
Analysis Report SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 220167
Start date: 03.04.2020
Start time: 19:02:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@21/4@3/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 52.9% (good quality ratio 17.9%)
  • Quality average: 19.3%
  • Quality standard deviation: 29.9%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 319
  • Number of non-executed functions: 50
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 23.62.125.151, 216.58.207.78, 72.247.178.41, 72.247.178.43, 67.26.137.254, 8.241.121.254, 8.241.122.126, 67.27.234.126, 8.253.204.120, 67.27.235.126, 67.27.157.254, 67.26.81.254, 67.27.158.126, 172.217.22.110, 2.20.143.23, 2.20.143.16, 8.248.147.254, 8.248.123.254, 67.27.233.254, 67.27.157.126, 67.26.83.254, 205.185.216.42, 205.185.216.10
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, docs.google.com, fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, drive.google.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Threat         | Detection
Threshold | 100   | 0 - 100 |           | false       | Remcos GuLoader | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification Spiderchart

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Techniques by tactic (numbers in parentheses are the counts shown in the original matrix cells):

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment
Execution: Scripting (11), Execution through API (1), Graphical User Interface (1), Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting
Persistence: Registry Run Keys / Startup Folder (11), Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception
Privilege Escalation: Process Injection (312), Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (21), Process Injection (312), Scripting (11), Obfuscated Files or Information (1), DLL Search Order Hijacking, Software Packing
Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception
Discovery: Virtualization/Sandbox Evasion (21), Process Discovery (1), Application Window Discovery (1), Security Software Discovery (31), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (2)
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection
Exfiltration: Data Compressed, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel
Command and Control: Uncommonly Used Port (1), Standard Cryptographic Protocol (2), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (2), Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\Sugaryse\benzinforh.exe | Virustotal: Detection: 63%
Source: C:\Users\user\Sugaryse\benzinforh.exe | ReversingLabs: Detection: 54%
Multi AV Scanner detection for submitted file
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Virustotal: Detection: 63%
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | ReversingLabs: Detection: 54%

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49749 -> 23.105.131.161:7279
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 172.217.23.97
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 23.105.131.161 (21 occurrences)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: doc-08-cc-docs.googleusercontent.com
Urls found in memory or binary data
Source: benzinforh.exe, 00000008.00000002.1184979176.00000000009D4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.gl
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp, benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp, benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp, benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe, 00000002.00000002.827037101.00000000004F0000.00000040.00000001.sdmp, benzinforh.exe, 00000003.00000002.943762089.00000000023B0000.00000040.00000001.sdmp, benzinforh.exe, 00000006.00000002.953264408.00000000006F0000.00000040.00000001.sdmp, benzinforh.exe, 00000008.00000002.1184489878.00000000004F0000.00000040.00000001.sdmp, benzinforh.exe, 00000009.00000002.958535209.0000000002110000.00000040.00000001.sdmp, svchost.exe, 0000000A.00000002.987073826.0000000005BE0000.00000040.00000001.sdmp, benzinforh.exe, 0000000B.00000002.1187460831.00000000004F0000.00000040.00000001.sdmp, benzinforh.exe, 0000000C.00000002.957789791.00000000004F0000.00000040.00000001.sdmp, svchost.exe, 0000000D.00000002.983325002.0000000000AC0000.00000040.00000001.sdmp | String found in binary or memory: http://myurl/myfile.bin
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.p
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp, benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp, benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.gos
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gn
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp, benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp, benzinforh.exe, 0000000B.00000002.1188079721.00000000008DF000.00000004.00000020.sdmp | String found in binary or memory: http://www.google.com/support/accounts/answer/151657?hl=en
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp | String found in binary or memory: https://doc-08-cc-docs.googleusercontent.com/
Source: benzinforh.exe, 00000008.00000002.1184979176.00000000009D4000.00000004.00000020.sdmp | String found in binary or memory: https://doc-08-cc-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/jhue605e
