000a push ecx
    0x0000000b call dword ptr [74A317DCh]
    0x00000011 mov edi, edi
    0x00000013 push ebp
    0x00000014 mov ebp, esp
    0x00000016 push ecx
    0x00000017 mov ecx, dword ptr [7FFE0004h]
    0x0000001d mov dword ptr [ebp-04h], ecx
    0x00000020 cmp ecx, 01000000h
    0x00000026 jc 00007F368478FCA2h
    0x0000002c mov eax, 7FFE0320h
    0x00000031 mov eax, dword ptr [eax]
    0x00000033 mul ecx
    0x00000035 shrd eax, edx, 00000018h
    0x00000039 shr edx, 18h
    0x0000003c mov esp, ebp
    0x0000003e pop ebp
    0x0000003f ret
    0x00000040 pop ecx
    0x00000041 ret
    0x00000042 mov dword ptr [esp+0Ch], eax
    0x00000046 rdtsc
  Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | RDTSC instruction interceptor: First address: 40cf2c second address: 40cf3a instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, edx
    0x00000004 xor dword ptr [esp+0Ch], eax
    0x00000008 call esi
    0x0000000a push ecx
    0x0000000b call dword ptr [74A317DCh]
    0x00000011 mov edi, edi
    0x00000013 push ebp
    0x00000014 mov ebp, esp
    0x00000016 push ecx
    0x00000017 mov ecx, dword ptr [7FFE0004h]
    0x0000001d mov dword ptr [ebp-04h], ecx
    0x00000020 cmp ecx, 01000000h
    0x00000026 jc 00007F36849A7A42h
    0x0000002c mov eax, 7FFE0320h
    0x00000031 mov eax, dword ptr [eax]
    0x00000033 mul ecx
    0x00000035 shrd eax, edx, 00000018h
    0x00000039 shr edx, 18h
    0x0000003c mov esp, ebp
    0x0000003e pop ebp
    0x0000003f ret
    0x00000040 pop ecx
    0x00000041 ret
    0x00000042 mov dword ptr [esp+10h], eax
    0x00000046 rdtsc
Source: C:\Users\user\Desktop\44Update-KB385-x86.exeRDTSC instruction interceptor: First address: 40cf10 second address: 40cf1e instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+04h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [74A317DCh] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007F36849A7332h 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 shr edx, 18h 0x0000003c mov esp, ebp 0x0000003e pop ebp 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [esp+08h], eax 0x00000046 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040CF00 rdtsc | 0_2_0040CF00
Contains long sleeps (>= 3 min)
Source: C:\Windows\serv.exe | Thread delayed: delay time: 300000
Source: C:\Windows\serv.exe | Thread delayed: delay time: 300000
Enumerates the file system
Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\
Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
Source: C:\Windows\serv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Found dropped PE file which has not been started or loaded
Source: C:\Windows\serv.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\wmpucabi.dll
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-20077
Source: C:\Windows\serv.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_4-22394
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_0-17102
Source: C:\Windows\serv.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_4-18746
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\serv.exe TID: 5088 | Thread sleep time: -5100000s >= -30000s
Source: C:\Windows\serv.exe TID: 4576 | Thread sleep time: -4800000s >= -30000s
Source: C:\Windows\serv.exe TID: 4964 | Thread sleep time: -60000s >= -30000s
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040B380 GetLocalTime followed by cmp: cmp word ptr [esp+00000096h], ax and CTI: jbe 0040B739h | 0_2_0040B380
Source: C:\Windows\serv.exe | Code function: 4_2_0040B380 GetLocalTime followed by cmp: cmp word ptr [esp+00000096h], ax and CTI: jbe 0040B739h | 4_2_0040B380
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\serv.exe | Code function: 4_2_0041A920 FindFirstFileA,lstrcat,FindFirstFileA, | 4_2_0041A920
Contains functionality to query system information
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0042876E VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, | 0_2_0042876E
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: serv.exe, 00000004.00000002.1078490800.0000000003566000.00000004.00000001.sdmp | Binary or memory string: 9siMK0Me33GZcpJ7bfkJHfZvmcI/qGUiynKS8/75CZUHb5kJT6hlPsNyku/8+QmJBm+ZFVqoZTqn
Source: serv.exe, 00000004.00000002.1077556490.00000000033A7000.00000004.00000001.sdmp | Binary or memory string: w2vYZxo9LhZ+KGwqemULmJVvyRHWNr6CD8RKTNGaod6UwB2XylinBThf26flxwa/sXl96AfjuKiP
Source: explorer.exe, 00000008.00000000.720462942.0000000006C40000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: serv.exe, 00000004.00000002.1077556490.00000000033A7000.00000004.00000001.sdmp | Binary or memory string: YBMfwGiWKh96broCYggICqZ8A8VBo9s7XSS3uQzTzim4DqemUqe5vQC17i5g7u0OXpvVK9NEH74d
Source: serv.exe, 00000009.00000003.811418925.0000000003221000.00000004.00000001.sdmp | Binary or memory string: KGwqemULmJVvyRHWNr6CD8RKTNGaod6UwB2XylinBThf26flxwa/sXl96AfjuKiPM6EGbK5j81Pg
Source: explorer.exe, 00000008.00000000.720462942.0000000006C40000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000008.00000000.720462942.0000000006C40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000008.00000000.720462942.0000000006C40000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | API call chain: ExitProcess graph end node | graph_0-17325
Source: C:\Windows\serv.exe | API call chain: ExitProcess graph end node | graph_4-22396
Source: C:\Windows\serv.exe | API call chain: ExitProcess graph end node | graph_4-18972
Queries a list of all running processes
Source: C:\Windows\serv.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\$$.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\serv.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040CF00 rdtsc | 0_2_0040CF00
Contains functionality to dynamically determine API calls
Source: C:\Windows\serv.exe | Code function: 4_2_0041D3A0 LoadLibraryA,GetProcAddress, | 4_2_0041D3A0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_00419500 GetProcessHeap,GetModuleHandleA, | 0_2_00419500
Enables debug privileges
Source: C:\Windows\serv.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_00422C4A SetUnhandledExceptionFilter, | 0_2_00422C4A
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_00422C5E SetUnhandledExceptionFilter, | 0_2_00422C5E
Source: C:\Windows\serv.exe | Code function: 4_2_00422C4A SetUnhandledExceptionFilter, | 4_2_00422C4A
Source: C:\Windows\serv.exe | Code function: 4_2_00422C5E SetUnhandledExceptionFilter, | 4_2_00422C5E

