
Analysis Report IAwpoae00f.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 218145
Start date: 26.03.2020
Start time: 09:43:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: IAwpoae00f.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.evad.winEXE@4/2@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 61% (good quality ratio 36.4%)
  • Quality average: 35%
  • Quality standard deviation: 35.1%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 84 | 0 - 100 | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false


Classification Spiderchart

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Techniques per tactic column (numbers in parentheses are the hit counts shown in the report):

  • Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link
  • Execution: Rundll32 (1), Execution through API (3), Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface
  • Persistence: Application Shimming (1), Registry Run Keys / Startup Folder (1), Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service
  • Privilege Escalation: Access Token Manipulation (1), Process Injection (2), Application Shimming (1), DLL Search Order Hijacking, File System Permissions Weakness, New Service
  • Defense Evasion: Access Token Manipulation (1), Process Injection (2), Deobfuscate/Decode Files or Information (1), Rundll32 (1), Obfuscated Files or Information (2), DLL Search Order Hijacking
  • Credential Access: Input Capture (11), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force
  • Discovery: System Time Discovery (11), Process Discovery (1), Application Window Discovery (11), Security Software Discovery (21), File and Directory Discovery (1), System Information Discovery (15)
  • Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software
  • Collection: Input Capture (11), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture
  • Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits
  • Command and Control: Standard Cryptographic Protocol (2), Fallback Channels, Custom Cryptographic Protocol, Multiband Communication, Standard Cryptographic Protocol, Commonly Used Port
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Avira: detection malicious, Label: HEUR/AGEN.1014677
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lllp.exe | Avira: detection malicious, Label: HEUR/AGEN.1014677
Antivirus detection for sample
Source: IAwpoae00f.exe | Avira: detection malicious, Label: HEUR/AGEN.1014677
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lllp.exe | Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lllp.exe | Metadefender: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lllp.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Virustotal: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Metadefender: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: IAwpoae00f.exe | Virustotal: Detection: 60%
Source: IAwpoae00f.exe | ReversingLabs: Detection: 74%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: IAwpoae00f.exe | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D933A8 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,GetLastError,SetCurrentDirectoryA,0_2_00007FF790D933A8

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D9D0F8 FindFirstFileA,0_2_00007FF790D9D0F8
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D923BC FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF790D923BC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_004053E4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_004053E4

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042472C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,2_2_0042472C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0043DD34 GetKeyboardState,2_2_0043DD34