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp | String found in binary or memory: https://doc-08-cc-docs.googleusercontent.com/o
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0g-5k-docs.googleusercontent.com/
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0g-5k-docs.googleusercontent.com/(
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0g-5k-docs.googleusercontent.com/R
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0g-5k-docs.googleusercontent.com/V
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0g-5k-docs.googleusercontent.com/b
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0g-5k-docs.googleusercontent.com/docs/securesc/o3ah5cb06on6g6nn201rtr5huqq6hq51/57mi2n0f
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/
Source: benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/nonceSigner?nonce=76fovnisgjjdk&continue=https://doc-0g-5k-docs.googleuserco
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/R
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe, 00000002.00000002.827037101.00000000004F0000.00000040.00000001.sdmp, benzinforh.exe, 00000003.00000002.943762089.00000000023B0000.00000040.00000001.sdmp, benzinforh.exe, 00000006.00000002.953264408.00000000006F0000.00000040.00000001.sdmp, benzinforh.exe, 00000008.00000002.1184489878.00000000004F0000.00000040.00000001.sdmp, benzinforh.exe, 00000009.00000002.958535209.0000000002110000.00000040.00000001.sdmp, svchost.exe, 0000000A.00000002.987073826.0000000005BE0000.00000040.00000001.sdmp, benzinforh.exe, 0000000B.00000002.1187460831.00000000004F0000.00000040.00000001.sdmp, benzinforh.exe, 0000000C.00000002.957789791.00000000004F0000.00000040.00000001.sdmp, svchost.exe, 0000000D.00000002.983325002.0000000000AC0000.00000040.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=17Ukn6_AqHto9_Z7OEVYUQKbL2HBeMMvX
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=17Ukn6_AqHto9_Z7OEVYUQKbL2HBeMMvXes
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp, benzinforh.exe, 0000000B.00000002.1187997402.00000000008A4000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
Abnormal high CPU Usage
Source: C:\Users\user\Sugaryse\benzinforh.exe | Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F039B EnumWindows,NtSetInformationThread,TerminateProcess,2_2_004F039B
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F8395 NtProtectVirtualMemory,2_2_004F8395
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F052C NtSetInformationThread,TerminateProcess,2_2_004F052C
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F03E4 NtSetInformationThread,TerminateProcess,2_2_004F03E4
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F03F0 NtSetInformationThread,TerminateProcess,2_2_004F03F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B2E65 NtWriteVirtualMemory,3_2_023B2E65
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B039B EnumWindows,NtSetInformationThread,TerminateProcess,3_2_023B039B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B8395 NtProtectVirtualMemory,3_2_023B8395
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B87E6 NtResumeThread,3_2_023B87E6
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B8C1A NtResumeThread,3_2_023B8C1A
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B3000 NtWriteVirtualMemory,3_2_023B3000
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B8A75 NtResumeThread,3_2_023B8A75
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B3246 NtWriteVirtualMemory,3_2_023B3246
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B9090 NtResumeThread,3_2_023B9090
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B34E2 NtWriteVirtualMemory,3_2_023B34E2
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B2ED0 NtWriteVirtualMemory,3_2_023B2ED0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B88D0 NtResumeThread,3_2_023B88D0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B052C NtSetInformationThread,TerminateProcess,3_2_023B052C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B310C NtWriteVirtualMemory,3_2_023B310C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B337D NtWriteVirtualMemory,3_2_023B337D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B8F75 NtResumeThread,3_2_023B8F75
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B8B48 NtResumeThread,3_2_023B8B48
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B2DA0 NtWriteVirtualMemory,3_2_023B2DA0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B03F0 NtSetInformationThread,TerminateProcess,3_2_023B03F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B87F0 NtResumeThread,3_2_023B87F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B03E4 NtSetInformationThread,TerminateProcess,3_2_023B03E4
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B8DC4 NtResumeThread,3_2_023B8DC4
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F2E65 NtWriteVirtualMemory,6_2_006F2E65
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F039B EnumWindows,NtSetInformationThread,TerminateProcess,6_2_006F039B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F8395 NtProtectVirtualMemory,6_2_006F8395
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F3246 NtWriteVirtualMemory,6_2_006F3246
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F3000 NtWriteVirtualMemory,6_2_006F3000