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\serv.exe | Memory allocated: C:\Windows\explorer.exe base: 2400000 protect: page read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\serv.exe base: 1B0000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\serv.exe | Memory written: PID: 2956 base: 2400000 value: 65
Injects files into Windows application
Source: C:\Windows\SysWOW64\notepad.exe | Injected file: C:\Users\user\Desktop\F734.tmp was created by C:\Users\user\Desktop\44Update-KB385-x86.exe
Source: C:\Windows\SysWOW64\notepad.exe | Injected file: C:\Windows\serv.dll was created by C:\Windows\serv.exe
Writes to foreign memory regions
Source: C:\Windows\serv.exe | Memory written: C:\Windows\explorer.exe base: 2400000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\serv.exe base: 1B0000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\serv.exe base: 3692D8
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\serv.exe base: 36A1E8
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_00420230 AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid, | 0_2_00420230
May try to detect the Windows Explorer process (often used for injection)
Source: serv.exe, 00000004.00000002.1070841781.0000000000DE0000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.1086965248.0000000003A90000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.701741416.0000000000EF0000.00000002.00000001.sdmp, serv.exe, 00000009.00000002.1123357292.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: serv.exe, 00000004.00000002.1070841781.0000000000DE0000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.1086965248.0000000003A90000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.701741416.0000000000EF0000.00000002.00000001.sdmp, serv.exe, 00000009.00000002.1123357292.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.715730786.00000000057B2000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd@
Source: serv.exe, 00000004.00000002.1070841781.0000000000DE0000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.1086965248.0000000003A90000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.701741416.0000000000EF0000.00000002.00000001.sdmp, serv.exe, 00000009.00000002.1123357292.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Program Manager6
Source: serv.exe, 00000004.00000002.1070841781.0000000000DE0000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.1086965248.0000000003A90000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.701741416.0000000000EF0000.00000002.00000001.sdmp, serv.exe, 00000009.00000002.1123357292.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.700710071.0000000000888000.00000004.00000020.sdmp | Binary or memory string: ProgmanRg

