
Analysis Report NetworkWizardLoader-86a23541.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 201054
Start date: 15.01.2020
Start time: 02:39:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: NetworkWizardLoader-86a23541.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 12
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal64.evad.winEXE@9/10@4/1
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 91.4%)
  • Quality average: 74.7%
  • Quality standard deviation: 30.9%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe, WmiPrvSE.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 13.68.93.109, 20.36.222.39, 20.36.218.70, 20.45.4.77, 40.90.22.192, 40.90.22.184, 40.90.22.185, 51.105.249.239
  • Excluded domains from analysis (whitelisted): fe2.update.microsoft.com.nsatc.net, sls.emea.update.microsoft.com.akadns.net, client.wns.windows.com, fe2.update.microsoft.com, lgin.msa.trafficmanager.net, am3p.wns.notify.windows.com.akadns.net, login.live.com, emea1.notify.windows.com.akadns.net, sls.update.microsoft.com.akadns.net, sls.update.microsoft.com, wns.notify.windows.com.akadns.net, login.msa.msidentity.com
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size exceeded maximum capacity and may have missing network information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 64 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 111 | LSASS Driver 1 | Exploitation for Privilege Escalation 1 | Disabling Security Tools 1 | Input Capture 1 | System Time Discovery 1 | Remote File Copy 1 | Input Capture 1 | Data Encrypted 1 | Commonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API 1 | Modify Existing Service 1 | Process Injection 12 | Software Packing 21 | Network Sniffing | Security Software Discovery 221 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Graphical User Interface 1 | New Service 1 | New Service 1 | Deobfuscate/Decode Files or Information 1 | Input Capture | File and Directory Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Command-Line Interface 2 | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 21 | Credentials in Files | System Information Discovery 35 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol 1 | SIM Card Swap | Premium SMS Toll Fraud |
Exploit Public-Facing Application | LSASS Driver 1 | Shortcut Modification | File System Permissions Weakness | Masquerading 1 | Account Manipulation | Virtualization/Sandbox Evasion 21 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol 2 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 21 | Brute Force | Process Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection 12 | Two-Factor Authentication Interception | Remote System Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: NetworkWizardLoader-86a23541.exe | Virustotal: Detection: 42%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NetworkWizardLoader-86a23541.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.0.WinHelper.exe.9e0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Code function: 0_2_0042060A __vbaStrToAnsi,__vbaSetSystemError,__vbaStrToUnicode,__vbaFreeStr,__vbaStrCopy,__vbaFreeStr,#644,#644,URLDownloadToFileW,__vbaSetSystemError,__vbaInStr,__vbaStrCopy,__vbaFreeStr,#712,__vbaStrMove,__vbaStrToAnsi,__vbaSetSystemError,__vbaStrToUnicode,__vbaFreeStr,#644,#644,__vbaSetSystemError,__vbaStrCat,__vbaStrMove,__vbaFreeStr,__vbaStrCopy,__vbaFreeStr,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaStrI4,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaStrCopy,__vbaFreeStr | 0_2_0042060A
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: cloudpath.unh.edu
Urls found in memory or binary data
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: NetworkWizardLoader-86a23541.exe, 00000000.00000002.1822372555.0000000000750000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: String function: 009E15B6 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: String function: 00A39250 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: String function: 00A37FF9 appears 108 times
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Code function: String function: 00403588 appears 213 times
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Code function: String function: 0040359A appears 171 times
PE file contains strange resources
Source: NetworkWizardLoader-86a23541.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NetworkWizardLoader-86a23541.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Cloudpath[1].exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Cloudpath.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WinHelper.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: NetworkWizardLoader-86a23541.exe, 00000000.00000000.1749239326.000000000043B000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename: xc_loader_exe.exe vs NetworkWizardLoader-86a23541.exe
Source: NetworkWizardLoader-86a23541.exe, 00000000.00000002.1825224497.0000000004510000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename: CRYPT32.DLL.MUIj% vs NetworkWizardLoader-86a23541.exe
Source: NetworkWizardLoader-86a23541.exe, 00000000.00000002.1825152966.0000000003060000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename: mswsock.dll.muij% vs NetworkWizardLoader-86a23541.exe