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F34E2 NtWriteVirtualMemory,6_2_006F34E2
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F2ED0 NtWriteVirtualMemory,6_2_006F2ED0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F337D NtWriteVirtualMemory,6_2_006F337D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F052C NtSetInformationThread,TerminateProcess,6_2_006F052C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F310C NtWriteVirtualMemory,6_2_006F310C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F03E4 NtSetInformationThread,TerminateProcess,6_2_006F03E4
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F03F0 NtSetInformationThread,TerminateProcess,6_2_006F03F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F2DA0 NtWriteVirtualMemory,6_2_006F2DA0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F2861 CreateThread,TerminateThread,NtProtectVirtualMemory,8_2_004F2861
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F296F LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory,8_2_004F296F
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F87E6 NtSetInformationThread,8_2_004F87E6
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F3B9B Sleep,LdrInitializeThunk,NtProtectVirtualMemory,8_2_004F3B9B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F039B EnumWindows,NtSetInformationThread,LdrInitializeThunk,8_2_004F039B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F8395 NtProtectVirtualMemory,8_2_004F8395
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F8A75 NtSetInformationThread,8_2_004F8A75
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F8C1A NtSetInformationThread,8_2_004F8C1A
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F3E10 NtProtectVirtualMemory,8_2_004F3E10
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F3CDC NtProtectVirtualMemory,8_2_004F3CDC
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F3CD6 NtProtectVirtualMemory,8_2_004F3CD6
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F88D0 NtSetInformationThread,8_2_004F88D0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F2898 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,8_2_004F2898
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F9090 NtSetInformationThread,8_2_004F9090
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F8B48 NtSetInformationThread,8_2_004F8B48
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F8F75 NtSetInformationThread,8_2_004F8F75
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F052C NtSetInformationThread,8_2_004F052C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F8DC4 NtSetInformationThread,8_2_004F8DC4
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F29DE NtProtectVirtualMemory,8_2_004F29DE
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F03E4 NtSetInformationThread,8_2_004F03E4
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F03F0 NtSetInformationThread,8_2_004F03F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F87F0 NtSetInformationThread,8_2_004F87F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02112E65 NtWriteVirtualMemory,9_2_02112E65
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02118395 NtProtectVirtualMemory,9_2_02118395
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_0211039B EnumWindows,NtSetInformationThread,TerminateProcess,9_2_0211039B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_021187E6 NtResumeThread,9_2_021187E6
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02118C1A NtResumeThread,9_2_02118C1A
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02113000 NtWriteVirtualMemory,9_2_02113000
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02113246 NtWriteVirtualMemory,9_2_02113246
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02118A75 NtResumeThread,9_2_02118A75
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02119090 NtResumeThread,9_2_02119090
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02112ED0 NtWriteVirtualMemory,9_2_02112ED0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_021188D0 NtResumeThread,9_2_021188D0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_021134E2 NtWriteVirtualMemory,9_2_021134E2
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_0211310C NtWriteVirtualMemory,9_2_0211310C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_0211052C NtSetInformationThread,TerminateProcess,9_2_0211052C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02118B48 NtResumeThread,9_2_02118B48
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02118F75 NtResumeThread,9_2_02118F75
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_0211337D NtWriteVirtualMemory,9_2_0211337D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02112DA0 NtWriteVirtualMemory,9_2_02112DA0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02118DC4 NtResumeThread,9_2_02118DC4
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_021103F0 NtSetInformationThread,TerminateProcess,9_2_021103F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_021187F0 NtResumeThread,9_2_021187F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_021103E4 NtSetInformationThread,TerminateProcess,9_2_021103E4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE039B EnumWindows,NtSetInformationThread,TerminateProcess,10_2_05BE039B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE8395 NtProtectVirtualMemory,10_2_05BE8395