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: GetLocaleInfoA, | 0_2_00428562
Source: C:\Windows\serv.exe | Code function: GetLocaleInfoA, | 4_2_00428562
Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\serv.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\notepad.exe | Queries volume information: C:\Users\user\Desktop\F734.tmp VolumeInformation
Source: C:\Windows\serv.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_004288AE GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,RtlQueryPerformanceCounter, | 0_2_004288AE
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0040B380 lstrlen,GetLocalTime,GetTimeZoneInformation, | 0_2_0040B380
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\44Update-KB385-x86.exe | Code function: 0_2_0042192F EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA, | 0_2_0042192F

Behavior Graph

Behavior Graph ID: 167260 | Sample: 44Update-KB385-x86.exe | Start date: 25/08/2019 | Architecture: WINDOWS | Score: 80

Process tree recovered from the graph (node numbers in parentheses):

  • Start (2): DNS/IP: www2.ertinmdesachlion.com; signatures: Antivirus or Machine Learning detection for dropped file; Antivirus or Machine Learning detection for sample
    • 44Update-KB385-x86.exe (9), started: dropped C:\Windows\serv.exe (PE32) and C:\Users\user\Desktop\F734.tmp (data); signature: Tries to detect virtualization through RDTSC time measurements
      • serv.exe (13), started: DNS/IP: hotmail-com.olc.protection.outlook.com 104.47.9.33, 25, 49732, 49740 unknown United States; mta7.am0.yahoodns.net 67.195.204.72, 25, 49723 unknown United States; 8 other IPs or domains; dropped C:\Windows\SysWOW64\wmpucabi.dll (PE32); signatures: Antivirus or Machine Learning detection for dropped file; Creates an undocumented autostart registry key; Injects code into the Windows Explorer (explorer.exe); 2 other signatures
        • explorer.exe (20), injected: signatures: Drops executables to the windows directory (C:\Windows) and starts them; Writes to foreign memory regions; Allocates memory in foreign processes
          • serv.exe (23), started: DNS/IP: 67.195.228.94, 25, 49733 unknown United States; 98.136.96.76, 25, 49731 unknown United States; 11 other IPs or domains
      • notepad.exe (18), started: signature: Injects files into Windows application

Simulations

Behavior and APIs

Time | Type | Description
18:38:28 | API Interceptor | 677x Sleep call for process: 44Update-KB385-x86.exe modified
18:38:44 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run serv C:\Windows\serv.exe s
18:38:55 | API Interceptor | 166x Sleep call for process: serv.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
44Update-KB385-x86.exe | 100% | Avira | WORM/Stration.C
44Update-KB385-x86.exe | 100% | Joe Sandbox ML

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\SysWOW64\wmpucabi.dll | 100% | Avira | TR/Crypt.XPACK.Gen
C:\Windows\serv.exe | 100% | Avira | WORM/Stration.C
C:\Windows\SysWOW64\wmpucabi.dll | 100% | Joe Sandbox ML
C:\Windows\serv.exe | 100% | Joe Sandbox ML

Unpacked PE Files

Source | Detection | Scanner | Label
9.2.serv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
4.0.serv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
4.2.serv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
6.2.notepad.exe.10000000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.1.44Update-KB385-x86.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.44Update-KB385-x86.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
4.2.serv.exe.10000000.2.unpack | 100% | Avira | WORM/Stration.Gen
0.0.44Update-KB385-x86.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
4.1.serv.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.0.serv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
9.1.serv.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.serv.exe.10000000.2.unpack | 100% | Avira | WORM/Stration.Gen
4.2.serv.exe.5b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.serv.exe.5a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.notepad.exe.4f60000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner
mta6.am0.yahoodns.net | 0% | virustotal
mta7.am0.yahoodns.net | 0% | virustotal
mta5.am0.yahoodns.net | 0% | virustotal
www4.ertinmdesachlion.com | 0% | virustotal
www3.ertinmdesachlion.com | 0% | virustotal
www6.ertinmdesachlion.com | 0% | virustotal
www2.ertinmdesachlion.com | 0% | virustotal