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0045B7B8 NtdllDefWindowProc_A,2_2_0045B7B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0045C010 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,2_2_0045C010
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00450AE4 GetSubMenu,SaveDC,RestoreDC,7337B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,2_2_00450AE4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00440CB0 NtdllDefWindowProc_A,GetCapture,2_2_00440CB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042B77C NtdllDefWindowProc_A,2_2_0042B77C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0045BF60 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,2_2_0045BF60
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D92F54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF790D92F54
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D91FF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF790D91FF4
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D9D428 ExitWindowsEx,0_2_00007FF790D9D428
Detected potential crypto function
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D920E8
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D95F80
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D96690
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D94360
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D96C54
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D91FF4
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D930A4
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D93940
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00450AE4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00455CB0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: String function: 00404088 appears 75 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: String function: 004063B4 appears 62 times
PE file contains executable resources (Code or Archives)
Source: IAwpoae00f.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 643022 bytes, 2 files
Source: rrrp.exe.0.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: lllp.exe.0.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM)
PE file contains strange resources
Source: IAwpoae00f.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IAwpoae00f.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: IAwpoae00f.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rrrp.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: lllp.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: lllp.exe.0.dr | Static PE information: Resource name: RT_STRING type: Motorola S-Record; binary data in text format
Sample file is different than original file name gathered from version info
Source: IAwpoae00f.exe | Binary or memory string: OriginalFilename vs IAwpoae00f.exe
Source: IAwpoae00f.exe, 00000000.00000002.2464138913.000001F0316C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs IAwpoae00f.exe
Source: IAwpoae00f.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs IAwpoae00f.exe
Classification label
Source: classification engine | Classification label: mal84.evad.winEXE@4/2@0/0
Contains functionality for error logging
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D949A4 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,GetLastError,FormatMessageA,0_2_00007FF790D949A4
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D91FF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF790D91FF4
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D9D060 AdjustTokenPrivileges,0_2_00007FF790D9D060
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D96690 LocalAlloc,GetLastError,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA,0_2_00007FF790D96690
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D97A10 FindResourceA,LoadResource,DialogBoxIndirectParamA,FreeResource,0_2_00007FF790D97A10
Creates temporary files
Source: C:\Users\user\Desktop\IAwpoae00f.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
PE file has an executable .text section and no other executable section
Source: IAwpoae00f.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Reads software policies
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functions
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\'
Sample is known by Antivirus
Source: IAwpoae00f.exe | Virustotal: Detection: 60%
Source: IAwpoae00f.exe | ReversingLabs: Detection: 74%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\IAwpoae00f.exe 'C:\Users\user\Desktop\IAwpoae00f.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\'
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe
PE file has a high image base, often used for DLLs
Source: IAwpoae00f.exe | Static PE information: Image base 0x140000000 > 0x60000000
PE file contains a mix of data directories often seen in goodware
Source: IAwpoae00f.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IAwpoae00f.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IAwpoae00f.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IAwpoae00f.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IAwpoae00f.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IAwpoae00f.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: IAwpoae00f.exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
PE file contains a debug data directory
Source: IAwpoae00f.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: wextract.pdbH source: IAwpoae00f.exe
Source: Binary string: wextract.pdb source: IAwpoae00f.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D920E8 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF790D920E8
PE file contains an invalid checksum
Source: IAwpoae00f.exe | Static PE information: real checksum: 0xc81ee should be: 0xcddda
Source: rrrp.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0xde3b1
Source: lllp.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0xa4b7d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_004482E0 push 0044836Dh; ret 2_2_00448365
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0041405A push 00414170h; ret 2_2_00414168
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0046C0D0 push 0046C0F6h; ret 2_2_0046C0EE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00414144 push 00414170h; ret 2_2_00414168
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00406138 push 00406164h; ret 2_2_0040615C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_004061C8 push 004061F4h; ret 2_2_004061EC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00448278 push 004482DEh; ret 2_2_004482D6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0040E2FC push 0040E328h; ret 2_2_0040E320
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00464288 push 004642B4h; ret 2_2_004642AC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0041E35A push 0041E407h; ret 2_2_0041E3FF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0041E35C push 0041E407h; ret 2_2_0041E3FF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_004603F8 push 00460454h; ret 2_2_0046044C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042C450 push 0042C493h; ret 2_2_0042C48B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0041E40C push 0041E49Ch; ret 2_2_0041E494
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0041E49E push 0041E764h; ret 2_2_0041E75C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_004604A4 push 004604D0h; ret 2_2_004604C8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042C540 push 0042C578h; ret 2_2_0042C570
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042C508 push 0042C534h; ret 2_2_0042C52C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042A534 push 0042A583h; ret 2_2_0042A57B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042C5D4 push 0042C600h; ret 2_2_0042C5F8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042A5DC push 0042A608h; ret 2_2_0042A600
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042A5A4 push 0042A5D0h; ret 2_2_0042A5C8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_004165BC push ecx; mov dword ptr [esp], edx 2_2_004165C1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042A64C push 0042A678h; ret 2_2_0042A670
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00428678 push 004286A4h; ret 2_2_0042869C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042A614 push 0042A640h; ret 2_2_0042A638
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00428638 push 00428664h; ret 2_2_0042865C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042A6F4 push 0042A720h; ret 2_2_0042A718
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042A684 push 0042A6B0h; ret 2_2_0042A6A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042C6A4 push 0042C6D7h; ret 2_2_0042C6CF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0042A6BC push 0042A6E8h; ret 2_2_0042A6E0

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\IAwpoae00f.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lllp.exe
Source: C:\Users\user\Desktop\IAwpoae00f.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe
Contains functionality to read ini properties file for application configuration
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D91A74 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00007FF790D91A74