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE87E6 NtResumeThread,10_2_05BE87E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE2E65 NtWriteVirtualMemory,10_2_05BE2E65
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE2DA0 NtWriteVirtualMemory,10_2_05BE2DA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE03F0 NtSetInformationThread,TerminateProcess,10_2_05BE03F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE87F0 NtResumeThread,10_2_05BE87F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE03E4 NtSetInformationThread,TerminateProcess,10_2_05BE03E4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE8DC4 NtResumeThread,10_2_05BE8DC4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE052C NtSetInformationThread,TerminateProcess,10_2_05BE052C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE310C NtWriteVirtualMemory,10_2_05BE310C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE337D NtWriteVirtualMemory,10_2_05BE337D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE8F75 NtResumeThread,10_2_05BE8F75
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE8B48 NtResumeThread,10_2_05BE8B48
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE9090 NtResumeThread,10_2_05BE9090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE34E2 NtWriteVirtualMemory,10_2_05BE34E2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE2ED0 NtWriteVirtualMemory,10_2_05BE2ED0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE88D0 NtResumeThread,10_2_05BE88D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE8C1A NtResumeThread,10_2_05BE8C1A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE3000 NtWriteVirtualMemory,10_2_05BE3000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE8A75 NtResumeThread,10_2_05BE8A75
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE3246 NtWriteVirtualMemory,10_2_05BE3246
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F2861 CreateThread,TerminateThread,NtProtectVirtualMemory,11_2_004F2861
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F296F RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,11_2_004F296F
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F87E6 NtProtectVirtualMemory,11_2_004F87E6
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F3B9B Sleep,NtProtectVirtualMemory,11_2_004F3B9B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F039B EnumWindows,NtSetInformationThread,11_2_004F039B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F8395 NtProtectVirtualMemory,11_2_004F8395
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F8A75 NtProtectVirtualMemory,11_2_004F8A75
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F8C1A NtProtectVirtualMemory,11_2_004F8C1A
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F3E10 NtProtectVirtualMemory,11_2_004F3E10
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F3CDC NtProtectVirtualMemory,11_2_004F3CDC
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F3CD6 NtProtectVirtualMemory,11_2_004F3CD6
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F88D0 NtProtectVirtualMemory,11_2_004F88D0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F2898 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,11_2_004F2898
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F9090 NtProtectVirtualMemory,11_2_004F9090
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F8B48 NtProtectVirtualMemory,11_2_004F8B48
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F8F75 NtProtectVirtualMemory,11_2_004F8F75
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F052C NtSetInformationThread,11_2_004F052C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F8DC4 NtProtectVirtualMemory,11_2_004F8DC4
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F29DE NtProtectVirtualMemory,11_2_004F29DE
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F03E4 NtSetInformationThread,11_2_004F03E4
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F03F0 NtSetInformationThread,11_2_004F03F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F87F0 NtProtectVirtualMemory,11_2_004F87F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F296F RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,12_2_004F296F
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F87E6 NtSetInformationThread,12_2_004F87E6
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F039B EnumWindows,NtSetInformationThread,12_2_004F039B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F8395 NtProtectVirtualMemory,12_2_004F8395
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F2861 NtProtectVirtualMemory,12_2_004F2861
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F8A75 NtSetInformationThread,12_2_004F8A75
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F8C1A NtSetInformationThread,12_2_004F8C1A
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F3E10 NtProtectVirtualMemory,12_2_004F3E10
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F3CDC NtProtectVirtualMemory,12_2_004F3CDC
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F3CD6 NtProtectVirtualMemory,12_2_004F3CD6