Source: NetworkWizardLoader-86a23541.exe | Binary or memory string: OriginalFilename: xc_loader_exe.exe vs NetworkWizardLoader-86a23541.exe
Spawns drivers
Source: unknown | Driver loaded: C:\Windows\system32\DRIVERS\nwifi.sys
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: WinHelper.exe.4.dr | Static PE information: Section: UPX1 ZLIB complexity 0.990305397727
Source: WinHelper64.exe.4.dr | Static PE information: Section: UPX1 ZLIB complexity 0.989141449849
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: Cloudpath.exe.0.dr | Binary string: \DEVICE\
Binary contains paths to development resources
Source: NetworkWizardLoader-86a23541.exe, 00000000.00000002.1821264433.0000000000439000.00000004.00020000.sdmp | Binary or memory string: k@*\Ac:\j\workspace\WZCF\OCBJ\WZ-EX_Build_xc_loader_exe\dev\version_5.0\xc_loader_activex\current\src\xc_loader_exe.vbp
Source: NetworkWizardLoader-86a23541.exe | Binary or memory string: C*\Ac:\j\workspace\WZCF\OCBJ\WZ-EX_Build_xc_loader_exe\dev\version_5.0\xc_loader_activex\current\src\xc_loader_exe.vbp
Source: Cloudpath.exe, 00000004.00000002.2177642822.000000000211B000.00000002.00020000.sdmp | Binary or memory string: com.slnishinomiya.hyogo.jpkustanai.rucom.snpassenger-association.aerocom.sotsushima.nagasaki.jpcom.stuy.comx.seisa-geek.comcom.sv
Classification label
Source: classification engine | Classification label: mal64.evad.winEXE@9/10@4/1
Creates files inside the user directory
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Cloudpath[1].exe
Creates mutexes
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | Mutant created: \Sessions\1\BaseNamedObjects\QtLockedFile mutex c:/users/user/appdata/local/temp/qtsingleapp-cloudp-9934-1-lockfile
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:832:120:WilError_01
Creates temporary files
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | File created: c:\users\user\appdata\local\temp\Cloudpath
PE file has an executable .text section and no other executable section
Source: NetworkWizardLoader-86a23541.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)Show sources
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT AddressWidth FROM Win32_Processor
Reads ini files
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: NetworkWizardLoader-86a23541.exe | Virustotal: Detection: 42%
Sample might require command line arguments
Source: WinHelper.exe | String found in binary or memory: An empty service start/stop value was provided to changeServiceState()!
Source: NetworkWizardLoader-86a23541.exe | String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe 'C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd' /C start 'Cloudpath' /B 'c:\users\user\appdata\local\temp\\Cloudpath\Cloudpath.exe' -temp -name University of New Hampshire -url https://cloudpath.unh.edu/enroll/unh/secure/wizard/27/network_config.xml
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe 'c:\users\user\appdata\local\temp\\Cloudpath\Cloudpath.exe' -temp -name University of New Hampshire -url https://cloudpath.unh.edu/enroll/unh/secure/wizard/27/network_config.xml
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe 'C:\Users\user\appdata\local\temp\Cloudpath\WinHelper.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd' /C start 'Cloudpath' /B 'c:\users\user\appdata\local\temp\\Cloudpath\Cloudpath.exe' -temp -name University of New Hampshire -url https://cloudpath.unh.edu/enroll/unh/secure/wizard/27/network_config.xml
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe 'c:\users\user\appdata\local\temp\\Cloudpath\Cloudpath.exe' -temp -name University of New Hampshire -url https://cloudpath.unh.edu/enroll/unh/secure/wizard/27/network_config.xml
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | Process created: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe 'C:\Users\user\appdata\local\temp\Cloudpath\WinHelper.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A47B96 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_00A47B96
PE file contains an invalid checksum
Source: Cloudpath[1].exe.0.dr | Static PE information: real checksum: 0x13abdc4 should be:
Source: NetworkWizardLoader-86a23541.exe | Static PE information: real checksum: 0x104210 should be: 0x103aea
Source: Cloudpath.exe.0.dr | Static PE information: real checksum: 0x13abdc4 should be:
PE file contains sections with non-standard names
Source: Cloudpath[1].exe.0.dr | Static PE information: section name: .qtmetad
Source: Cloudpath.exe.0.dr | Static PE information: section name: .qtmetad
Source: WinHelper64.exe.4.dr | Static PE information: section name: UPX2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Code function: 0_2_0040240A push esp; retn 0042h 0_2_0040241D
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A39296 push ecx; ret 7_2_00A392A9
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A37FD3 push ecx; ret 7_2_00A37FE6
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | File created: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper64.exe
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | File created: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | File created: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Cloudpath[1].exe