URLs

Source | Detection | Scanner | Label
http://www.typography.netD | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | Google Safe Browsing | safe
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | Google Safe Browsing | safe
http://fontfabrik.com | 0% | virustotal
http://fontfabrik.com | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | Google Safe Browsing | safe
http://www.founder.com.cn/cn | 0% | virustotal
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | Google Safe Browsing | safe
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | Google Safe Browsing | safe
http://www.jiyu-kobo.co.jp/ | 0% | virustotal
http://www.jiyu-kobo.co.jp/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | Google Safe Browsing | safe
http://www.tiro.com | 0% | virustotal
http://www.tiro.com | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | Google Safe Browsing | safe
http://www.sandoll.co.kr | 0% | virustotal
http://www.sandoll.co.kr | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | Google Safe Browsing | safe
http://www.goodfont.co.kr | 0% | virustotal
http://www.goodfont.co.kr | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | Google Safe Browsing | safe
http://www.zhongyicts.com.cn | 1% | virustotal
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | Google Safe Browsing | safe
http://www.sakkal.com | 0% | virustotal
http://www.sakkal.com | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | Google Safe Browsing | safe
http://www.carterandcone.coml | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | Google Safe Browsing | safe
http://www.sajatypeworks.com | 0% | virustotal
http://www.sajatypeworks.com | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | Google Safe Browsing | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
67.195.228.94 | associated samples, all detected as malicious:
  • 13Update-KB8406-x86.exe
  • 9message.log.exe
  • 11Update-KB968-x86.exe
  • 1doc.dat.exe
  • 1readme.txt.exe
  • 36document.dat.exe
  • 45Update-KB8508-x86.exe
  • 1Update-KB3766-x86.exe
  • 40message.dat.exe
  • 50Update-KB7950-x86.exe
  • 27data.log.exe
  • 33message.dat.exe
  • 11Update-KB9718-x86.exe
  • 35Update-KB8016-x86.exe
  • 64file.dat.exe
  • 47readme.dat.exe
  • 47Update-KB1093-x86.exe
  • 34readme.elm.exe
  • 25docs.dat.exe
  • 21body.log.exe

Domains

Match | Associated Sample Name / URL | Detection | Context
mta6.am0.yahoodns.net | associated samples, all detected as malicious, with the context IP seen in each analysis:
  • 21doc.el.exe (98.137.159.26)
  • 29Update-KB1750-x86.exe (67.195.229.58)
  • 51Update-KB8281-x86.exe (98.136.102.55)
  • 78doc.msg.exe (74.6.137.64)
  • 23Update-KB3830-x86.exe (98.136.102.54)
  • 35Update-KB5111-x86.exe (67.195.229.59)
  • 23Update-KB3956-x86.exe (98.136.101.117)
  • 20Update-KB7452-x86.exe (67.195.229.58)
  • 19docs.tx.exe (98.136.102.54)
  • 55.x.exe (98.137.159.28)
  • 3Update-KB2248-x86.exe (98.137.159.24)
  • 30Update-KB5046-x86.exe (98.136.102.54)
  • 56file.txt.exe (98.136.102.54)
  • 63test.log.exe (74.6.137.64)
  • 5body.ms.exe (67.195.228.141)
  • 4test.log.exe (98.136.101.117)
  • 1Update-KB8062-x86.exe (98.137.159.26)
  • 70creditcar.exe (98.137.159.24)
  • 17Update-KB2684-x86.exe (67.195.228.141)
  • 7Update-KB8734-x86.exe (74.6.137.64)

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | associated samples, all detected as malicious, with the context IP seen in each analysis:
  • request.doc (192.168.0.44)
  • FERK444259.doc (192.168.0.44)
  • b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js (192.168.0.40)
  • Setup.exe (192.168.0.40)
  • base64.pdf (192.168.0.40)
  • file.pdf (192.168.0.40)
  • Spread sheet 2.pdf (192.168.0.40)
  • request_08.30.doc (192.168.0.44)
  • P_2038402.xlsx (192.168.0.44)
  • 48b1cf747a678641566cd1778777ca72.apk (192.168.0.22)
  • seu nome na lista de favorecidos.exe (192.168.0.40)
  • Adm_Boleto.via2.com (192.168.0.40)
  • QuitacaoVotorantim345309.exe (192.168.0.40)
  • pptxb.pdf (192.168.0.40)

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.