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F88D0 NtSetInformationThread,12_2_004F88D0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F2898 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,12_2_004F2898
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F9090 NtSetInformationThread,12_2_004F9090
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F8B48 NtSetInformationThread,12_2_004F8B48
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F8F75 NtSetInformationThread,12_2_004F8F75
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F052C NtSetInformationThread,12_2_004F052C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F8DC4 NtSetInformationThread,12_2_004F8DC4
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F29DE NtProtectVirtualMemory,12_2_004F29DE
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F03E4 NtSetInformationThread,12_2_004F03E4
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F03F0 NtSetInformationThread,12_2_004F03F0
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F87F0 NtSetInformationThread,12_2_004F87F0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_00AC039B EnumWindows,NtSetInformationThread,TerminateProcess,13_2_00AC039B
Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_00AC8395 NtProtectVirtualMemory,13_2_00AC8395
Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_00AC03E4 NtSetInformationThread,TerminateProcess,13_2_00AC03E4
Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_00AC03F0 NtSetInformationThread,TerminateProcess,13_2_00AC03F0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 13_2_00AC052C NtSetInformationThread,TerminateProcess,13_2_00AC052C
Sample file name is different from the original file name gathered from version info
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe, 00000000.00000002.820923141.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameslaaensdar.exe vs SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe, 00000002.00000002.829220354.0000000002360000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe, 00000002.00000002.829220354.0000000002360000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe, 00000002.00000002.829374402.00000000023D8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameslaaensdar.exe vs SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe, 00000002.00000002.837577561.000000001E8F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Binary or memory string: OriginalFilenameslaaensdar.exe vs SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winEXE@21/4@3/2
Creates files inside the user directory
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | File created: C:\Users\user\Sugaryse
Creates mutexes
Source: C:\Users\user\Sugaryse\benzinforh.exe | Mutant created: \Sessions\1\BaseNamedObjects\Mutex_RemWatchdog
Source: C:\Users\user\Sugaryse\benzinforh.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-79DIJK
Executes Visual Basic scripts
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Sugaryse\benzinforh.vbs'
PE file has an executable .text section and no other executable section
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Sugaryse\benzinforh.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Reads ini files
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Sugaryse\benzinforh.exe | File read: C:\Windows\System32\drivers\etc\hosts (12 occurrences)
Sample is known by antivirus
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Virustotal: Detection: 63%
Source: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | ReversingLabs: Detection: 54%
Sample reads its own file content
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | File read: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe 'C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe' (2 occurrences)
Source: unknown | Process created: C:\Users\user\Sugaryse\benzinforh.exe 'C:\Users\user\Sugaryse\benzinforh.exe'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Sugaryse\benzinforh.vbs'
Source: unknown | Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Sugaryse\benzinforh.vbs'
Source: unknown | Process created: C:\Users\user\Sugaryse\benzinforh.exe 'C:\Users\user\Sugaryse\benzinforh.exe'
Source: unknown | Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe
Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: unknown | Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe (2 occurrences)
Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Process created: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe 'C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe'
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Process created: C:\Users\user\Sugaryse\benzinforh.exe 'C:\Users\user\Sugaryse\benzinforh.exe'
Source: C:\Users\user\Sugaryse\benzinforh.exe | Process created: C:\Users\user\Sugaryse\benzinforh.exe 'C:\Users\user\Sugaryse\benzinforh.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe
Source: C:\Users\user\Sugaryse\benzinforh.exe | Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe
Source: C:\Users\user\Sugaryse\benzinforh.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\Sugaryse\benzinforh.exe | Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Binary contains paths to debug symbols
