Analysis Report agreement.scr

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 200688
Start date: 13.01.2020
Start time: 21:12:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 14s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: agreement.scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.rans.evad.winEXE@21/318@1/100
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 3.7% (good quality ratio 3.7%)
  • Quality average: 71.5%
  • Quality standard deviation: 20.4%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, conhost.exe, VSSVC.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 13.74.179.117, 13.83.149.5, 20.45.4.77, 20.185.109.208, 204.79.197.200, 13.107.21.200, 93.184.220.29, 104.74.95.154, 104.103.107.203
  • Excluded domains from analysis (whitelisted): fe2.update.microsoft.com.nsatc.net, www.bing.com, cs9.wac.phicdn.net, dual-a-0001.a-msedge.net, sls.update.microsoft.com.akadns.net, tile-service.weather.microsoft.com, e15275.g.akamaiedge.net, cdn.onenote.net.edgekey.net, sls.emea.update.microsoft.com.akadns.net, fe2.update.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, sls.update.microsoft.com, e1553.dspg.akamaiedge.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteFile calls found.

Detection

Strategy     Score    Range      Reporting Whitelisted    Detection
Threshold    68       0 - 100    false                    malicious

Confidence

Strategy     Score    Range    Further Analysis Required?
Threshold    5        0 - 5    false


Classification

Analysis Advice

  • Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
  • Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
  • Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

The matrix is listed per tactic column, top to bottom as the report shows it; a trailing number is the count the matrix displayed in that technique's cell, kept as extracted.

Initial Access: Replication Through Removable Media 1; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Execution through API 3; Command-Line Interface 2; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Registry Run Keys / Startup Folder 1; Application Shimming 1; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Process Injection 112; Application Shimming 1; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Disabling Security Tools 1; Software Packing 1; Deobfuscate/Decode Files or Information 1; File Deletion 1; Obfuscated Files or Information 21; Masquerading 1; Process Injection 112; Connection Proxy 1
Credential Access: Input Capture 31; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: System Time Discovery 2; Peripheral Device Discovery 11; Security Software Discovery 31; File and Directory Discovery 2; System Information Discovery 26; Process Discovery 3; Application Window Discovery 1; System Network Configuration Discovery 1
Lateral Movement: Replication Through Removable Media 1; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Input Capture 31; Clipboard Data 1; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted 11; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Commonly Used Port 1; Standard Cryptographic Protocol 22; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 2; Connection Proxy 1; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Data Encrypted for Impact 11; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
  • Source: agreement.exe | Virustotal: Detection: 18%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040A750 CryptEncrypt
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040B5C0 CryptAcquireContextW,GetLastError,CryptAcquireContextW
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040B640 CryptAcquireContextW,GetLastError,CryptAcquireContextW
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040B6B0 std::ios_base::good,CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040B8D0 CryptGenKey
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00409D90 std::ios_base::good,std::ios_base::good,CryptDuplicateKey,GetFileAttributesW,SetFileAttributesW,CreateFileW,CloseHandle,MoveFileExW,CloseHandle,CryptDestroyKey
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040A6F0 CryptEncrypt
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040B4B0 CryptDestroyKey,CryptReleaseContext,CryptReleaseContext
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040B910 CryptDestroyKey
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040B930 CryptExportKey
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040B980 CryptExportKey

Spreading:

Checks for available system drives (often done to infect USB drives)
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: z:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: x:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: v:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: t:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: r:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: p:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: n:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: l:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: j:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: h:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: f:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: b:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: y:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: w:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: u:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: s:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: q:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: o:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: m:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: k:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: i:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: g:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: e:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: c:
  • Source: C:\Users\user\Desktop\agreement.exe | File opened: a:
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_004559CC __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0042370F FindFirstFileExW,FindClose
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00464C70 FindFirstFileExW

Networking:

Found Tor onion address
  • Source: agreement.exe, 00000000.00000002.1784688924.0000000003380000.00000004.00000001.sdmp | String found in binary or memory: b) Open our website in TOR: http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/{UID}
  • Source: agreement.exe, 00000003.00000002.2169560785.0000000000A00000.00000004.00000020.sdmp | String found in binary or memory: b) Open our website in TOR: http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/RPJ9XO47BF3GP5IF
  • Source: agreement.exe, 00000003.00000002.2168711578.0000000000472000.00000002.00020000.sdmp | String found in binary or memory: b) Open our website in TOR: http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/{UID}
  • Source: ako-readme.txt19.3.dr | String found in binary or memory: b) Open our website in TOR: http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/RPJ9XO47BF3GP5IF
Connects to IPs without corresponding DNS lookups
  • Source: unknown | TCP traffic detected without corresponding DNS query: 13.68.93.109
  • Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.221.240
  • Source: unknown | TCP traffic detected without corresponding DNS query: 2.22.119.19
  • Source: unknown | TCP traffic detected without corresponding DNS query: 67.27.159.126
  • Source: unknown | TCP traffic detected without corresponding DNS query: 40.90.22.187
  • Source: unknown | TCP traffic detected without corresponding DNS query: 23.39.94.151
  • Source: unknown | TCP traffic detected without corresponding DNS query: 51.105.249.223
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: cdn.onenote.net
URLs found in memory or binary data
  • Source: agreement.exe, 00000000.00000002.1784688924.0000000003380000.00000004.00000001.sdmp, agreement.exe, 00000003.00000002.2168711578.0000000000472000.00000002.00020000.sdmp | String found in binary or memory: http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/
  • Source: agreement.exe, 00000003.00000002.2169560785.0000000000A00000.00000004.00000020.sdmp, ako-readme.txt19.3.dr | String found in binary or memory: http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/RPJ9XO47BF3GP5IF
  • Source: agreement.exe, 00000003.00000003.2137937615.0000000003130000.00000004.00000001.sdmp | String found in binary or memory: http://www.reddit.com/
  • Source: agreement.exe, 00000000.00000002.1784688924.0000000003380000.00000004.00000001.sdmp, agreement.exe, 00000003.00000002.2169560785.0000000000A00000.00000004.00000020.sdmp, ako-readme.txt19.3.dr | String found in binary or memory: https://www.torproject.org/download/
Uses HTTPS
  • Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
  • Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
  • Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
  • Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
  • Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
  • Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
  • Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
  • Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
  • Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_0046161E __EH_prolog3_catch,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard
Contains functionality to retrieve information about pressed keystrokes
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00464430 __EH_prolog3,CreatePopupMenu,AppendMenuA,AppendMenuA,AppendMenuA,SetMenuDefaultItem,AppendMenuA,GetKeyState,GetAsyncKeyState,IsRectEmpty,IsRectEmpty,SendMessageA,SendMessageA,GetClientRect,InvalidateRect,InvalidateRect,InvalidateRect,UpdateWindow
Creates a DirectInput object (often for capturing keystrokes)
  • Source: agreement.exe, 00000000.00000002.1782916254.000000000092A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_004567E3 GetKeyState,GetKeyState,GetKeyState,GetKeyState
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_0049C843 GetWindowRect,KillTimer,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00424BDF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_0042DC72 IsWindow,SendMessageA,GetCapture,SendMessageA,GetKeyState,GetKeyState,GetKeyState,74D12FB0,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_0042BF7F IsWindow,SendMessageA,GetCapture,GetKeyState,GetKeyState,GetKeyState,74D12FB0,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)
  • Source: unknown | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
  • Source: agreement.exe, 00000000.00000002.1784688924.0000000003380000.00000004.00000001.sdmp | Binary or memory string: {PATTERN_ID}{EXT}{UID}.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/:\aidMicrosoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0SOFTWARE\acfgaidSOFTWARE\acfgtrue.{5FD4B114-4455-41ED-8056-068A627F0191}.$\\\\APPDATA\AKO!Software\Microsoft\Windows\CurrentVersion\Run\vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled Nobcdedit.exe /set {default} bootstatuspolicy ignoreallfailureswbadmin DELETE SYSTEMSTATEBACKUPwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldestwmic.exe SHADOWCOPY /nointeractiveSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLinkedConnectionsSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLinkedConnections\bad conversioninvalid string positionvector<T> too longstring too long
  • Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
  • Source: agreement.exe | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
  • Source: agreement.exe, 00000003.00000002.2168711578.0000000000472000.00000002.00020000.sdmp | Binary or memory string: {PATTERN_ID}{EXT}{UID}.ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/:\aidMicrosoft Enhanced Cryptographic Provider v1.0Microsoft Enhanced Cryptographic Provider v1.0SOFTWARE\acfgaidSOFTWARE\acfgtrue.{5FD4B114-4455-41ED-8056-068A627F0191}.$\\\\APPDATA\AKO!Software\Microsoft\Windows\CurrentVersion\Run\vssadmin.exe Delete Shadows /All /Quietbcdedit.exe /set {default} recoveryenabled Nobcdedit.exe /set {default} bootstatuspolicy ignoreallfailureswbadmin DELETE SYSTEMSTATEBACKUPwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldestwmic.exe SHADOWCOPY /nointeractiveSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLinkedConnectionsSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLinkedConnections\bad conversioninvalid string positionvector<T> too longstring too long
  • Source: vssadmin.exe, 00000004.00000002.1790230723.0000000003580000.00000004.00000040.sdmp | Binary or memory string: vssadmin.exeDeleteShadows/All/Quietn
  • Source: vssadmin.exe, 00000004.00000002.1789679602.0000000001280000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
  • Source: vssadmin.exe, 00000004.00000002.1789679602.0000000001280000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
  • Source: vssadmin.exe, 00000004.00000002.1789679602.0000000001280000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
  • Source: vssadmin.exe, 00000004.00000002.1789679602.0000000001280000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
  • Source: vssadmin.exe, 00000004.00000002.1789679602.0000000001280000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
  • Source: vssadmin.exe, 00000004.00000002.1789622760.0000000000F8C000.00000004.00000010.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00004164- TID: 00004668- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: user-PC\user, SID:S-1-5-21-58933367-3072710494-194312298-1002
  • Source: vssadmin.exe, 00000004.00000002.1790134905.0000000003390000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinSta0\Default81
  • Source: vssadmin.exe, 00000009.00000002.1813211673.0000000000BD0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
  • Source: vssadmin.exe, 00000009.00000002.1813211673.0000000000BD0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
  • Source: vssadmin.exe, 00000009.00000002.1813211673.0000000000BD0000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
  • Source: vssadmin.exe, 00000009.00000002.1813211673.0000000000BD0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
  • Source: vssadmin.exe, 00000009.00000002.1813211673.0000000000BD0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
  • Source: vssadmin.exe, 00000009.00000002.1813471218.0000000000FB0000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinSta0\Default
  • Source: vssadmin.exe, 00000009.00000002.1813183486.0000000000B9C000.00000004.00000010.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00004188- TID: 00004924- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: user-PC\user, SID:S-1-5-21-58933367-3072710494-194312298-1002
  • Source: vssadmin.exe, 00000009.00000002.1813261900.0000000000BF0000.00000004.00000040.sdmp | Binary or memory string: vssadmin.exeDeleteShadows/All/Quiet
  • Source: vssadmin.exe, 0000000D.00000002.1820623485.00000000007F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
  • Source: vssadmin.exe, 0000000D.00000002.1820623485.00000000007F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
  • Source: vssadmin.exe, 0000000D.00000002.1820623485.00000000007F0000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
  • Source: vssadmin.exe, 0000000D.00000002.1820623485.00000000007F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
  • Source: vssadmin.exe, 0000000D.00000002.1820623485.00000000007F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
  • Source: vssadmin.exe, 0000000D.00000002.1820746286.0000000000B80000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinSta0\Default*
  • Source: vssadmin.exe, 0000000D.00000002.1820418624.00000000006EC000.00000004.00000010.sdmp | Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00000976- TID: 00003928- CMD: vssadmin.exe Delete Shadows /All /Quiet - User: Name: user-PC\user, SID:S-1-5-21-58933367-3072710494-194312298-1002
  • Source: vssadmin.exe, 0000000D.00000002.1820905855.0000000000EC0000.00000004.00000040.sdmp | Binary or memory string: vssadmin.exeDeleteShadows/All/Quiet
Modifies existing user documents (likely ransomware behavior)
  • Source: C:\Users\user\Desktop\agreement.exe | File moved: C:\Users\user\Desktop\AQRFEVRTGL\QFAPOWPAFG.xlsx
  • Source: C:\Users\user\Desktop\agreement.exe | File deleted: C:\Users\user\Desktop\AQRFEVRTGL\QFAPOWPAFG.xlsx
  • Source: C:\Users\user\Desktop\agreement.exe | File moved: C:\Users\user\Desktop\HMPPSXQPQV.xlsx
  • Source: C:\Users\user\Desktop\agreement.exe | File moved: C:\Users\user\Desktop\LIJDSFKJZG.docx
  • Source: C:\Users\user\Desktop\agreement.exe | File moved: C:\Users\user\Desktop\AQRFEVRTGL\AQRFEVRTGL.docx
Writes many files with high entropy
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\Adobe\ARM\S\18392\AdobeARM.msi entropy: 7.9997905197
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\Adobe\ARM\S\20227\AdobeARM.msi entropy: 7.9997905197
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\Adobe\ARM\S\ARM.msi entropy: 7.9997905197
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1801120055.msp entropy: 7.99999057453
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi entropy: 7.99993721245
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab entropy: 7.9999873338
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\USOShared\Logs\NotificationUxBroker.001.etl entropy: 7.99298154876
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\USOShared\Logs\NotifyIcon.014.etl entropy: 7.99639433855
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.001.etl entropy: 7.99200129989
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.006.etl entropy: 7.99424505117
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.008.etl entropy: 7.99457638714
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.009.etl entropy: 7.99262914604
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.014.etl entropy: 7.9975705687
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Users\Default\NTUSER.DAT entropy: 7.99939959479
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Users\Default\NTUSER.DAT.LOG1 entropy: 7.99665058133
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf entropy: 7.99731318452
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms entropy: 7.99966610133
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms entropy: 7.99964646694
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst entropy: 7.99823014264
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat entropy: 7.99929952543
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin entropy: 7.99548760969
  • Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Users\user\AppData\Local\Adobe\Color\Profiles\wscRGB.icc entropy: 7.99795380568
Contains functionality to import cryptographic keys (often used in ransomware)
  • Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0040B6B0 std::ios_base::good,CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree

System Summary:

barindex
Contains functionality to call native functionsShow sources
Source: C:\Users\user\Desktop\agreement.exeCode function: 0_2_00408FC0 GetModuleHandleA,GetDlgItemTextA,MessageBoxA,MessageBoxA,FtpDeleteFileA,MessageBoxA,_memset,_memset,WindowFromPoint,GetWindowThreadProcessId,SetActiveWindow,6EB68FC0,SetBkMode,SetTextColor,DrawIconEx,htonl,getsockopt,getsockname,EndDeferWindowPos,6EB68FC0,SendMessageA,FreeEnvironmentStringsA,LoadLibraryA,SHBrowseForFolder,73F76FC0,UuidCreate,UuidToStringA,RpcStringFreeA,GetDesktopWindow,7361AC50,GetClientRect,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SelectObject,GlobalAlloc,LoadLibraryA,GlobalAlloc,SelectObject,DeleteObject,DeleteDC,GetProcAddress,VirtualAlloc,7361AC50,_memset,GetDIBits,_malloc,GetDIBits,_wcsrchr,_wcsrchr,BeginPaint,SetMapMode,SetWindowExtEx,SetViewportExtEx,SetViewportOrgEx,LineTo,LineTo,MoveToEx,CreatePen,SelectObject,LineTo,CreatePen,SelectObject,TextOutA,LineTo,LineTo,__itow,TextOutA,TextOutA,ValidateRect,EndPaint,DeleteObject,NtdllDefWindowProc_A,SafeArrayCreate,SafeArrayGetLBound,SafeArrayGetUBound,VariantInit,VariantClear,SafeA0_2_00408FC0
Source: C:\Users\user\Desktop\agreement.exeCode function: 0_2_00422556 NtdllDefWindowProc_A,CallWindowProcA,0_2_00422556
Source: C:\Users\user\Desktop\agreement.exeCode function: 0_2_00424F6C NtdllDefWindowProc_A,0_2_00424F6C
Source: C:\Users\user\Desktop\agreement.exeCode function: 0_2_004273B5 __snwprintf_s,__snwprintf_s,NtdllDefWindowProc_A,0_2_004273B5
Source: C:\Users\user\Desktop\agreement.exeCode function: 0_2_00427629 _memset,NtdllDefWindowProc_A,0_2_00427629
Source: C:\Users\user\Desktop\agreement.exeCode function: 0_2_0040DC56 __EH_prolog3,LoadCursorA,GetClassInfoA,NtdllDefWindowProc_A,0_2_0040DC56
Source: C:\Users\user\Desktop\agreement.exeCode function: 0_2_02491E9E NtQueryInformationProcess,0_2_02491E9E
Detected potential crypto functionShow sources
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\agreement.exe | Code function: String function: 00401340 appears 246 times
Source: C:\Users\user\Desktop\agreement.exe | Code function: String function: 004385F0 appears 61 times
Source: C:\Users\user\Desktop\agreement.exe | Code function: String function: 004C8316 appears 41 times
Source: C:\Users\user\Desktop\agreement.exe | Code function: String function: 00438B07 appears 185 times
Source: C:\Users\user\Desktop\agreement.exe | Code function: String function: 004FE674 appears 481 times
Source: C:\Users\user\Desktop\agreement.exe | Code function: String function: 00438B3B appears 81 times
Source: C:\Users\user\Desktop\agreement.exe | Code function: String function: 005009F8 appears 49 times
Source: C:\Users\user\Desktop\agreement.exe | Code function: String function: 00439250 appears 42 times
Source: C:\Users\user\Desktop\agreement.exe | Code function: String function: 00401710 appears 41 times
Source: C:\Users\user\Desktop\agreement.exe | Code function: String function: 00401AD0 appears 53 times
PE file contains strange resources
Source: agreement.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name is different from the original file name gathered from version info
Source: agreement.exe, 00000000.00000002.1783433498.0000000002640000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs agreement.exe
Source: agreement.exe, 00000000.00000002.1782585503.0000000000660000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameMutableReceipt2 vs agreement.exe
Source: agreement.exe, 00000003.00000002.2169208129.0000000000660000.00000008.00020000.sdmp | Binary or memory string: OriginalFilenameMutableReceipt2 vs agreement.exe
Source: agreement.exe, 00000003.00000002.2171154259.0000000002A30000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs agreement.exe
Source: agreement.exe, 00000003.00000002.2171154259.0000000002A30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs agreement.exe
Source: agreement.exe, 00000003.00000002.2170840342.00000000029E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs agreement.exe
Source: agreement.exe | Binary or memory string: OriginalFilenameMutableReceipt2 vs agreement.exe
Classification label
Source: classification engine | Classification label: mal68.rans.evad.winEXE@21/318@1/100
Contains functionality for error logging
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00408320 GetModuleHandleA,BeginDeferWindowPos,GetCursorPos,CreateEventA,GetCursorPos,InvalidateRect,WaitForSingleObject,73F91DE0,_memset,GetMenu,_memset,GetMenuItemInfoA,__floor_pentium4,CreateEventA,GetCursorPos,GetWindowRect,GetCursorPos,SetWindowTextA,GetEnvironmentStrings,InvalidateRect,CheckMenuRadioItem,GetMenu,CheckMenuRadioItem,InvalidateRect,WaitForSingleObject,73EF2810,SetPropA,SetForegroundWindow,GetWindowTextLengthA,GetDlgItem,EnableWindow,_memset,GetLastError,FormatMessageA,MessageBoxA,ExitProcess,GetPropA,EndDialog,EndDialog,EndDialog,RemovePropA
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00412F30 std::ios_base::good,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_004361EF FindResourceA,LoadResource,LockResource,FreeResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Users\user\Desktop\
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_01
Source: C:\Users\user\Desktop\agreement.exe | Mutant created: \Sessions\1\BaseNamedObjects\{5FD4B114-4455-41ED-8056-068A627F0191}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3212:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1568:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2544:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:224:120:WilError_01
Might use command line arguments
Source: C:\Users\user\Desktop\agreement.exe | Command line argument: x<I (3_2_00411350; reported 4 times)
Reads ini files
Source: C:\Users\user\Desktop\agreement.exe | File read: C:\$Recycle.Bin\S-1-5-21-58933367-3072710494-194312298-1002\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\agreement.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: agreement.exe | Virustotal: Detection: 18%
Sample reads its own file content
Source: C:\Users\user\Desktop\agreement.exe | File read: C:\Users\user\Desktop\agreement.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\agreement.exe 'C:\Users\user\Desktop\agreement.exe'
Source: unknown | Process created: C:\Users\user\Desktop\agreement.exe C:\Users\user\Desktop\agreement.exe
Source: unknown | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Users\user\Desktop\agreement.exe C:\Users\user\Desktop\agreement.exe
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic.exe SHADOWCOPY /nointeractive
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\agreement.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32
Submission file is bigger than most known malware samples
Source: agreement.exe | Static file information: File size 1603584 > 1048576
PE file has a big raw section
Source: agreement.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x17ce00

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_0065FAD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_004FE74C push ecx; ret 0_2_004FE75F
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00500A3D push ecx; ret 0_2_00500A50
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00438AD0 push ecx; ret 3_2_00438AE3
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00439296 push ecx; ret 3_2_004392A9
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Creates license or readme file
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Adobe\ARM\S\18392\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Adobe\ARM\S\20227\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Adobe\ARM\S\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Desktop\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\regid.1991-06.com.microsoft\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessibility\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\AutoItX\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Java\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\USOPrivate\UpdateStore\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\USOShared\Logs\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\SendTo\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessories\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\System Tools\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Cookies\DNTException\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Cookies\ESE\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Cookies\Low\ESE\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Desktop\AQRFEVRTGL\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Desktop\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Desktop\HMPPSXQPQV\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Desktop\LIJDSFKJZG\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Documents\AQRFEVRTGL\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Documents\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Documents\HMPPSXQPQV\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Documents\LIJDSFKJZG\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Favorites\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Links\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Local Settings\Adobe\Acrobat\DC\Cache\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Local Settings\Adobe\Color\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\user\Local Settings\Adobe\Color\Profiles\ako-readme.txt

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessibility\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessibility\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\AutoItX\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\AutoIt v3\Extras\AutoItX\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Java\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\Java\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\All Users\Start Menu\Programs\System Tools\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessories\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessories\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\do_not_remove_ako.0Vd5Jt_id.key
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\System Tools\ako-readme.txt
Source: C:\Users\user\Desktop\agreement.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\System Tools\do_not_remove_ako.0Vd5Jt_id.key

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_004021F0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00452586 IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,GetWindowRect,GetParent,IsRectEmpty,EndDeferWindowPos
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_004588D6 IsIconic,PostMessageA
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00456DC2 IsWindow,GetFocus,SendMessageA,SendMessageA,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00457AE8 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic (reported 4 times)
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00421C3D MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00457DBC IsWindowVisible,ScreenToClient,IsIconic,PtInRect,PtInRect,PtInRect
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_0048FE9F IsWindowVisible,IsIconic
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00433FCC SetRectEmpty,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageA,UpdateWindow,SendMessageA,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00436DA0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\agreement.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_024927EE rdtsc
Contains functionality to query network adapter information
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00411E20 std::_Container_base12::~_Container_base12,GetAdaptersInfo,std::_Container_base12::~_Container_base12,GetAdaptersInfo,std::_Container_base12::~_Container_base12
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\agreement.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\agreement.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-67291)
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\agreement.exe | API coverage: 6.9 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (6 occurrences)
Checks the free space of harddrives
Source: C:\Users\user\Desktop\agreement.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_004559CC __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0042370F FindFirstFileExW,FindClose
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00464C70 FindFirstFileExW
Contains functionality to query system information
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00501A65 VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: agreement.exe, 00000000.00000002.1783433498.0000000002640000.00000002.00000001.sdmp, vssadmin.exe, 00000004.00000002.1790304754.0000000004E70000.00000002.00000001.sdmp, WMIC.exe, 00000007.00000002.1794362523.0000000003550000.00000002.00000001.sdmp, vssadmin.exe, 00000009.00000002.1814152154.0000000004AE0000.00000002.00000001.sdmp, WMIC.exe, 0000000B.00000002.1818252122.0000000000C30000.00000002.00000001.sdmp, vssadmin.exe, 0000000D.00000002.1821216472.00000000046D0000.00000002.00000001.sdmp, WMIC.exe, 00000011.00000002.1824339519.00000000033A0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: agreement.exe | Binary or memory string: vmickvpexchange,vmicguestinterface,vmicshutdown,vmicheartbeat,MSSQLFDLauncher,MSSQLSERVER,SQLBrowser,SQLSERVERAGENT,SQLWriter,MSSQL,WRSVC,ekrn
Source: agreement.exe, 00000003.00000002.2168711578.0000000000472000.00000002.00020000.sdmp | Binary or memory string: ?Unknown exceptionbad locale name*CBgIAAACkAABSU0ExAAgAAAEAAQAvE2YhTYHbu42T2t49CALWm2tvBOV3vIqy4S0IBHCNrhiti/AJp1mKYCopejwhc3E4k8gCYWjLBlX3/9xuxMcJ3dTt1d+bXxsIZnkqDtxrKO8JZrNAqgX27UUF1HPGTNea6KaTrv5vxFadN081Rz3e8bvAugy4UYDb9sILVof4i8yA1L6O4ligWia2fFsBlds+nVDoOpJq+WJMmtVRAh2Mngntk6EhieCLVvxQtpFMgAzVBQCPJGYXSVTNW4x4u1gjyZ66kweRCpPSV16n5Gh5cHk+6FZ/TZyg+g1hm/XJckvFX9okG4DcmB9rk0pvbPMK9M4o8ZsicNhUA3hb+imw500_SIZERPJ9XO47BF3GP5IF0GN_SUB_IDfalseETWORKAppData,Program Files,Program Files (x86),AppData,boot,PerfLogs,ProgramData,Google,Intel,Microsoft,Application Data,Tor Browser,Windows.exe,.dll,.sys,.ini,.key,.key.arm,.acr,.arz,.bck,.bak,.cnf,.dbs,.ddl,.frm,.ibd,.ism,.mrg,.mdf,.mds,.frm,.myd,.myi,.mysql,.opt,.phl,.sal,.sqr,.tmd,.ibz,.ibc,.pptx,.pptm,.ppt,.potx,.potm,.qbquery,.rul,.qbw,.qbmb,.qbb,.qbm,.qbo,.des,.qbr,.qwc,.qbx,.qba,.qby,.qbj,.tlg,.xlc,.zip,.rar,.ldf,.avhd,.vhd,.vsv,.vmrs,.vmcx,.vhdx,.isowinword.exe,visio.exe,encsvc.exe,mysqld_opt.exe,ocssd.exe,thebat.exe,ocomm.exe,outlook.exe,onenote.exe,sqlwriter.exe,ms
Source: agreement.exe, 00000003.00000002.2169560785.0000000000A00000.00000004.00000020.sdmp | Binary or memory string: vmicshutdownepOct
Source: agreement.exe, 00000000.00000002.1783433498.0000000002640000.00000002.00000001.sdmp, vssadmin.exe, 00000004.00000002.1790304754.0000000004E70000.00000002.00000001.sdmp, WMIC.exe, 00000007.00000002.1794362523.0000000003550000.00000002.00000001.sdmp, vssadmin.exe, 00000009.00000002.1814152154.0000000004AE0000.00000002.00000001.sdmp, WMIC.exe, 0000000B.00000002.1818252122.0000000000C30000.00000002.00000001.sdmp, vssadmin.exe, 0000000D.00000002.1821216472.00000000046D0000.00000002.00000001.sdmp, WMIC.exe, 00000011.00000002.1824339519.00000000033A0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: agreement.exe, 00000000.00000002.1783433498.0000000002640000.00000002.00000001.sdmp, vssadmin.exe, 00000004.00000002.1790304754.0000000004E70000.00000002.00000001.sdmp, WMIC.exe, 00000007.00000002.1794362523.0000000003550000.00000002.00000001.sdmp, vssadmin.exe, 00000009.00000002.1814152154.0000000004AE0000.00000002.00000001.sdmp, WMIC.exe, 0000000B.00000002.1818252122.0000000000C30000.00000002.00000001.sdmp, vssadmin.exe, 0000000D.00000002.1821216472.00000000046D0000.00000002.00000001.sdmp, WMIC.exe, 00000011.00000002.1824339519.00000000033A0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: agreement.exe, 00000003.00000002.2169560785.0000000000A00000.00000004.00000020.sdmp | Binary or memory string: vmicheartbeat
Source: agreement.exe, 00000000.00000002.1783433498.0000000002640000.00000002.00000001.sdmp, vssadmin.exe, 00000004.00000002.1790304754.0000000004E70000.00000002.00000001.sdmp, WMIC.exe, 00000007.00000002.1794362523.0000000003550000.00000002.00000001.sdmp, vssadmin.exe, 00000009.00000002.1814152154.0000000004AE0000.00000002.00000001.sdmp, WMIC.exe, 0000000B.00000002.1818252122.0000000000C30000.00000002.00000001.sdmp, vssadmin.exe, 0000000D.00000002.1821216472.00000000046D0000.00000002.00000001.sdmp, WMIC.exe, 00000011.00000002.1824339519.00000000033A0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Desktop\agreement.exe | API call chain: ExitProcess graph end node (graph_0-68712)
Source: C:\Users\user\Desktop\agreement.exe | API call chain: ExitProcess graph end node (graph_0-67173)
Source: C:\Users\user\Desktop\agreement.exe | API call chain: ExitProcess graph end node (graph_0-67424)
Queries a list of all running processes
Source: C:\Users\user\Desktop\agreement.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_024927EE rdtsc
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_004FE665 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00501A65 VirtualProtect ?,-00000001,00000104,?
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_0065FAD0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_02490000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_024904C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0045C923 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_004649F7 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00514471 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_004FE665 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_004FD752 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_004391F3 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0043812C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00439061 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00453658 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Note: the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess chains (0_2_004FE665, 0_2_004FD752, 3_2_0043812C, 3_2_00439061, 3_2_00453658) are the Visual C++ runtime's fail-fast path, linked into any MSVC-built binary, so they are weak evidence of deliberate anti-debugging; the CreateFileA/GetProcessHeap chain at 0_2_00514471 is likewise ordinary CRT file I/O. The findings worth disassembling are the rdtsc, cpuid and fs:[30h] PEB reads at 0_2_0249xxxx, which lie well above the sample's own code addresses (0_2_0040xxxx to 0_2_0065xxxx), i.e. in memory the first process allocated at run time, and the EntryPoint chain at 0_2_0065FAD0 (LoadLibraryA, GetProcAddress, three VirtualProtect calls), which has the shape of a packer stub resolving imports and restoring section protections.
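Added example, not part of the Joe Sandbox report or of the sample: a static scanner for the byte patterns behind the rdtsc, cpuid and "reads the PEB" signatures above, plus a heuristic that says which PEB field a read is followed by. The instruction encodings are the standard IA-32 ones; SAMPLE_CODE is a constructed fragment and contains no bytes from agreement.exe.

```python
"""Static scan of 32-bit x86 code for the instruction patterns behind the
"rdtsc", "cpuid" and "reads the PEB" sandbox signatures.

Added example, not part of the Joe Sandbox report or of the sample: the
encodings are the standard IA-32 ones; SAMPLE_CODE is a constructed fragment
and contains no bytes from agreement.exe.
"""
import re
from typing import List, Tuple

# IA-32 encodings the report's signatures correspond to:
#   64 A1 30 00 00 00        mov eax, dword ptr fs:[30h]   (FS override + moffs32)
#   64 8B /r 30 00 00 00     mov r32, dword ptr fs:[30h]   (ModRM mod=00 rm=101, disp32)
#   0F 31                    rdtsc
#   0F A2                    cpuid
# fs:[30h] is TEB->ProcessEnvironmentBlock. The sample is 32-bit (it launched
# SysWOW64 binaries); the gs:[60h] form used by x64 code is not covered here.
PATTERNS = {
    "peb_read": rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00",
    "rdtsc": rb"\x0F\x31",
    "cpuid": rb"\x0F\xA2",
}

def scan(code: bytes, base: int = 0) -> List[Tuple[str, int]]:
    """Return (pattern, virtual_address) for every hit, in address order.
    Two-byte patterns also match inside data and unrelated instruction streams,
    so treat hits as leads to disassemble, not as verdicts."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in re.finditer(pat, code):
            hits.append((name, base + m.start()))
    return sorted(hits, key=lambda h: h[1])

def classify_peb_reads(code: bytes, base: int = 0, window: int = 16) -> List[Tuple[int, str]]:
    """For each PEB read, look ahead `window` bytes for a ModRM memory operand
    with an 8-bit displacement of 0x02 (PEB->BeingDebugged) or 0x68
    (PEB->NtGlobalFlag), the two fields classic anti-debug checks inspect.
    Heuristic: any (mod=01 ModRM without SIB, displacement) byte pair in the
    window is accepted, so unrelated bytes can fool it."""
    out = []
    for m in re.finditer(PATTERNS["peb_read"], code):
        tail = code[m.end(): m.end() + window]
        field = "unknown field"
        for i in range(len(tail) - 1):
            modrm, disp = tail[i], tail[i + 1]
            if (modrm & 0xC0) == 0x40 and (modrm & 0x07) != 0x04:
                if disp == 0x02:
                    field = "BeingDebugged (PEB+0x02)"
                    break
                if disp == 0x68:
                    field = "NtGlobalFlag (PEB+0x68)"
                    break
        out.append((base + m.start(), field))
    return out

# Constructed fragment (not from the sample): an inline IsDebuggerPresent
# equivalent, a timing/CPU probe, then an NtGlobalFlag read.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000"    # mov eax, dword ptr fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]    ; PEB->BeingDebugged
    "85C0"            # test eax, eax
    "7504"            # jne short +4                   ; skip the probes if debugged
    "0F31"            # rdtsc
    "0FA2"            # cpuid
    "648B0D30000000"  # mov ecx, dword ptr fs:[30h]
    "8B4168"          # mov eax, dword ptr [ecx+68h]   ; PEB->NtGlobalFlag
    "C3"              # ret
)

if __name__ == "__main__":
    for name, va in scan(SAMPLE_CODE, 0x401000):
        print(f"{va:08X}  {name}")
    for va, field in classify_peb_reads(SAMPLE_CODE, 0x401000):
        print(f"{va:08X}  PEB read -> {field}")
```

Point it at a dumped code region (for this sample, the run-time allocated 0_2_0249xxxx pages rather than the packed on-disk image) by passing the raw bytes and the region's base address; the second function is the quick way to separate a BeingDebugged check from the many benign PEB reads the CRT performs.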

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\agreement.exe | Memory written: C:\Users\user\Desktop\agreement.exe, base 0x400000, value starts with 4D5A ("MZ": a complete PE image written at the default image base of a second agreement.exe instance, consistent with process hollowing)
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe, command line: vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe, command line: wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe, command line: vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe, command line: wmic.exe SHADOWCOPY /nointeractive
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\vssadmin.exe, command line: vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\agreement.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe, command line: wmic.exe SHADOWCOPY /nointeractive
Note: each of the two commands is launched three times. vssadmin.exe Delete Shadows /All /Quiet removes every Volume Shadow Copy on the host and is the standard ransomware step to deny file-history recovery; the SysWOW64 paths show the sample runs as a 32-bit process.
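Added example, not part of the Joe Sandbox report: detection logic for the shadow-copy tampering above, run over constructed process-creation records. The records use a Sysmon Event ID 1-like Key=Value|Key=Value form (field names and the '|' separator are assumptions) and mirror the command lines captured in the report; the 'resize shadowstorage' and 'wmic shadowcopy delete' rules go beyond the report to the common variants of the same technique.

```python
"""Detect shadow-copy tampering in process-creation telemetry.

Added example, not part of the Joe Sandbox report: SAMPLE_LOG is constructed
in a Sysmon Event ID 1-like 'Key=Value|Key=Value' form (field names and the
'|' separator are assumptions) and mirrors the command lines the report
captured. The 'resize shadowstorage' and 'wmic shadowcopy delete' rules
cover common variants of the same technique that the report does not show.
"""
import re
from typing import Dict, List, Tuple

# (image basename, tokens that must all appear in the command line, severity)
RULES = [
    ("vssadmin.exe", {"delete", "shadows"}, "high"),
    ("vssadmin.exe", {"resize", "shadowstorage"}, "high"),
    ("wmic.exe", {"shadowcopy", "delete"}, "high"),
]
VSS_TOOLS = {"vssadmin.exe", "wmic.exe"}
# Parents living in user-writable locations. A backup agent or an admin's
# cmd.exe under \Windows\System32 does not match.
UNTRUSTED_PARENT = re.compile(r"\\(users|programdata|windows\\temp)\\", re.IGNORECASE)

def parse_record(line: str) -> Dict[str, str]:
    """'Image=...|CommandLine=...|ParentImage=...' -> dict. Values keep any
    inner '=' because partition() splits on the first one only."""
    rec = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        rec[key.strip()] = value.strip()
    return rec

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def tokens(cmdline: str) -> set:
    # Case-fold and strip quotes so 'Delete', 'delete' and '"delete"' all match.
    return {t.strip('"').lower() for t in cmdline.split()}

def evaluate(rec: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, reason) alerts for one record; [] means nothing to report."""
    image = basename(rec.get("Image", ""))
    toks = tokens(rec.get("CommandLine", ""))
    parent = rec.get("ParentImage", "")
    alerts = [(sev, f"{tool}: {' '.join(sorted(req))}")
              for tool, req, sev in RULES if image == tool and req <= toks]
    # The captured 'wmic.exe SHADOWCOPY /nointeractive' carries no delete verb,
    # so the verb rules alone miss it. Shadow-copy tooling spawned from a
    # user-writable path is worth an alert in its own right.
    if not alerts and image in VSS_TOOLS and UNTRUSTED_PARENT.search(parent):
        alerts.append(("medium", f"{image} launched from user-writable parent {parent}"))
    return alerts

def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run evaluate() over raw log lines -> [(image, severity, reason), ...]."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        for sev, reason in evaluate(rec):
            findings.append((basename(rec.get("Image", "")), sev, reason))
    return findings

# Constructed records: the first two mirror the report's process tree, the
# last two are controls (benign enumeration from an admin shell; a delete variant).
SAMPLE_LOG = [
    r"Image=C:\Windows\SysWOW64\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet|ParentImage=C:\Users\user\Desktop\agreement.exe",
    r"Image=C:\Windows\SysWOW64\wbem\WMIC.exe|CommandLine=wmic.exe SHADOWCOPY /nointeractive|ParentImage=C:\Users\user\Desktop\agreement.exe",
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe List Shadows|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic shadowcopy delete|ParentImage=C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for image, sev, reason in detect(SAMPLE_LOG):
        print(f"[{sev}] {image}: {reason}")
```

The verb rules are what most public detection content encodes; the parent-path rule is the addition this report argues for, since the captured WMIC command line would otherwise pass unnoticed even though it is spawned by an executable on the user's desktop.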
May try to detect the Windows Explorer process (often used for injection)
Source: agreement.exe, 00000003.00000002.2169829733.0000000001090000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: agreement.exe, 00000003.00000002.2169829733.0000000001090000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: agreement.exe, 00000003.00000002.2169829733.0000000001090000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: agreement.exe, 00000003.00000002.2169829733.0000000001090000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_0040B65A _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_00512A6E GetLocaleInfoA
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00467681 GetACP,IsValidCodePage,GetLocaleInfoW
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_004378FB ___crtGetLocaleInfoEx
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00437D16 GetLocaleInfoW
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0045FEEC GetLocaleInfoW
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0045F8B2 EnumSystemLocalesW
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00467972 EnumSystemLocalesW
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00467927 EnumSystemLocalesW
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00467A0D EnumSystemLocalesW
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00467A9A GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00467CF0 GetLocaleInfoW
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00467E18 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00467F20 GetLocaleInfoW
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00467FF3 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_024927EE cpuid
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_005025AB GetSystemTimeAsFileTime,__aulldiv
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_00464198 _free,_free,_free,GetTimeZoneInformation,_free
Contains functionality to query the Windows version
Source: C:\Users\user\Desktop\agreement.exe | Code function: 0_2_0040E67A __EH_prolog3_GS,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpy,lstrcpy,EnumFontFamiliesA,EnumFontFamiliesA,lstrcpy,EnumFontFamiliesA,lstrcpy,lstrcpy,GetObjectA,GetObjectA,lstrcpy,GetStockObject,GetObjectA,__EH_prolog3_GS,GetVersionExA,KiUserCallbackDispatcher,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Queries the cryptographic machine GUID (a stable per-host value commonly used by ransomware as a victim identifier)
Source: C:\Users\user\Desktop\agreement.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Note: the locale, time-zone and ___crtGetLocaleInfoEx chains in the 3_2 process are the C runtime's locale initialisation and carry no intent on their own; the locale query worth checking is 0_2_0040B65A, where GetLocaleInfoA is followed by LoadLibraryA.

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_0044A1B0 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext
Source: C:\Users\user\Desktop\agreement.exe | Code function: 3_2_004494D4 Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext
Note: both cited functions are scheduler internals of the Visual C++ Concurrency Runtime (ConcRT); no socket, bind or listen API appears in either chain, so this signature is weak evidence of a listening backdoor and should not be reported as one without a matching network observation.

Malware Configuration

No configs have been found

Behavior Graph

Graph ID 200688, sample agreement.scr, start date 13/01/2020, architecture Windows, score 68. The rendered graph is summarised here as a process tree; the captured text ends mid-graph.

Root (submitted sample)
  DNS: cdn.onenote.net
  Signatures: Multi AV Scanner detection for submitted file; Found Tor onion address; Deletes shadow drive data (may be related to ransomware)
  -> agreement.exe (first instance)
       Signatures: Writes many files with high entropy; Injects a PE file into a foreign process
       -> agreement.exe (second, injected instance)
            Network: 192.168.2.100 (unknown), 192.168.2.101 (unknown) and 98 other IPs or domains
            Files dropped: C:\Users\user\Desktop\LIJDSFKJZG.docx (type: data); C:\Users\user\Desktop\HMPPSXQPQV.xlsx (type: data); C:\Users\user\Desktop\...\QFAPOWPAFG.xlsx (type: data); 23 other malicious files
            Signatures: Deletes shadow drive data (may be related to ransomware); Modifies existing user documents (likely ransomware behavior)
            -> WMIC.exe (three instances) and 3 other processes
                 -> conhost.exe (started by the first WMIC.exe)
                 -> conhost.exe (remainder of the graph not captured)
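Added example, not part of the Joe Sandbox report: the graph lists dropped .docx/.xlsx files whose content type is reported as plain "data" and flags "writes many files with high entropy". This block checks both signals, the expected file-format header and Shannon entropy, on constructed byte strings; the filenames are reused from the report, the contents are not, and the magic-number table and 7.2 bits/byte threshold are the example's own assumptions.

```python
"""Triage dropped documents: is the content still the format the extension
claims, and how random is it?

Added example, not from the Joe Sandbox report: the report's graph lists
dropped .docx/.xlsx files typed as plain "data" and flags "writes many files
with high entropy". Both signals are checked here on constructed byte
strings; the filenames are reused from the report, the contents are not.
"""
import math
import os
import random
from collections import Counter
from typing import Dict, Tuple

# Leading bytes each document type should start with. OOXML (docx/xlsx/pptx) is
# a ZIP container whose payload is already high-entropy, so entropy alone cannot
# tell "compressed" from "encrypted"; the missing magic is the stronger signal.
MAGIC: Dict[str, bytes] = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xD0\xCF\x11\xE0", ".xls": b"\xD0\xCF\x11\xE0",
    ".pdf": b"%PDF-", ".png": b"\x89PNG", ".jpg": b"\xFF\xD8\xFF",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(name: str, data: bytes, threshold: float = 7.2) -> Tuple[str, float]:
    """Verdicts: ok (magic intact), likely_encrypted (magic gone, entropy >=
    threshold), suspicious (magic gone, low entropy: wiped or corrupted),
    unknown_type (extension not in MAGIC)."""
    ext = os.path.splitext(name)[1].lower()
    ent = shannon_entropy(data)
    expected = MAGIC.get(ext)
    if expected is None:
        return ("unknown_type", ent)
    if data.startswith(expected):
        return ("ok", ent)
    if ent >= threshold:
        return ("likely_encrypted", ent)
    return ("suspicious", ent)

def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """name -> verdict for a batch; many likely_encrypted documents in one
    user profile is what turns a single odd file into a ransomware finding."""
    return {name: assess(name, data)[0] for name, data in files.items()}

# Constructed inputs. INTACT_XLSX is a ZIP-like stub with the right header;
# CIPHERTEXT is seeded pseudo-random data standing in for an encrypted document.
_rng = random.Random(7)
INTACT_XLSX = b"PK\x03\x04" + b"[Content_Types].xml" + b"\x00" * 61
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_FILES = {
    r"C:\Users\user\Desktop\HMPPSXQPQV.xlsx": INTACT_XLSX,
    r"C:\Users\user\Desktop\LIJDSFKJZG.docx": CIPHERTEXT,
    r"C:\Users\user\Desktop\report.pdf": b"\x00" * 1000,
    r"C:\Users\user\Desktop\notes.txt": b"plain text, no magic to check",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        verdict, ent = assess(name, data)
        print(f"{verdict:17} {ent:5.2f}  {name}")
```

To apply it to a real sandbox run, feed the dropped-file paths and their bytes into triage(); a file whose extension promises an Office document but whose first bytes are no longer PK\x03\x04 and whose entropy sits near 8 bits/byte is the per-file form of the "modifies existing user documents" signature above.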