Boot Survival:

Creates an autostart registry key
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0045B840 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,2_2_0045B840
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0045C010 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,2_2_0045C010
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_004280F0 IsIconic,GetWindowPlacement,GetWindowRect,2_2_004280F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_004423D4 IsIconic,GetCapture,2_2_004423D4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00458868 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,2_2_00458868
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00442C88 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,2_2_00442C88
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_004435E4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,2_2_004435E4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0045BF60 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,2_2_0045BF60
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00447CB0 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,2_2_00447CB0
Disables application error messages (SetErrorMode)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_00437588
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,2_2_0045ADB0
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lllp.exe
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Evasive API call chain: GetLocalTime,DecisionNodes graph_2-33581
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-3355
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | API coverage: 4.6 %
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_0046BED8 GetLocalTime followed by cmp: cmp word ptr [0046fc3ch], 07e1h and CTI: jnc 0046C011h 2_2_0046BED8
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D9D0F8 FindFirstFileA,0_2_00007FF790D9D0F8
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D923BC FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF790D923BC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: 2_2_004053E4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_004053E4
Contains functionality to query system information
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D964BC GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,GetLastError,0_2_00007FF790D964BC
Program exit points
Source: C:\Users\user\Desktop\IAwpoae00f.exe | API call chain: ExitProcess graph end node graph_0-3309

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D920E8 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF790D920E8
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D98870 SetUnhandledExceptionFilter,0_2_00007FF790D98870

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D9173C GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,0_2_00007FF790D9173C
May try to detect the Windows Explorer process (often used for injection)
Source: IAwpoae00f.exe, 00000000.00000002.2462525061.000001F02FEB0000.00000002.00000001.sdmp, rrrp.exe, 00000002.00000002.2472765160.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: IAwpoae00f.exe, 00000000.00000002.2462525061.000001F02FEB0000.00000002.00000001.sdmp, rrrp.exe, 00000002.00000002.2472765160.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: IAwpoae00f.exe, 00000000.00000002.2462525061.000001F02FEB0000.00000002.00000001.sdmp, rrrp.exe, 00000002.00000002.2472765160.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: IAwpoae00f.exe, 00000000.00000002.2462525061.000001F02FEB0000.00000002.00000001.sdmp, rrrp.exe, 00000002.00000002.2472765160.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,2_2_0040559C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: GetLocaleInfoA,GetACP,2_2_0040C9E4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: GetLocaleInfoA,2_2_0040B3F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: GetLocaleInfoA,2_2_0040B3A4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,2_2_004056A8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: GetLocaleInfoA,2_2_00405E92
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | Code function: GetLocaleInfoA,2_2_00405E94
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D98A34 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,0_2_00007FF790D98A34
Contains functionality to query windows version
Source: C:\Users\user\Desktop\IAwpoae00f.exe | Code function: 0_2_00007FF790D92F54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF790D92F54

Malware Configuration

No configs have been found

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
IAwpoae00f.exe | 60% | Virustotal |
IAwpoae00f.exe | 74% | ReversingLabs | Win32.Trojan.Injector
IAwpoae00f.exe | 100% | Avira | HEUR/AGEN.1014677
IAwpoae00f.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | 100% | Avira | HEUR/AGEN.1014677
C:\Users\user\AppData\Local\Temp\IXP000.TMP\lllp.exe | 100% | Avira | HEUR/AGEN.1014677
C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\lllp.exe | 81% | Virustotal |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\lllp.exe | 71% | Metadefender |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\lllp.exe | 86% | ReversingLabs | Win32.Trojan.Injector
C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | 81% | Virustotal |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | 71% | Metadefender |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\rrrp.exe | 83% | ReversingLabs | Win32.Trojan.Injector

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.IAwpoae00f.exe.7ff790d90000.1.unpack | 100% | Avira | HEUR/AGEN.1014677
0.0.IAwpoae00f.exe.7ff790d90000.0.unpack | 100% | Avira | HEUR/AGEN.1014677
2.2.rrrp.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1042789

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.