Source: Binary string: svchost.pdb source: svchost.exe, 0000000D.00000002.984639527.00000000049B0000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: svchost.exe, 0000000D.00000002.984639527.00000000049B0000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: benzinforh.exe PID: 5064, type: MEMORY
Source: Yara match | File source: Process Memory Space: benzinforh.exe PID: 1108, type: MEMORY
Source: Yara match | File source: Process Memory Space: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe PID: 3060, type: MEMORY
Source: Yara match | File source: Process Memory Space: benzinforh.exe PID: 912, type: MEMORY
Source: Yara match | File source: Process Memory Space: benzinforh.exe PID: 3064, type: MEMORY
Source: Yara match | File source: Process Memory Space: benzinforh.exe PID: 3060, type: MEMORY
Source: Yara match | File source: Process Memory Space: benzinforh.exe PID: 3040, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 0_2_004013AC push ebx; ret | 0_2_004013D4
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 0_2_00409859 push esp; iretd | 0_2_0040985B
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 0_2_0040C4DB push esp; iretd | 0_2_0040C4F3
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 0_2_0040D9F7 push edi; ret | 0_2_0040D9F8
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 0_2_0040C60A push DA6C7522h; iretd | 0_2_0040C60F
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 0_2_0040BE29 pushad ; iretd | 0_2_0040BE2A
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 0_2_004062D6 push 3EFE4495h; ret | 0_2_004062E6
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 0_2_00408341 pushad ; ret | 0_2_00408342
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 0_2_00407379 pushfd ; iretd | 0_2_00407387
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 0_2_0040631E push 3EFE4594h; ret | 0_2_00406326

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | File created: C:\Users\user\Sugaryse\benzinforh.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry-only malware)
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Gymnasti C:\Users\user\Sugaryse\benzinforh.vbs (2 occurrences)
Creates an autostart registry key
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Gymnasti (4 occurrences)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Process information set: NOOPENFILEERRORBOX (14 occurrences)
Source: C:\Users\user\Sugaryse\benzinforh.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\Sugaryse\benzinforh.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\Sugaryse\benzinforh.exe | Process information set: NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Users\user\Sugaryse\benzinforh.exe | Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Sugaryse\benzinforh.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_8-3479
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Sugaryse\benzinforh.exe | Thread sleep count: Count: 3871 delay: -5
Found WSH timer for JavaScript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (2 occurrences)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Sugaryse\benzinforh.exe | Window / User API: threadDelayed 721
Source: C:\Users\user\Sugaryse\benzinforh.exe | Window / User API: threadDelayed 3871
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Sugaryse\benzinforh.exe TID: 3940 | Thread sleep time: -70000s >= -30000s
Source: C:\Users\user\Sugaryse\benzinforh.exe TID: 4696 | Thread sleep count: 721 > 30
Source: C:\Users\user\Sugaryse\benzinforh.exe TID: 4404 | Thread sleep count: 3871 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Sugaryse\benzinforh.exe | Last function: Thread delayed (3 occurrences)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW(D
Source: benzinforh.exe, 00000008.00000002.1184844527.0000000000970000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F039B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 | 2_2_004F039B
Hides threads from debuggers
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Thread information set: HideFromDebugger (2 occurrences)
Source: C:\Users\user\Sugaryse\benzinforh.exe | Thread information set: HideFromDebugger (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Sugaryse\benzinforh.exe | Thread information set: HideFromDebugger (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe | Thread information set: HideFromDebugger
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F413A LdrInitializeThunk | 2_2_004F413A
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F3A5D mov eax, dword ptr fs:[00000030h] | 2_2_004F3A5D
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F261F mov eax, dword ptr fs:[00000030h] | 2_2_004F261F
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F7628 mov eax, dword ptr fs:[00000030h] | 2_2_004F7628
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F7B2D mov eax, dword ptr fs:[00000030h] | 2_2_004F7B2D
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F192B mov eax, dword ptr fs:[00000030h] | 2_2_004F192B
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe | Code function: 2_2_004F6F29 mov eax, dword ptr fs:[00000030h] | 2_2_004F6F29
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B7628 mov eax, dword ptr fs:[00000030h] | 3_2_023B7628
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B261F mov eax, dword ptr fs:[00000030h] | 3_2_023B261F