Boot Survival:

Creates or modifies windows services
Source: C:\Windows\system32\DRIVERS\nwifi.sys | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NativeWifiP

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : Select * from Win32_NetworkAdapter
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | System information queried: FirmwareTableInformation
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper64.exe
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | API coverage: 2.9 %
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT AddressWidth FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: Cloudpath.exe.0.dr | Binary or memory string: VMware
Source: Cloudpath.exe, 00000004.00000002.2179722163.0000000004460000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Cloudpath.exe, 00000004.00000002.2182320844.000000000580C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: Cloudpath.exe.0.dr | Binary or memory string: FUnable to get version data from WMI. Trying the registry.Unable to get version data from the registry. Trying the old method (the data will probably be wrong!)Unable to find a useful source for the version information on this machine!!---> Gathering Windows version information.select Caption, Version, ServicePackMajorVersion, ServicePackMinorVersion, BuildNumber from Win32_OperatingSystemWMI Version returned : Couldn't get version information via WMI. Will use GetVersionEx() which will probably be wrong!WMI Build Number returned : ServicePackMajorVersionWMI Service Pack returned : Couldn't get service pack version information via WMI. Will use GetVersionEx() which will probably be wrong!WMI OS Version : ---> Done gathering Windows version information.AMD6464ARMIA64x8632MIPSPPCSHXALPHAALPHA64MSILUnknown/Unexpected architecture! (Type = Unknown/Unexpected architecture! Bit depth unknown! processors/cores/hyperthreads)---> Gathering Windows version information. (Method 2)OS version is : GetVersionEx() Os
Source: NetworkWizardLoader-86a23541.exe, 00000000.00000003.1819956232.00000000007E0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: NetworkWizardLoader-86a23541.exe, 00000000.00000002.1822528322.0000000000794000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW(
Source: Cloudpath.exe, 00000004.00000002.2178343545.0000000002374000.00000008.00020000.sdmp | Binary or memory string: .?AVQEmulationPaintEngine@@db.
Source: Cloudpath.exe, 00000004.00000002.2179722163.0000000004460000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Cloudpath.exe, 00000004.00000002.2179722163.0000000004460000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Cloudpath.exe, 00000004.00000002.2178343545.0000000002374000.00000008.00020000.sdmp | Binary or memory string: .?AVQEmulationPaintEngine@@
Source: Cloudpath.exe, 00000004.00000000.1814802735.0000000001A9F000.00000002.00020000.sdmp | Binary or memory string: Unable to get version data from WMI. Trying the registry.Unable to get version data from the registry. Trying the old method (the data will probably be wrong!)Unable to find a useful source for the version information on this machine!!---> Gathering Windows version information.select Caption, Version, ServicePackMajorVersion, ServicePackMinorVersion, BuildNumber from Win32_OperatingSystemWMI Version returned : Couldn't get version information via WMI. Will use GetVersionEx() which will probably be wrong!WMI Build Number returned : ServicePackMajorVersionWMI Service Pack returned : Couldn't get service pack version information via WMI. Will use GetVersionEx() which will probably be wrong!WMI OS Version : ---> Done gathering Windows version information.AMD6464ARMIA64x8632MIPSPPCSHXALPHAALPHA64MSILUnknown/Unexpected architecture! (Type = Unknown/Unexpected architecture! Bit depth unknown! processors/cores/hyperthreads)---> Gathering Windows version information. (Method 2)OS version is : GetVersionEx() Os V
Source: Cloudpath.exe, 00000004.00000002.2179722163.0000000004460000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A3944E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00A3944E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A47B96 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 7_2_00A47B96
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A6D926 mov eax, dword ptr fs:[00000030h] 7_2_00A6D926
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A62B67 mov eax, dword ptr fs:[00000030h] 7_2_00A62B67
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A3944E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00A3944E
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A5359E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00A5359E
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A38ACA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00A38ACA

