
Analysis Report file1.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 221896
Start date: 11.04.2020
Start time: 02:06:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: file1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@58/5@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 65.7% (good quality ratio 60.9%)
  • Quality average: 75.7%
  • Quality standard deviation: 31.5%
HCA Information:
  • Successful, ratio: 85%
  • Number of executed functions: 201
  • Number of non-executed functions: 327
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Threat | Detection
Threshold | 100   | 0 - 100 |           | false       | Qbot   | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is a service DLL but no service has been registered
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Techniques are listed per tactic column, top to bottom as in the matrix; digits in parentheses are the superscript hit-count markers the matrix attaches to triggered techniques, reproduced as extracted.

  • Initial Access: Valid Accounts (1), Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Hardware Additions, Masquerade as Legitimate Application, Drive-by Compromise
  • Execution: Execution through API (31), Command-Line Interface (12), Service Execution (2), Scheduled Task (1), Command-Line Interface, Graphical User Interface, Scripting, Third-party Software, Rundll32, PowerShell, Execution through API, Regsvr32, InstallUtil
  • Persistence: Registry Run Keys / Startup Folder (1), Hooking (1), Valid Accounts (1), Scheduled Task (1), Modify Existing Service (1), New Service (3), Path Interception, Logon Scripts, DLL Search Order Hijacking, Change Default File Association, File System Permissions Weakness, New Service, Scheduled Task
  • Privilege Escalation: Exploitation for Privilege Escalation (1), Hooking (1), Valid Accounts (1), Access Token Manipulation (1), Process Injection (323), Scheduled Task (1), New Service (3), Process Injection, Service Registry Permissions Weakness, Exploitation for Privilege Escalation, Valid Accounts, Bypass User Account Control, Web Shell
  • Defense Evasion: Software Packing (31), Disabling Security Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Masquerading (1), Valid Accounts (1), Modify Registry (1), Virtualization/Sandbox Evasion (11), Access Token Manipulation (1), Process Injection (323), Indicator Removal from Tools, Indicator Removal on Host, DLL Side-Loading
  • Credential Access: Hooking (1), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt, Keychain, Private Keys, Securityd Memory, LLMNR/NBT-NS Poisoning and Relay
  • Discovery: System Time Discovery (1), Account Discovery (1), Security Software Discovery (121), File and Directory Discovery (1), System Information Discovery (35), Network Share Discovery (1), Query Registry (1), Virtualization/Sandbox Evasion (11), Process Discovery (3), Application Window Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1), System Network Configuration Discovery (1)
  • Lateral Movement: Remote File Copy (1), Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares, Taint Shared Content, Replication Through Removable Media, Pass the Ticket, Remote File Copy
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data, Automated Collection, Audio Capture, Video Capture, Man in the Browser, Data from Information Repositories
  • Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium, Commonly Used Port, Standard Application Layer Protocol, Alternate Network Mediums, Data Encrypted
  • Command and Control: Commonly Used Port (1), Remote File Copy (1), Standard Cryptographic Protocol (2), Multiband Communication, Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol, Multilayer Encryption, Connection Proxy, Communication Through Removable Media, Custom Command and Control Protocol, Standard Non-Application Layer Protocol
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact, Disk Structure Wipe, Disk Content Wipe, Service Stop

Signature Overview



AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file1.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 36.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 38.2.xnzoowi.exe.8f0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 29.2.xnzoowi.exe.2260000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.file1.exe.2250000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 39.2.xnzoowi.exe.2270000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 38.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.file1.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 7.2.file1.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 37.2.xnzoowi.exe.7a0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 6.2.xnzoowi.exe.680000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 36.2.xnzoowi.exe.7f0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file1.exe.2390000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.1.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 10.2.explorer.exe.a40000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 29.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 28.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.file1.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 3.2.xnzoowi.exe.2290000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 28.2.xnzoowi.exe.680000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 39.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 37.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 7.2.file1.exe.f50000.1.unpack | Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3FCD5 strncpy,strncmp,QueryPerformanceFrequency,QueryPerformanceCounter,CryptAcquireContextA

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_1_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\Desktop\file1.exe | Code function: 7_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A4A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 36_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 38_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 39_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D461AD FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then add byte ptr [eax], al | 10_2_00D5B061

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Contains functionality to download additional files from the internet
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D428EB HttpQueryInfoA,GetSystemTime,InternetReadFile,GetLastError
Urls found in memory or binary data
Source: explorer.exe, 0000000A.00000002.1187946280.0000000000D30000.00000040.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: explorer.exe, 0000000A.00000002.1187946280.0000000000D30000.00000040.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: file1.exe, 00000000.00000003.782755789.00000000024EA000.00000004.00000040.sdmp, file1.exe, 00000007.00000003.827770537.000000000105A000.00000004.00000040.sdmp, explorer.exe | String found in binary or memory: http://www.ip-adress.com
Source: file1.exe, 00000000.00000003.782755789.00000000024EA000.00000004.00000040.sdmp, file1.exe, 00000007.00000003.827770537.000000000105A000.00000004.00000040.sdmp, explorer.exe, 0000000A.00000002.1187946280.0000000000D30000.00000040.00000001.sdmp | String found in binary or memory: http://www.ip-adress.com?%04x.%uNULL??YESNO

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_004046CF memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_00404327 NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\file1.exe | Code function: 7_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A41360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A446CF memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A44327 NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 36_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 38_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 39_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00404ED7 GetLastError,EqualSid,memset,memset,CreateProcessAsUserW,CloseHandle
Detected potential crypto function
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00404B41
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_1_00404B41
Source: C:\Users\user\Desktop\file1.exe | Code function: 7_2_00404B41
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A44B41
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4A0B0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3F18F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D40175
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D40BA5
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4A3AA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D494E2
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4049A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4ACA0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3ED72
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3F677
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D42664
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4EE3F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4E620
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 36_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 38_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 39_2_00404B41
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\file1.exe 284674A806BCBE692C76761BAAF21327638DE0C7135BFB06953648BE7D661FBD
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: String function: 00402058 appears 54 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: String function: 004020AD appears 63 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: String function: 00404FF2 appears 36 times
PE file contains strange resources
Source: file1.exe.30.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: file1.exe, 00000007.00000002.893557155.0000000001BD0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs file1.exe
Source: file1.exe, 00000007.00000002.893955364.0000000001CD0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs file1.exe
Source: file1.exe, 00000007.00000002.893955364.0000000001CD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs file1.exe
Source: file1.exe.30.dr | Binary or memory string: OriginalFilenameCALC.EXEj% vs file1.exe
Uses reg.exe to modify the Windows registry
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winEXE@58/5@0/1
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00404E29 CreateToolhelp32Snapshot,memset,Process32First,CloseHandle,Process32Next,FindCloseChangeNotification
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00407422 CoCreateInstance
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00403EFE FindResourceA,SizeofResource,LoadResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00401071 StartServiceCtrlDispatcherA
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_1_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\file1.exe | Code function: 7_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A41071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 36_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 38_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 39_2_00401071 StartServiceCtrlDispatcherA
Creates files inside the user directory
Source: C:\Users\user\Desktop\file1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4344:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{325DA934-A4BC-4A8F-A255-5F476FAE0ADB}
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:460:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3480:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2412:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4160:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{2E9D1502-75C0-4136-A5B9-1D49E7A8ED2B}
Source: C:\Users\user\Desktop\file1.exe | Mutant created: \Sessions\1\BaseNamedObjects\luiyzzo
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3496:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4768:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4216:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:932:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3036:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:768:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4076:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{C58BC001-5423-4218-98F4-2D67C786C0DA}
Creates temporary files
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\~xnzoowi.tmp
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Process created: C:\Windows\SysWOW64\explorer.exe
PE file has an executable .text section and no other executable section
Source: file1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\file1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample reads its own file content
Source: C:\Users\user\Desktop\file1.exe | File read: C:\Users\user\Desktop\file1.exe
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file1.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_0-4568
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\file1.exe 'C:\Users\user\Desktop\file1.exe'
Source: unknown | Process created: C:\Users\user\Desktop\file1.exe C:\Users\user\Desktop\file1.exe /C
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn erxfgza /tr '\'C:\Users\user\Desktop\file1.exe\' /I erxfgza' /SC ONCE /Z /ST 02:09 /ET 02:21
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: unknown | Process created: C:\Users\user\Desktop\file1.exe C:\Users\user\Desktop\file1.exe /I erxfgza
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Eeyuq' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\file1.exe'
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN erxfgza
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe 'C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe 'C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Users\user\Desktop\file1.exe C:\Users\user\Desktop\file1.exe /C
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn erxfgza /tr '\'C:\Users\user\Desktop\file1.exe\' /I erxfgza' /SC ONCE /Z /ST 02:09 /ET 02:21
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: C:\Users\user\Desktop\file1.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'Jump to behavior
Source: C:\Users\user\Desktop\file1.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'Jump to behavior
Source: C:\Users\user\Desktop\file1.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'Jump to behavior
Source: C:\Users\user\Desktop\file1.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'Jump to behavior
Source: C:\Users\user\Desktop\file1.exeProcess created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Eeyuq' /d '0'Jump to behavior
Source: C:\Users\user\Desktop\file1.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exeJump to behavior
Source: C:\Users\user\Desktop\file1.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\file1.exe'Jump to behavior
Source: C:\Users\user\Desktop\file1.exeProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN erxfgzaJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /CJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
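Worked example (added by the editor; not code from the Joe Sandbox report): a Python triage script over the process-creation lines above. It parses the reg.exe ADD commands and names what each value does (SpyNetReporting=0 turns off MAPS/SpyNet cloud reporting, SubmitSamplesConsent=2 means "never send samples", and a DWORD under Exclusions\Paths whose *name* is the dropper directory excludes that directory from scanning), and it decodes the cmd.exe line in which ping -n 6 127.0.0.1 acts as a roughly 5-second delay before `type calc.exe > file1.exe` replaces the original sample on disk; that overwrite is why the later-listed dropped file file1.exe.30.dr carries a calc.pdb debug string. The sample events are copied from this report; the regular expressions, the finding strings and the triage() output format are the editor's own.

```python
import re

# Constructed sample input: (parent image, command line) pairs copied from the
# process-creation list in this report. The report renders double quotes as
# single quotes, so the parser accepts both.
SAMPLE_PATH = r"C:\Users\user\Desktop\file1.exe"
SAMPLE_EVENTS = [
    (SAMPLE_PATH, r"C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'"),
    (SAMPLE_PATH, r"C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'"),
    (SAMPLE_PATH, r"C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Eeyuq' /d '0'"),
    (SAMPLE_PATH, r"'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\file1.exe'"),
    (r"C:\Windows\System32\cmd.exe", r"ping.exe -n 6 127.0.0.1"),
]

# Meaning of the SpyNet values the sample writes (documented Defender settings).
SPYNET_VALUES = {
    "spynetreporting": {"0": "MAPS/SpyNet cloud reporting disabled"},
    "submitsamplesconsent": {"2": "automatic sample submission set to 'never send'"},
}

_QUOTED = r"""(?:'([^']*)'|"([^"]*)"|(\S+))"""   # one argument: quoted or bare
REG_ADD = re.compile(r"reg(?:\.exe)?\s+ADD\s+" + _QUOTED + r"(?P<rest>.*)$", re.I)
PING_OVERWRITE = re.compile(
    r"ping(?:\.exe)?\s+-n\s+(?P<n>\d+)\s+127\.0\.0\.1.*?&\s*type\s+" + _QUOTED
    + r"\s*>\s*" + _QUOTED, re.I)


def _first(groups):
    """Return whichever alternative of a _QUOTED group triple matched."""
    return next((g for g in groups if g is not None), None)


def _opt(rest, flag):
    """Value of a reg.exe switch such as /v or /d, honouring quotes."""
    m = re.search(r"(?<!\S)/" + re.escape(flag) + r"\s+" + _QUOTED, rest, re.I)
    return _first(m.groups()) if m else None


def classify_reg_add(cmdline):
    """Findings for a reg.exe ADD that weakens Windows Defender / Microsoft AntiMalware."""
    m = REG_ADD.search(cmdline)
    if not m:
        return []
    key = _first(m.groups()[:3]).lower()
    name, data = _opt(m.group("rest"), "v"), _opt(m.group("rest"), "d")
    av_key = "windows defender" in key or "microsoft antimalware" in key
    if av_key and "\\exclusions\\" in key:
        # Exclusions are stored as DWORD values whose *name* is the excluded item.
        return [f"Defender exclusion added: {name}"]
    if av_key and key.endswith("\\spynet") and name:
        meaning = SPYNET_VALUES.get(name.lower(), {}).get(data)
        if meaning:
            return [f"{name}={data}: {meaning}"]
    return []


def classify_self_overwrite(cmdline, sample_path):
    """Detect `ping -n N 127.0.0.1 & type <src> > <dst>`: ping is the delay, the
    redirect replaces <dst> with a benign file once the sample has exited."""
    m = PING_OVERWRITE.search(cmdline)
    if not m:
        return None
    src, dst = _first(m.groups()[1:4]), _first(m.groups()[4:7])
    n = int(m.group("n"))
    return {
        "delay_s": max(n - 1, 0),   # ping waits about 1 s between echo requests to loopback
        "source": src,
        "target": dst,
        "overwrites_sample": dst.lower() == sample_path.lower(),
    }


def triage(events, sample_path):
    """Run both classifiers over (parent, cmdline) events; return (parent, finding) pairs."""
    findings = []
    for parent, cmdline in events:
        for f in classify_reg_add(cmdline):
            findings.append((parent, f))
        ow = classify_self_overwrite(cmdline, sample_path)
        if ow and ow["overwrites_sample"]:
            findings.append((parent, f"sample overwritten with {ow['source']} after ~{ow['delay_s']} s"))
    return findings


if __name__ == "__main__":
    for parent, finding in triage(SAMPLE_EVENTS, SAMPLE_PATH):
        print(f"{parent}: {finding}")
```

The overwrite check matters for the analyst as much as for detection: after the delay the file on the Desktop is a copy of calc.exe, so any hash or PE triage of "the sample" taken from the victim machine after execution describes the wrong binary.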
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\file1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
PE file has a big code size
Source: file1.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Submission file is bigger than most known malware samples
Source: file1.exe | Static file information: File size 2277376 > 1048576
PE file has a big raw section
Source: file1.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x226600
Binary contains paths to debug symbols
Source: Binary string: calc.pdbGCTL | source: file1.exe.30.dr
Source: Binary string: calc.pdb | source: file1.exe.30.dr

Data Obfuscation:
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 0.2.file1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 2.2.file1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 3.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 6.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 7.2.file1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 28.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 29.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 36.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 37.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 38.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 39.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
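Worked example (editor's code, not part of the report): what the "vs" comparison above is actually reporting. The left side is the section table of the image dumped from 0x400000 after execution, the right side that of the file on disk; here the memory image has only .text/.rdata/.data while the file also carries .rsrc and .reloc, so the running image was rebuilt with a different section table. The Python below builds two minimal, constructed PE32 images modelled on those values (including the 0x226600-byte .text behind the "big code size" and "big raw section" signatures earlier on this page), parses their IMAGE_SECTION_HEADER tables with only the standard library, prints a report-style rights summary and diffs the two layouts. The summary lists every set memory flag, so a read-write .data prints as RW; the report's own abbreviation (".data:W") is its own convention, not reproduced here.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MEM_FLAGS = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")        # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Constructed minimal PE32: MZ stub, PE signature, COFF header with an empty
    optional header, then one IMAGE_SECTION_HEADER per
    (name, virtual_size, raw_size, characteristics). Enough for header parsing only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    hdrs = b"".join(
        SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                            rsize, 0, 0, 0, 0, 0, chars)
        for i, (name, vsize, rsize, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + hdrs


def parse_sections(image):
    """Section table of a PE file or memory dump: dicts with name, sizes and flags."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]           # NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _va, rsize, *_ptrs, chars = SECTION_HEADER.unpack_from(image, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "rsize": rsize, "chars": chars})
    return out


def rights_string(sections):
    """Report-style summary such as '.text:ER;.rdata:R;.data:RW;'."""
    letters = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(f"{s['name']}:" + "".join(l for bit, l in letters if s["chars"] & bit) + ";"
                   for s in sections)


def big_code_sections(sections, limit=0x100000):
    """Executable sections whose virtual or raw size exceeds `limit` (the report's threshold)."""
    return [s["name"] for s in sections
            if s["chars"] & IMAGE_SCN_MEM_EXECUTE and max(s["vsize"], s["rsize"]) > limit]


def layout_diff(dumped, on_disk):
    """Sections present on one side only, and sections whose memory flags differ."""
    a = {s["name"]: s for s in dumped}
    b = {s["name"]: s for s in on_disk}
    return {
        "memory_only": sorted(set(a) - set(b)),
        "disk_only": sorted(set(b) - set(a)),
        "rights_changed": sorted(n for n in set(a) & set(b)
                                 if (a[n]["chars"] ^ b[n]["chars"]) & MEM_FLAGS),
    }


# Constructed images modelled on the report: five sections on disk with a
# 0x226600-byte .text, three sections in the dump taken at 0x400000.
_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
ON_DISK = build_pe([
    (".text", 0x226600, 0x226600, _CODE),
    (".rdata", 0x8000, 0x8000, IMAGE_SCN_MEM_READ),
    (".data", 0x4000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x1000, 0x1000, IMAGE_SCN_MEM_READ),
    (".reloc", 0x1000, 0x1000, IMAGE_SCN_MEM_READ),
])
IN_MEMORY = build_pe([
    (".text", 0x226600, 0x226600, _CODE),
    (".rdata", 0x8000, 0x8000, IMAGE_SCN_MEM_READ),
    (".data", 0x4000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print(rights_string(parse_sections(IN_MEMORY)), "vs", rights_string(parse_sections(ON_DISK)))
    print("big code sections:", big_code_sections(parse_sections(ON_DISK)))
    print(layout_diff(parse_sections(IN_MEMORY), parse_sections(ON_DISK)))
```

On a real dump the same parser runs over the bytes read from the process at the image base; a section that gains W or E between file and memory, or a table that shrinks as here, is the cue to carve the unpacked image rather than analyse the file on disk.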
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 0.2.file1.exe.2390000.1.unpack
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 2.2.file1.exe.2250000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 3.2.xnzoowi.exe.2290000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 6.2.xnzoowi.exe.680000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 28.2.xnzoowi.exe.680000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 29.2.xnzoowi.exe.2260000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 39.2.xnzoowi.exe.2270000.1.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 0.2.file1.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 2.2.file1.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 3.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 6.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 7.2.file1.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 28.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 29.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 36.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 37.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 38.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 39.2.xnzoowi.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00405866 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_023883C0 push edx; ret 0_2_0238854E
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_02388270 push edx; ret 0_2_0238827B
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_009983C0 push edx; ret 2_2_0099854E
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_00998270 push edx; ret 2_2_0099827B
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_022883C0 push edx; ret 3_2_0228854E
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_02288270 push edx; ret 3_2_0228827B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D5B823 push esp; ret 10_2_00D5B824
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D53196 push ebx; ret 10_2_00D53197
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D553DD push 0000006Ah; retf 10_2_00D5544C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D553DB push 0000006Ah; retf 10_2_00D5544C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D55373 push 0000006Ah; retf 10_2_00D5544C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D52EE4 push cs; iretd 10_2_00D52FBA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D52FE6 push cs; iretd 10_2_00D52FBA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_006783C0 push edx; ret 28_2_0067854E
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_0064628A push eax; ret 28_2_006462C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00647367 push 00405BFDh; ret 28_2_00647338
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00644F91 push 00000000h; ret 28_2_00644FB8
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_022583C0 push edx; ret 29_2_0225854E
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_02258270 push edx; ret 29_2_0225827B
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_006B83C0 push edx; ret 37_2_006B854E
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_0068628A push eax; ret 37_2_006862C4
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00687367 push 00405BFDh; ret 37_2_00687338
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00684F91 push 00000000h; ret 37_2_00684FB8

Persistence and Installation Behavior:
Uses cmd line tools excessively to alter registry or file data
Source: C:\Users\user\Desktop\file1.exe | Process created: reg.exe (9 occurrences)
Drops PE files
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\file1.exe
Source: C:\Users\user\Desktop\file1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe

Boot Survival:
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn erxfgza /tr '\'C:\Users\user\Desktop\file1.exe\' /I erxfgza' /SC ONCE /Z /ST 02:09 /ET 02:21
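Worked example (editor's code, not from the report): a small tokenizer and parser for the two schtasks.exe command lines on this page, the /Create above and the /DELETE /F /TN erxfgza in the process list. Pulling the switches apart shows what the task is for: it runs as NT AUTHORITY\SYSTEM (which schtasks only accepts from an elevated context), its action is the sample itself under the user's Desktop with an /I erxfgza argument, it is a one-shot task (/SC ONCE) that deletes itself after running (/Z) inside a 12-minute window, and the later /DELETE removes the same task name. The profile root C:\Users\user is assumed from the report's paths; the finding strings are the editor's.

```python
from datetime import datetime

# Constructed sample: the two schtasks.exe command lines from this report. The report
# renders double quotes as single quotes and an escaped quote as backslash-quote.
CREATE_LINE = r"'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn erxfgza /tr '\'C:\Users\user\Desktop\file1.exe\' /I erxfgza' /SC ONCE /Z /ST 02:09 /ET 02:21"
DELETE_LINE = r"'C:\Windows\system32\schtasks.exe' /DELETE /F /TN erxfgza"
USER_PROFILE = r"C:\Users\user"   # assumed profile root of the analysis user


def tokenize(cmdline):
    """Split a command line on whitespace, honouring quoting and backslash-escaped quotes."""
    args, buf, quoted, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1:i + 2] == "'":   # escaped quote: literal, no toggle
            buf.append("'")
            i += 2
            continue
        if c == "'":
            quoted = not quoted
        elif c.isspace() and not quoted:
            if buf:
                args.append("".join(buf))
                buf = []
        else:
            buf.append(c)
        i += 1
    if buf:
        args.append("".join(buf))
    return args


def parse_schtasks(cmdline):
    """Return {'verb', 'flags', 'opts'} for a schtasks.exe invocation, else None."""
    args = tokenize(cmdline)
    if not args or not args[0].lower().endswith("schtasks.exe"):
        return None
    info = {"verb": None, "flags": set(), "opts": {}}
    i = 1
    while i < len(args):
        a = args[i].lower()
        if a in ("/create", "/delete", "/change", "/run", "/end", "/query"):
            info["verb"] = a[1:]
        elif a in ("/f", "/z", "/np", "/it"):            # switches that take no value
            info["flags"].add(a[1:])
        elif a.startswith("/") and i + 1 < len(args):    # switches with a value
            info["opts"][a[1:]] = args[i + 1]
            i += 1
        i += 1
    return info


def _minutes(hhmm):
    t = datetime.strptime(hhmm, "%H:%M")
    return t.hour * 60 + t.minute


def assess_task(info, user_profile=USER_PROFILE):
    """Findings for a /Create task, in the spirit of the report's persistence signatures."""
    if not info or info["verb"] != "create":
        return []
    o, findings = info["opts"], []
    if o.get("ru", "").upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        findings.append("task runs as NT AUTHORITY\\SYSTEM")
    action = tokenize(o.get("tr", ""))
    if action and action[0].lower().startswith(user_profile.lower() + "\\"):
        findings.append(f"task action lives in the user profile: {action[0]}")
    if o.get("sc", "").upper() == "ONCE" and "z" in info["flags"]:
        findings.append("one-shot task that deletes itself after running (/SC ONCE /Z)")
    if "st" in o and "et" in o:
        window = (_minutes(o["et"]) - _minutes(o["st"])) % (24 * 60)
        findings.append(f"run window {o['st']}-{o['et']} ({window} min)")
    return findings


def matches_delete(create_info, delete_info):
    """True when a /DELETE names the task that the /Create registered."""
    return bool(create_info and delete_info and delete_info["verb"] == "delete"
                and delete_info["opts"].get("tn", "").lower() == create_info["opts"].get("tn", "").lower())


if __name__ == "__main__":
    created, deleted = parse_schtasks(CREATE_LINE), parse_schtasks(DELETE_LINE)
    for f in assess_task(created):
        print(f)
    print("explicitly deleted afterwards:", matches_delete(created, deleted))
```

For detection, the combination that matters is a /Create with /RU SYSTEM whose /tr points into a user-writable directory, followed within minutes by a /DELETE of the same /tn: a transient SYSTEM task rather than a persistent scheduled job.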
Contains functionality to start windows services
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00401071 StartServiceCtrlDispatcherA
Creates an autostart registry key
Source: C:\Windows\SysWOW64\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ouoauj (2 occurrences)

Hooking and other Techniques for Hiding and Protection:
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Memory written: PID: 5076 base: E9F2F0 value: E9 BD 22 BA FF
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\file1.exe | Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)

Malware Analysis System Evasion:
Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_1_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\Desktop\file1.exe | Code function: 7_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A43BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 36_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 38_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 39_2_00403BC5 GetModuleHandleA,GetModuleFileNameA,StrStrIA
Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_0040341D in eax, dx
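Worked example (editor's code, not from the report) covering two of the static signatures on this page: the push/ret sequences listed under "Uses code obfuscation techniques (call, push, ret)" in the Data Obfuscation section, and the `in eax, dx` behind the VMware check directly above. A `push imm32; ret` is an indirect jump to the pushed value (the report's `push 00405BFDh; ret` transfers to 0x00405BFD) and `push reg; ret` jumps wherever the register points; both break linear disassembly and simple call-graph recovery. `in eax, dx` is only meaningful as a VM probe when EAX holds the VMware magic 'VMXh' (0x564D5868) and DX the backdoor port 0x5658: in ring 3 on real hardware the instruction faults, under VMware the hypervisor answers it. The byte scanner below works on a constructed buffer that reproduces the report's variants; it is a raw pattern scan rather than a disassembly, so any hit inside data is a candidate, not proof, which is the usual caveat for this kind of signature.

```python
# Constructed code buffer modelled on the report's findings: a normal prologue,
# the push/ret variants the report lists, the VMware backdoor sequence ending in
# `in eax, dx`, and a normal epilogue. Byte offsets stand in for addresses.
CODE = bytes.fromhex(
    "55 8B EC"            # push ebp; mov ebp, esp      (ordinary prologue, not flagged)
    "52 C3"               # push edx; ret               (cf. 0_2_023883C0)
    "68 FD 5B 40 00 C3"   # push 00405BFDh; ret         (cf. 28_2_00647367)
    "6A 6A CB"            # push 6Ah; retf              (cf. 10_2_00D553DD)
    "0E CF"               # push cs; iretd              (cf. 10_2_00D52EE4)
    "B8 68 58 4D 56"      # mov eax, 564D5868h ('VMXh')
    "BA 58 56 00 00"      # mov edx, 5658h (VMware backdoor port)
    "ED"                  # in eax, dx                  (cf. 0_2_0040341D)
    "C9 C3"               # leave; ret                  (ordinary epilogue)
)

VMWARE_MAGIC = b"\xB8\x68\x58\x4D\x56"   # mov eax, 0x564D5868
IN_EAX_DX = 0xED


def scan_push_ret(code, base=0):
    """Linear byte scan for push/ret trampolines. Each hit is
    (address, mnemonic, branch_target_or_None)."""
    hits = []
    for i, b in enumerate(code):
        if 0x50 <= b <= 0x57 and code[i + 1:i + 2] == b"\xC3":          # push r32; ret
            hits.append((base + i, "push r32; ret", None))
        elif b == 0x68 and code[i + 5:i + 6] == b"\xC3":                 # push imm32; ret
            target = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((base + i, "push imm32; ret", target))           # behaves as jmp target
        elif b == 0x6A and code[i + 2:i + 3] == b"\xCB":                 # push imm8; retf
            hits.append((base + i, "push imm8; retf", None))
        elif b == 0x0E and code[i + 1:i + 2] == b"\xCF":                 # push cs; iretd
            hits.append((base + i, "push cs; iretd", None))
    return hits


def scan_vmware_backdoor(code, base=0, window=32):
    """`in eax, dx` within `window` bytes after the 'VMXh' magic load.
    Returns (magic_address, in_address) pairs. A lone 0xED byte is far too
    common in code and data to be worth flagging on its own."""
    hits, start = [], 0
    while True:
        m = code.find(VMWARE_MAGIC, start)
        if m < 0:
            return hits
        for j in range(m + len(VMWARE_MAGIC), min(len(code), m + window)):
            if code[j] == IN_EAX_DX:
                hits.append((base + m, base + j))
                break
        start = m + 1


if __name__ == "__main__":
    for addr, mnem, target in scan_push_ret(CODE, base=0x400000):
        print(f"{addr:08X}  {mnem}" + (f"  -> {target:08X}" if target is not None else ""))
    for magic, inp in scan_vmware_backdoor(CODE, base=0x400000):
        print(f"VMware backdoor probe: magic at {magic:08X}, in eax, dx at {inp:08X}")
```

Run over a real dump, the push/ret scan is most useful restricted to executable sections (see the section parser earlier on this page) and the VMware scan is best paired with the other checks the report lists for this sample, cpuid and SetupDiGetDeviceRegistryPropertyA, since a single technique on its own is a weak signal.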
Uses ping.exe to sleep
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00403A82 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Module32First,StrStrIA,Module32Next,CloseHandle
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_004034AF SetupDiGetDeviceRegistryPropertyA,GetLastError
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 807
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\cmd.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\file1.exe
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\file1.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file1.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\file1.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-5115)
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file1.exe TID: 3456 | Thread sleep count: 72 > 30
Source: C:\Users\user\Desktop\file1.exe TID: 3056 | Thread sleep count: 73 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 896 | Thread sleep count: 72 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 2656 | Thread sleep count: 73 > 30
Source: C:\Users\user\Desktop\file1.exe TID: 2372 | Thread sleep count: 73 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 4384 | Thread sleep time: -24210000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4384 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 4236 | Thread sleep count: 74 > 30
Source: C:\Users\user\AppData\Roaming\Micros4oft\Eeyuq\xnzoowi.exe TID: 4000 | Thread sleep count: 75 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 4692 | Thread sleep count: 71 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 4308 | Thread sleep count: 72 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 2276 | Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 3720 | Thread sleep count: 71 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (12 occurrences)
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D461AD FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Contains functionality to query system information
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_004054A4 memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: reg.exe, 00000008.00000002.826914196.000001CFFDD40000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.831942342.0000011D7CD10000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.837319895.000002469F6E0000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.842017852.000001FE616A0000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.848502146.00000215FF5A0000.00000002.00000001.sdmp, reg.exe, 00000014.00000002.852911201.00000222EC820000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.855939314.0000024DD2390000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.864206311.000001C2DBB90000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.870147621.00000229CFDF0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000A.00000002.1187274112.0000000000042000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: reg.exe, 00000008.00000002.826914196.000001CFFDD40000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.831942342.0000011D7CD10000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.837319895.000002469F6E0000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.842017852.000001FE616A0000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.848502146.00000215FF5A0000.00000002.00000001.sdmp, reg.exe, 00000014.00000002.852911201.00000222EC820000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.855939314.0000024DD2390000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.864206311.000001C2DBB90000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.870147621.00000229CFDF0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 00000008.00000002.826914196.000001CFFDD40000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.831942342.0000011D7CD10000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.837319895.000002469F6E0000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.842017852.000001FE616A0000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.848502146.00000215FF5A0000.00000002.00000001.sdmp, reg.exe, 00000014.00000002.852911201.00000222EC820000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.855939314.0000024DD2390000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.864206311.000001C2DBB90000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.870147621.00000229CFDF0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: reg.exe, 00000008.00000002.826914196.000001CFFDD40000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.831942342.0000011D7CD10000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.837319895.000002469F6E0000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.842017852.000001FE616A0000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.848502146.00000215FF5A0000.00000002.00000001.sdmp, reg.exe, 00000014.00000002.852911201.00000222EC820000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.855939314.0000024DD2390000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.864206311.000001C2DBB90000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.870147621.00000229CFDF0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Windows\SysWOW64\explorer.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Users\user\Desktop\file1.exe | Process information queried: ProcessInformation

Anti Debugging:
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A454A4 memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA,LdrInitializeThunk
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00403A82 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Module32First,StrStrIA,Module32Next,CloseHandle
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00405866 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3EA97 GetProcessHeap,HeapFree
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\file1.exe | Memory protected: page execute read, page execute and read and write, page guard

HIPS / PFW / Operating System Protection Evasion:
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Memory written: PID: 5076 base: E9F2F0 value: E9
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: E9F2F0
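Worked example (editor's code, not from the report): decoding the five bytes the report shows being written into explorer.exe (PID 5076) at 0xE9F2F0, E9 BD 22 BA FF. The opcode E9 is a jmp rel32; the displacement BD 22 BA FF is the little-endian signed value -0x45DD43, so the patched instruction jumps to 0xE9F2F0 + 5 - 0x45DD43 = 0x00A415B2. That lands in the same 0x00A4xxxx range in which the report places the injected code's functions inside explorer.exe (10_2_00A43BC5, 10_2_00A454A4), which is the picture of a hook: the original explorer code at 0xE9F2F0 (the report does not name what it is) is redirected into the mapped payload. The bounds used for the injected region are an assumption for the example; on a live system they come from the process's memory map.

```python
import struct

# Constructed from the report's own observation: xnzoowi.exe writes the bytes
# E9 BD 22 BA FF at 0xE9F2F0 inside explorer.exe (PID 5076).
HOOK_ADDRESS = 0xE9F2F0
HOOK_BYTES = bytes.fromhex("E9BD22BAFF")
# Assumed bounds: the range in which the report lists the injected module's
# functions in explorer.exe (10_2_00A43BC5, 10_2_00A454A4). Real bounds come
# from the target process's memory map.
INJECTED_REGION = (0x00A40000, 0x00A50000)


def decode_patch(address, data):
    """Interpret the first instruction of a patch written into a foreign 32-bit
    process. Returns {'kind', 'length', 'target' or 'pointer'} for the common
    hook shapes, or None for anything else."""
    if not data:
        return None
    op = data[0]
    if op in (0xE9, 0xE8) and len(data) >= 5:                  # jmp/call rel32
        rel = struct.unpack_from("<i", data, 1)[0]
        return {"kind": "jmp rel32" if op == 0xE9 else "call rel32", "length": 5,
                "target": (address + 5 + rel) & 0xFFFFFFFF}
    if op == 0xEB and len(data) >= 2:                           # jmp rel8
        rel = struct.unpack_from("<b", data, 1)[0]
        return {"kind": "jmp rel8", "length": 2, "target": (address + 2 + rel) & 0xFFFFFFFF}
    if data[:2] == b"\xFF\x25" and len(data) >= 6:              # jmp dword ptr [abs32]
        return {"kind": "jmp [mem32]", "length": 6,
                "pointer": struct.unpack_from("<I", data, 2)[0]}
    if op == 0x68 and len(data) >= 6 and data[5] == 0xC3:       # push imm32; ret
        return {"kind": "push imm32; ret", "length": 6,
                "target": struct.unpack_from("<I", data, 1)[0]}
    return None


def classify_hook(address, data, injected_region):
    """Decode the patch and say whether it diverts execution into the injected region."""
    d = decode_patch(address, data)
    if not d or "target" not in d:
        return d
    lo, hi = injected_region
    d["into_injected_region"] = lo <= d["target"] < hi
    d["displacement"] = d["target"] - (address + d["length"])   # signed, for the record
    return d


if __name__ == "__main__":
    h = classify_hook(HOOK_ADDRESS, HOOK_BYTES, INJECTED_REGION)
    print(f"{h['kind']} at {HOOK_ADDRESS:08X} -> {h['target']:08X} "
          f"(displacement {h['displacement']:#x}, into injected region: {h['into_injected_region']})")
```

The same decoder applies to a memory-write event from an EDR or a sandbox: a control-flow transfer written into a foreign process whose target lies outside any mapped module image is the generic form of this signature, independent of which function was patched.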
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D47305 OpenProcessToken,CloseHandle,FindCloseChangeNotification, C:\Windows\SysWOW64\explorer.exe
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00401A26 EntryPoint,GetCommandLineW,CommandLineToArgvW,HeapCreate,GetModuleHandleA,lstrcmpiW,CoInitializeEx,GetForegroundWindow,ShellExecuteW,Sleep,CopyFileW,ExitProcess
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\file1.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00407A4E AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,LocalFree,LocalFree,FreeSid,FreeSid
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00407A4E AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,LocalFree,LocalFree,FreeSid,FreeSid
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 0000000A.00000002.1189195880.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000002.1189195880.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.1189195880.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: explorer.exe, 0000000A.00000002.1189195880.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file1.exe, Code function: 0_2_004032F1 cpuid 0_2_004032F1
Queries device information via Setup API
Source: C:\Users\user\Desktop\file1.exe, Code function: 0_2_004034AF SetupDiGetDeviceRegistryPropertyA,GetLastError,0_2_004034AF
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\file1.exe, Queries volume information: C:\ VolumeInformation
Contains functionality to create pipes for IPC
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 10_2_00D35131 CreateNamedPipeA,10_2_00D35131
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\file1.exe, Code function: 0_2_00408E35 memset,GetLocalTime,memset,GetLocalTime,lstrcpynW,lstrcatW,DeleteFileW,0_2_00408E35
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\file1.exe, Code function: 0_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,0_2_0040A1BF
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\file1.exe, Code function: 0_2_004054A4 memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA,0_2_004054A4
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match, File source: 00000007.00000002.891313706.00000000008F0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file1.exe PID: 2344, type: MEMORY

Remote Access Functionality:

Yara detected Qbot
Source: Yara match, File source: 00000007.00000002.891313706.00000000008F0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file1.exe PID: 2344, type: MEMORY
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 10_2_00D3A96E socket,memset,inet_addr,GetBestRoute,GetIpAddrTable,GetIpAddrTable,memset,setsockopt,setsockopt,bind,closesocket,LdrInitializeThunk,memset,getaddrinfo,sendto,freeaddrinfo,memcmp,memcmp,memcmp,memcpy,memcpy,closesocket,10_2_00D3A96E
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 10_2_00D4237D socket,ioctlsocket,WSAGetLastError,htons,setsockopt,bind,listen,closesocket,10_2_00D4237D

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph image; ID: 221896, Sample: file1.exe, Start date: 11/04/2020, Architecture: WINDOWS, Score: 100. Top-level signatures: Sigma detected: QBot Process Creation; Yara detected Qbot; Uses ping.exe to sleep; 3 other signatures. Processes started: file1.exe, xnzoowi.exe, schtasks.exe, cmd.exe, reg.exe. Dropped files: C:\Users\user\AppData\Roaming\...\xnzoowi.exe (PE32) and C:\Users\user\...\xnzoowi.exe:Zone.Identifier (ASCII). Signatures on file1.exe: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); Uses cmd line tools excessively to alter registry or file data; 2 other signatures.]