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B3A5D mov eax, dword ptr fs:[00000030h] | 3_2_023B3A5D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B192B mov eax, dword ptr fs:[00000030h] | 3_2_023B192B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B6F29 mov eax, dword ptr fs:[00000030h] | 3_2_023B6F29
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 3_2_023B7B2D mov eax, dword ptr fs:[00000030h] | 3_2_023B7B2D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F3A5D mov eax, dword ptr fs:[00000030h] | 6_2_006F3A5D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F7628 mov eax, dword ptr fs:[00000030h] | 6_2_006F7628
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F261F mov eax, dword ptr fs:[00000030h] | 6_2_006F261F
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F7B2D mov eax, dword ptr fs:[00000030h] | 6_2_006F7B2D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F192B mov eax, dword ptr fs:[00000030h] | 6_2_006F192B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 6_2_006F6F29 mov eax, dword ptr fs:[00000030h] | 6_2_006F6F29
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F253C mov eax, dword ptr fs:[00000030h] | 8_2_004F253C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F3A5D mov eax, dword ptr fs:[00000030h] | 8_2_004F3A5D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F7628 mov eax, dword ptr fs:[00000030h] | 8_2_004F7628
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F7B2D mov eax, dword ptr fs:[00000030h] | 8_2_004F7B2D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F192B mov eax, dword ptr fs:[00000030h] | 8_2_004F192B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F6F29 mov eax, dword ptr fs:[00000030h] | 8_2_004F6F29
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_0211261F mov eax, dword ptr fs:[00000030h] | 9_2_0211261F
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02117628 mov eax, dword ptr fs:[00000030h] | 9_2_02117628
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02113A5D mov eax, dword ptr fs:[00000030h] | 9_2_02113A5D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02116F29 mov eax, dword ptr fs:[00000030h] | 9_2_02116F29
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_0211192B mov eax, dword ptr fs:[00000030h] | 9_2_0211192B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 9_2_02117B2D mov eax, dword ptr fs:[00000030h] | 9_2_02117B2D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE7B2D mov eax, dword ptr fs:[00000030h] | 10_2_05BE7B2D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE192B mov eax, dword ptr fs:[00000030h] | 10_2_05BE192B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE6F29 mov eax, dword ptr fs:[00000030h] | 10_2_05BE6F29
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE7628 mov eax, dword ptr fs:[00000030h] | 10_2_05BE7628
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE261F mov eax, dword ptr fs:[00000030h] | 10_2_05BE261F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_05BE3A5D mov eax, dword ptr fs:[00000030h] | 10_2_05BE3A5D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F253C mov eax, dword ptr fs:[00000030h] | 11_2_004F253C
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F3A5D mov eax, dword ptr fs:[00000030h] | 11_2_004F3A5D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F7628 mov eax, dword ptr fs:[00000030h] | 11_2_004F7628
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F7B2D mov eax, dword ptr fs:[00000030h] | 11_2_004F7B2D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F192B mov eax, dword ptr fs:[00000030h] | 11_2_004F192B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F6F29 mov eax, dword ptr fs:[00000030h] | 11_2_004F6F29
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F261F mov eax, dword ptr fs:[00000030h] | 12_2_004F261F
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F3A5D mov eax, dword ptr fs:[00000030h] | 12_2_004F3A5D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F7628 mov eax, dword ptr fs:[00000030h] | 12_2_004F7628
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F7B2D mov eax, dword ptr fs:[00000030h] | 12_2_004F7B2D
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F192B mov eax, dword ptr fs:[00000030h] | 12_2_004F192B
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F6F29 mov eax, dword ptr fs:[00000030h] | 12_2_004F6F29
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00AC7628 mov eax, dword ptr fs:[00000030h] | 13_2_00AC7628
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00AC261F mov eax, dword ptr fs:[00000030h] | 13_2_00AC261F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00AC3A5D mov eax, dword ptr fs:[00000030h] | 13_2_00AC3A5D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00AC7B2D mov eax, dword ptr fs:[00000030h] | 13_2_00AC7B2D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00AC6F29 mov eax, dword ptr fs:[00000030h] | 13_2_00AC6F29
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 13_2_00AC192B mov eax, dword ptr fs:[00000030h] | 13_2_00AC192B
Contains functionality to register its own exception handler
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F296F LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory | 8_2_004F296F