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Code function: 0_2_00430DF8 __vbaChkstk,__vbaStrCopy,__vbaStrCopy,__vbaStrCopy,__vbaStrCopy,__vbaLenBstr,__vbaStrCopy,__vbaStrCat,__vbaStrMove,__vbaStrCmp,__vbaStrCmp,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaStrCopy,#593,__vbaFpI4,__vbaFreeVar,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStr,__vbaStrCat,__vbaStrMove,__vbaStrI4,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaFreeVar,__vbaStrCopy,__vbaFreeStr,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeVar,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStr,__vbaStrCat,__vbaStrMove,__vbaStrI4,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaFreeVar,__vbaStrCopy,__vbaFreeStr,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeVar,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaStrCopy,__vba 0_2_00430DF8
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd' /C start 'Cloudpath' /B 'c:\users\user\appdata\local\temp\\Cloudpath\Cloudpath.exe' -temp -name University of New Hampshire -url https://cloudpath.unh.edu/enroll/unh/secure/wizard/27/network_config.xml
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe 'c:\users\user\appdata\local\temp\\Cloudpath\Cloudpath.exe' -temp -name University of New Hampshire -url https://cloudpath.unh.edu/enroll/unh/secure/wizard/27/network_config.xml
May try to detect the Windows Explorer process (often used for injection)
Source: Cloudpath.exe, 00000004.00000002.2179532634.0000000002F90000.00000002.00000001.sdmp, WinHelper.exe, 00000007.00000002.2206435431.0000000001360000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Cloudpath.exe, 00000004.00000002.2179532634.0000000002F90000.00000002.00000001.sdmp, WinHelper.exe, 00000007.00000002.2206435431.0000000001360000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Cloudpath.exe, 00000004.00000002.2179532634.0000000002F90000.00000002.00000001.sdmp, WinHelper.exe, 00000007.00000002.2206435431.0000000001360000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Cloudpath.exe, 00000004.00000002.2179532634.0000000002F90000.00000002.00000001.sdmp, WinHelper.exe, 00000007.00000002.2206435431.0000000001360000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: GetLocaleInfoW,7_2_00A6C05B
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,7_2_00A714B1
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: EnumSystemLocalesW,7_2_00A71729
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: EnumSystemLocalesW,7_2_00A71774
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: EnumSystemLocalesW,7_2_00A7180F
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: EnumSystemLocalesW,7_2_00A6BA08
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_00A71C15
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_00A71DEF
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A392AB cpuid 7_2_00A392AB
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A39605 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter,7_2_00A39605
Contains functionality to query windows version
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A3F2E8 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,7_2_00A3F2E8
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Users\user\Desktop\NetworkWizardLoader-86a23541.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 Blob

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A4A804 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,7_2_00A4A804
Source: C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | Code function: 7_2_00A49B2E Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,7_2_00A49B2E

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 201054
Sample: NetworkWizardLoader-86a23541.exe
Start date: 15/01/2020
Architecture: WINDOWS
Score: 64

Signatures attached to the submitted sample:
  • Multi AV Scanner detection for submitted file
  • Machine Learning detection for sample

Process tree with dropped files, network contacts and signatures (recovered from the graph):
  • NetworkWizardLoader-86a23541.exe (started)
    - DNS/IP: cloudpath.unh.edu 132.177.239.220, 443, 49719, 49720 unknown United States
    - Dropped: C:\Users\user\AppData\Local\...\Cloudpath.exe, PE32
    - Dropped: C:\Users\user\AppData\...\Cloudpath[1].exe, PE32
    - Started: cmd.exe
      - Started: Cloudpath.exe
        - DNS/IP: cloudpath.unh.edu
        - Dropped: C:\Users\user\AppData\Local\...\WinHelper.exe, PE32
        - Dropped: C:\Users\user\AppData\...\WinHelper64.exe, PE32+
        - Signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
        - Signature: Query firmware table information (likely to detect VMs)
        - Started: WinHelper.exe
          - Signature: Machine Learning detection for dropped file
          - Started: conhost.exe
      - Started: conhost.exe
  • nwifi.sys (started)
  • ndisuio.sys (started)

Simulations

Behavior and APIs

Time      Type              Description
02:41:06  API Interceptor   3x Sleep call for process: Cloudpath.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
NetworkWizardLoader-86a23541.exe | 42% | Virustotal
NetworkWizardLoader-86a23541.exe | 100% | Joe Sandbox ML

Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\Cloudpath[1].exe | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\Cloudpath\Cloudpath.exe | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | 1% | Virustotal
C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper.exe | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper64.exe | 4% | Virustotal
C:\Users\user\AppData\Local\Temp\Cloudpath\WinHelper64.exe | 0% | Metadefender

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.WinHelper.exe.9e0000.0.unpack | 100% | Avira | HEUR/AGEN.1044393
7.0.WinHelper.exe.9e0000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen2

Domains

No Antivirus matches

URLs


Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN


JA3 Fingerprints


Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.