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 8_2_004F2898 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory | 8_2_004F2898
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F296F RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory | 11_2_004F296F
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 11_2_004F2898 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory | 11_2_004F2898
Source: C:\Users\user\Sugaryse\benzinforh.exe | Code function: 12_2_004F296F RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory | 12_2_004F296F
Source: C:\Users\user\Sugaryse\benzinforh.exeCode function: 12_2_004F2898 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,12_2_004F2898

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Sugaryse\benzinforh.exe; Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Sugaryse\benzinforh.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Sugaryse\benzinforh.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000
Source: C:\Users\user\Sugaryse\benzinforh.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 401000
Source: C:\Users\user\Sugaryse\benzinforh.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 417000
Source: C:\Users\user\Sugaryse\benzinforh.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 418000
Source: C:\Users\user\Sugaryse\benzinforh.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 3030008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe; Process created: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe 'C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe'
Source: C:\Users\user\Desktop\SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe; Process created: C:\Users\user\Sugaryse\benzinforh.exe 'C:\Users\user\Sugaryse\benzinforh.exe'
Source: C:\Users\user\Sugaryse\benzinforh.exe; Process created: C:\Users\user\Sugaryse\benzinforh.exe 'C:\Users\user\Sugaryse\benzinforh.exe'
Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe
Source: C:\Users\user\Sugaryse\benzinforh.exe; Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe
Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe
Source: C:\Users\user\Sugaryse\benzinforh.exe; Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Users\user\Sugaryse\benzinforh.exe; Process created: C:\Users\user\Sugaryse\benzinforh.exe C:\Users\user\Sugaryse\benzinforh.exe
Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
May try to detect the Windows Explorer process (often used for injection)
Source: benzinforh.exe, 00000008.00000002.1185217006.0000000002320000.00000004.00000040.sdmp; Binary or memory string: Program Manager
Source: benzinforh.exe, 00000008.00000002.1185080578.0000000000E00000.00000002.00000001.sdmp, benzinforh.exe, 0000000B.00000002.1188151567.0000000000DD0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: benzinforh.exe, 00000008.00000002.1185080578.0000000000E00000.00000002.00000001.sdmp, benzinforh.exe, 0000000B.00000002.1188151567.0000000000DD0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: benzinforh.exe, 00000008.00000002.1187285185.000000001F818000.00000004.00000001.sdmp; Binary or memory string: [ Program Manager ]
Source: benzinforh.exe, 00000008.00000002.1187285185.000000001F818000.00000004.00000001.sdmp; Binary or memory string: art]@L0|cmd|Program Manager|cmd|4118609|cmd|4464796C
Source: benzinforh.exe, 00000008.00000002.1185080578.0000000000E00000.00000002.00000001.sdmp, benzinforh.exe, 0000000B.00000002.1188151567.0000000000DD0000.00000002.00000001.sdmp; Binary or memory string: hProgram ManagerWE
Source: benzinforh.exe, 00000008.00000002.1185080578.0000000000E00000.00000002.00000001.sdmp, benzinforh.exe, 0000000B.00000002.1188151567.0000000000DD0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 220167. Sample: SBA_Disaster_Application_Co... Startdate: 03/04/2020. Architecture: WINDOWS. Score: 100

Root signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Sigma detected: Remcos; 3 other signatures
Root processes started: SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe; wscript.exe; wscript.exe
SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe: Creates autostart registry keys with suspicious values (likely registry only malware); Hides threads from debuggers; Contains functionality to hide a thread from the debugger; started SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe
wscript.exe (each instance): started benzinforh.exe
SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.exe (child process): dropped C:\Users\user\Sugaryse\benzinforh.exe, PE32; Hides threads from debuggers; started benzinforh.exe (two instances)
benzinforh.exe (started by wscript.exe): started benzinforh.exe
benzinforh.exe: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Hides threads from debuggers; started benzinforh.exe
benzinforh.exe (two instances): DNS/IP googlehosted.l.googleusercontent.com; doc-0g-5k-docs.googleusercontent.com; Sleep loop found (likely to delay execution)
benzinforh.exe: DNS/IP googlehosted.l.googleusercontent.com 172.217.23.97, 443, 49748, 49751 unknown United States; 23.105.131.161, 49749, 7279 unknown United States; doc-08-cc-docs.googleusercontent.com; Writes to foreign memory regions; Allocates memory in foreign processes; Hides threads from debuggers; Injects a PE file into a foreign processes
svchost.exe