
Analysis Report file1.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 221896
Start date: 11.04.2020
Start time: 02:06:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: file1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@58/5@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 65.7% (good quality ratio 60.9%)
  • Quality average: 75.7%
  • Quality standard deviation: 31.5%
HCA Information:
  • Successful, ratio: 85%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Qbot
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is a service DLL but no service has been registered
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Techniques flagged by the report, grouped by tactic. The bracketed digits are the report's signature-count badges, which text extraction fused onto the technique names; matrix cells the report did not flag are omitted.

Initial Access: Valid Accounts [1]
Execution: Execution through API [31]; Command-Line Interface [12]; Service Execution [2]; Scheduled Task [1]
Persistence: Registry Run Keys / Startup Folder [1]; Hooking [1]; Valid Accounts [1]; Scheduled Task [1]; Modify Existing Service [1]; New Service [3]
Privilege Escalation: Exploitation for Privilege Escalation [1]; Hooking [1]; Valid Accounts [1]; Access Token Manipulation [1]; Process Injection [323]; Scheduled Task [1]; New Service [3]
Defense Evasion: Software Packing [31]; Disabling Security Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Masquerading [1]; Valid Accounts [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [11]; Access Token Manipulation [1]; Process Injection [323]
Credential Access: Hooking [1]
Discovery: System Time Discovery [1]; Account Discovery [1]; Security Software Discovery [121]; File and Directory Discovery [1]; System Information Discovery [35]; Network Share Discovery [1]; Query Registry [1]; Virtualization/Sandbox Evasion [11]; Process Discovery [3]; Application Window Discovery [1]; System Owner/User Discovery [1]; Remote System Discovery [1]; System Network Configuration Discovery [1]
Lateral Movement: Remote File Copy [1]
Collection: none flagged
Exfiltration: Data Encrypted [1]
Command and Control: Commonly Used Port [1]; Remote File Copy [1]; Standard Cryptographic Protocol [2]
Network Effects, Remote Service Effects, Impact: none flagged

Signature Overview



AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file1.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 36.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 38.2.xnzoowi.exe.8f0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 29.2.xnzoowi.exe.2260000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.file1.exe.2250000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 39.2.xnzoowi.exe.2270000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 38.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.file1.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 7.2.file1.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 37.2.xnzoowi.exe.7a0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 6.2.xnzoowi.exe.680000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 36.2.xnzoowi.exe.7f0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file1.exe.2390000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.1.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 10.2.explorer.exe.a40000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 29.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 28.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.file1.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 3.2.xnzoowi.exe.2290000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 28.2.xnzoowi.exe.680000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 39.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 37.2.xnzoowi.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 7.2.file1.exe.f50000.1.unpack | Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3FCD5 strncpy,strncmp,QueryPerformanceFrequency,QueryPerformanceCounter,CryptAcquireContextA,

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_1_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\Desktop\file1.exe | Code function: 7_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A4A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 36_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 38_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 39_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D461AD FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then add byte ptr [eax], al

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Contains functionality to download additional files from the internet
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D428EB HttpQueryInfoA,GetSystemTime,InternetReadFile,GetLastError,
Urls found in memory or binary data
Source: explorer.exe, 0000000A.00000002.1187946280.0000000000D30000.00000040.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: explorer.exe, 0000000A.00000002.1187946280.0000000000D30000.00000040.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: file1.exe, 00000000.00000003.782755789.00000000024EA000.00000004.00000040.sdmp, file1.exe, 00000007.00000003.827770537.000000000105A000.00000004.00000040.sdmp, explorer.exe | String found in binary or memory: http://www.ip-adress.com
Source: file1.exe, 00000000.00000003.782755789.00000000024EA000.00000004.00000040.sdmp, file1.exe, 00000007.00000003.827770537.000000000105A000.00000004.00000040.sdmp, explorer.exe, 0000000A.00000002.1187946280.0000000000D30000.00000040.00000001.sdmp | String found in binary or memory: http://www.ip-adress.com?%04x.%uNULL??YESNO

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_004046CF memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_00404327 NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Users\user\Desktop\file1.exe | Code function: 7_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A41360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A446CF memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A44327 NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 36_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 38_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 39_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00404ED7 GetLastError,EqualSid,memset,memset,CreateProcessAsUserW,CloseHandle,
Detected potential crypto function
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00404B41
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_1_00404B41
Source: C:\Users\user\Desktop\file1.exe | Code function: 7_2_00404B41
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A44B41
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4A0B0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3F18F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D40175
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D40BA5
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4A3AA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D494E2
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4049A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4ACA0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3ED72
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3F677
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D42664
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4EE3F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4E620
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 36_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 38_2_00404B41
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 39_2_00404B41
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\file1.exe 284674A806BCBE692C76761BAAF21327638DE0C7135BFB06953648BE7D661FBD
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: String function: 00402058 appears 54 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: String function: 004020AD appears 63 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: String function: 00404FF2 appears 36 times
PE file contains strange resources
Source: file1.exe.30.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: file1.exe, 00000007.00000002.893557155.0000000001BD0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs file1.exe
Source: file1.exe, 00000007.00000002.893955364.0000000001CD0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs file1.exe
Source: file1.exe, 00000007.00000002.893955364.0000000001CD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs file1.exe
Source: file1.exe.30.dr | Binary or memory string: OriginalFilenameCALC.EXEj% vs file1.exe
Uses reg.exe to modify the Windows registry
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winEXE@58/5@0/1
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00404E29 CreateToolhelp32Snapshot,memset,Process32First,CloseHandle,Process32Next,FindCloseChangeNotification,
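The "Code function" entries are the strongest evidence in this report of what the sample actually does: the NtCreateSection / NtMapViewOfSection / NtUnmapViewOfSection and GetThreadContext / NtProtectVirtualMemory / NtWriteVirtualMemory functions under native calls are the two halves of the injection into explorer.exe, the NetUserEnum / LookupAccountNameW chain under Spreading enumerates local accounts, the HttpQueryInfoA / InternetReadFile chain under Networking is the downloader, and the Toolhelp walk directly above enumerates processes. The report lists them one line at a time with no roll-up. The Python below is an added example, not part of the Joe Sandbox report and not Joe Security tooling: it parses entries constructed inline from the lines above, matches each API chain against a small catalogue of ordered call subsequences that together implement one capability, and produces a weighted summary. The primitive names, the weights and the subsequence rule are this example's own assumptions, not the report's.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Constructed input: "Code function" entries copied from the report's signature
# section. Each is Joe Sandbox's <pid>_<state>_<address> tag followed by the API
# chain recovered from that function (the trailing comma is part of the report).
SIGNATURE_LINES = [
    "3_2_004046CF memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW,",
    "3_2_00404327 NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose,",
    "0_2_00404E29 CreateToolhelp32Snapshot,memset,Process32First,CloseHandle,Process32Next,FindCloseChangeNotification,",
    "0_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,",
    "0_2_00404ED7 GetLastError,EqualSid,memset,memset,CreateProcessAsUserW,CloseHandle,",
    "10_2_00D428EB HttpQueryInfoA,GetSystemTime,InternetReadFile,GetLastError,",
    "0_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A,",
]

# Capability primitives: (label, weight, ordered API subsequence). A primitive matches
# when its calls occur in this relative order anywhere in the chain; unrelated calls
# may sit between them. Labels and weights are this example's own, not the report's.
PRIMITIVES: List[Tuple[str, int, List[str]]] = [
    ("section-mapping injection", 3, ["NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"]),
    ("thread-context tamper and remote write", 3, ["GetThreadContext", "NtProtectVirtualMemory", "NtWriteVirtualMemory"]),
    ("launch process under another token", 2, ["CreateProcessAsUserW"]),
    ("HTTP download of a payload", 2, ["HttpQueryInfoA", "InternetReadFile"]),
    ("process enumeration via Toolhelp", 1, ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"]),
    ("local account enumeration", 1, ["NetUserEnum", "LookupAccountNameW"]),
]

LINE_RE = re.compile(r"^(?P<tag>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>\S+)$")


def parse_line(line: str) -> Tuple[str, List[str]]:
    """Split one entry into its function tag and the list of API names (empty fields dropped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Code function entry: {line!r}")
    apis = [a for a in m.group("apis").split(",") if a]
    return m.group("tag"), apis


def contains_ordered(apis: Sequence[str], pattern: Sequence[str]) -> bool:
    """True if every call in `pattern` appears in `apis` in the same relative order.

    The shared iterator is advanced by each any(); a later pattern element can only be
    found after the position where the previous one was matched.
    """
    it = iter(apis)
    return all(any(call == wanted for call in it) for wanted in pattern)


def triage(lines: Sequence[str]) -> Dict[str, List[str]]:
    """Map each function tag to the primitives its API chain implements (tags with none are omitted)."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        tag, apis = parse_line(line)
        labels = [label for label, _w, pat in PRIMITIVES if contains_ordered(apis, pat)]
        if labels:
            hits[tag] = labels
    return hits


def score(hits: Dict[str, List[str]]) -> int:
    """Sum the weights of every matched primitive, one count per function that implements it."""
    weights = {label: w for label, w, _p in PRIMITIVES}
    return sum(weights[label] for labels in hits.values() for label in labels)


if __name__ == "__main__":
    found = triage(SIGNATURE_LINES)
    for tag, labels in found.items():
        print(f"{tag}: {', '.join(labels)}")
    print("capability score:", score(found))
```

Because the rule is an ordered subsequence rather than a set, a function that merely imports NtMapViewOfSection for its own use does not match the injection primitive; the unmap after the map is what distinguishes copying into another process from ordinary section use. Adding a primitive is one tuple in PRIMITIVES.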
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00407422 CoCreateInstance,
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00403EFE FindResourceA,SizeofResource,LoadResource,
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00401071 StartServiceCtrlDispatcherA,
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00401071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_00401071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_00401071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_2_00401071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 6_1_00401071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\Desktop\file1.exe | Code function: 7_2_00401071 StartServiceCtrlDispatcherA,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A41071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00401071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_00401071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 36_2_00401071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00401071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 38_2_00401071 StartServiceCtrlDispatcherA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 39_2_00401071 StartServiceCtrlDispatcherA,
Creates files inside the user directory
Source: C:\Users\user\Desktop\file1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4344:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{325DA934-A4BC-4A8F-A255-5F476FAE0ADB}
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:460:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3480:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2412:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4160:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{2E9D1502-75C0-4136-A5B9-1D49E7A8ED2B}
Source: C:\Users\user\Desktop\file1.exe | Mutant created: \Sessions\1\BaseNamedObjects\luiyzzo
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3496:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4768:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4216:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:932:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3036:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:768:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4076:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{C58BC001-5423-4218-98F4-2D67C786C0DA}
Creates temporary files
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\~xnzoowi.tmp
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Process created: C:\Windows\SysWOW64\explorer.exe
PE file has an executable .text section and no other executable section
Source: file1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\file1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample reads its own file content
Source: C:\Users\user\Desktop\file1.exe | File read: C:\Users\user\Desktop\file1.exe
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file1.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\file1.exe 'C:\Users\user\Desktop\file1.exe'
Source: unknown | Process created: C:\Users\user\Desktop\file1.exe C:\Users\user\Desktop\file1.exe /C
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn erxfgza /tr '\'C:\Users\user\Desktop\file1.exe\' /I erxfgza' /SC ONCE /Z /ST 02:09 /ET 02:21
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: unknown | Process created: C:\Users\user\Desktop\file1.exe C:\Users\user\Desktop\file1.exe /I erxfgza
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Eeyuq' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\file1.exe'
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN erxfgza
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe 'C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe 'C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Users\user\Desktop\file1.exe C:\Users\user\Desktop\file1.exe /C
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn erxfgza /tr '\'C:\Users\user\Desktop\file1.exe\' /I erxfgza' /SC ONCE /Z /ST 02:09 /ET 02:21
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Eeyuq' /d '0'
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe
Source: C:\Users\user\Desktop\file1.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\file1.exe'
Source: C:\Users\user\Desktop\file1.exeProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN erxfgza
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe /C
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\file1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
PE file has a big code sizeShow sources
Source: file1.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Submission file is bigger than most known malware samplesShow sources
Source: file1.exeStatic file information: File size 2277376 > 1048576
PE file has a big raw sectionShow sources
Source: file1.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x226600
Binary contains paths to debug symbolsShow sources
Source: Binary string: calc.pdbGCTL source: file1.exe.30.dr
Source: Binary string: calc.pdb source: file1.exe.30.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 0.2.file1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 2.2.file1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 3.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 6.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 7.2.file1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 28.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 29.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 36.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 37.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 38.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 39.2.xnzoowi.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 0.2.file1.exe.2390000.1.unpack
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 2.2.file1.exe.2250000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 3.2.xnzoowi.exe.2290000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 6.2.xnzoowi.exe.680000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 28.2.xnzoowi.exe.680000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 29.2.xnzoowi.exe.2260000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 39.2.xnzoowi.exe.2270000.1.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 0.2.file1.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 2.2.file1.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 3.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 6.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file1.exe | Unpacked PE file: 7.2.file1.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 28.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 29.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 36.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 37.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 38.2.xnzoowi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Unpacked PE file: 39.2.xnzoowi.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00405866 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_023883C0 push edx; ret
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_02388270 push edx; ret
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_009983C0 push edx; ret
Source: C:\Users\user\Desktop\file1.exe | Code function: 2_2_00998270 push edx; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_022883C0 push edx; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 3_2_02288270 push edx; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D5B823 push esp; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D53196 push ebx; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D553DD push 0000006Ah; retf
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D553DB push 0000006Ah; retf
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D55373 push 0000006Ah; retf
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D52EE4 push cs; iretd
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D52FE6 push cs; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_006783C0 push edx; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_0064628A push eax; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00647367 push 00405BFDh; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 28_2_00644F91 push 00000000h; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_022583C0 push edx; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 29_2_02258270 push edx; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_006B83C0 push edx; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_0068628A push eax; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00687367 push 00405BFDh; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: 37_2_00684F91 push 00000000h; ret

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Users\user\Desktop\file1.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: reg.exe
Drops PE files
Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\Desktop\file1.exe
Source: C:\Users\user\Desktop\file1.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn erxfgza /tr '\'C:\Users\user\Desktop\file1.exe\' /I erxfgza' /SC ONCE /Z /ST 02:09 /ET 02:21
Contains functionality to start windows services
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00401071 StartServiceCtrlDispatcherA,
Creates an autostart registry key
Source: C:\Windows\SysWOW64\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ouoauj
Source: C:\Windows\SysWOW64\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ouoauj

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Memory written: PID: 5076 base: E9F2F0 value: E9 BD 22 BA FF
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\file1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file1.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Users\user\Desktop\file1.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\Desktop\file1.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\Desktop\file1.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,
Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_0040341D in eax, dx
Uses ping.exe to sleep
Source: unknown | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00403A82 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Module32First,StrStrIA,Module32Next,CloseHandle,
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_004034AF SetupDiGetDeviceRegistryPropertyA,GetLastError,
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 807
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\cmd.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\file1.exe
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\file1.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file1.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\file1.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file1.exe TID: 3456 | Thread sleep count: 72 > 30
Source: C:\Users\user\Desktop\file1.exe TID: 3056 | Thread sleep count: 73 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 896 | Thread sleep count: 72 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 2656 | Thread sleep count: 73 > 30
Source: C:\Users\user\Desktop\file1.exe TID: 2372 | Thread sleep count: 73 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 4384 | Thread sleep time: -24210000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4384 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 4236 | Thread sleep count: 74 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 4000 | Thread sleep count: 75 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 4692 | Thread sleep count: 71 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 4308 | Thread sleep count: 72 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 2276 | Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe TID: 3720 | Thread sleep count: 71 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D461AD FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose,
Contains functionality to query system information
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_004054A4 memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA,
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: reg.exe, 00000008.00000002.826914196.000001CFFDD40000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.831942342.0000011D7CD10000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.837319895.000002469F6E0000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.842017852.000001FE616A0000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.848502146.00000215FF5A0000.00000002.00000001.sdmp, reg.exe, 00000014.00000002.852911201.00000222EC820000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.855939314.0000024DD2390000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.864206311.000001C2DBB90000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.870147621.00000229CFDF0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000A.00000002.1187274112.0000000000042000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: reg.exe, 00000008.00000002.826914196.000001CFFDD40000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.831942342.0000011D7CD10000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.837319895.000002469F6E0000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.842017852.000001FE616A0000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.848502146.00000215FF5A0000.00000002.00000001.sdmp, reg.exe, 00000014.00000002.852911201.00000222EC820000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.855939314.0000024DD2390000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.864206311.000001C2DBB90000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.870147621.00000229CFDF0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 00000008.00000002.826914196.000001CFFDD40000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.831942342.0000011D7CD10000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.837319895.000002469F6E0000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.842017852.000001FE616A0000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.848502146.00000215FF5A0000.00000002.00000001.sdmp, reg.exe, 00000014.00000002.852911201.00000222EC820000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.855939314.0000024DD2390000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.864206311.000001C2DBB90000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.870147621.00000229CFDF0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: reg.exe, 00000008.00000002.826914196.000001CFFDD40000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.831942342.0000011D7CD10000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.837319895.000002469F6E0000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.842017852.000001FE616A0000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.848502146.00000215FF5A0000.00000002.00000001.sdmp, reg.exe, 00000014.00000002.852911201.00000222EC820000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.855939314.0000024DD2390000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.864206311.000001C2DBB90000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.870147621.00000229CFDF0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Windows\SysWOW64\explorer.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Users\user\Desktop\file1.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A454A4 memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA,LdrInitializeThunk,
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00403A82 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Module32First,StrStrIA,Module32Next,CloseHandle,
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00405866 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3EA97 GetProcessHeap,HeapFree,
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\file1.exe | Memory protected: page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Memory written: PID: 5076 base: E9F2F0 value: E9
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: E9F2F0
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: OpenProcessToken,CloseHandle,FindCloseChangeNotification, C:\Windows\SysWOW64\explorer.exe
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00401A26 EntryPoint,GetCommandLineW,CommandLineToArgvW,HeapCreate,GetModuleHandleA,lstrcmpiW,CoInitializeEx,GetForegroundWindow,ShellExecuteW,Sleep,CopyFileW,ExitProcess,
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Roaming\Microsoft\Eeyuq\xnzoowi.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\file1.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\file1.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00407A4E AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,LocalFree,LocalFree,FreeSid,FreeSid,
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00407A4E AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,LocalFree,LocalFree,FreeSid,FreeSid,
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 0000000A.00000002.1189195880.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000002.1189195880.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.1189195880.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: explorer.exe, 0000000A.00000002.1189195880.00000000034E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_004032F1 cpuid
Queries device information via Setup API
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_004034AF SetupDiGetDeviceRegistryPropertyA,GetLastError,
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\file1.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file1.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file1.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to create pipes for IPC
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D35131 CreateNamedPipeA,
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_00408E35 memset,GetLocalTime,memset,GetLocalTime,lstrcpynW,lstrcatW,DeleteFileW,
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_0040A1BF NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,
Contains functionality to query windows version
Source: C:\Users\user\Desktop\file1.exe | Code function: 0_2_004054A4 memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA,
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match | File source: 00000007.00000002.891313706.00000000008F0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file1.exe PID: 2344, type: MEMORY

Remote Access Functionality:

Yara detected Qbot
Source: Yara match | File source: 00000007.00000002.891313706.00000000008F0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file1.exe PID: 2344, type: MEMORY
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D3A96E socket,memset,inet_addr,GetBestRoute,GetIpAddrTable,GetIpAddrTable,memset,setsockopt,setsockopt,bind,closesocket,LdrInitializeThunk,memset,getaddrinfo,sendto,freeaddrinfo,memcmp,memcmp,memcmp,memcpy,memcpy,closesocket
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00D4237D socket,ioctlsocket,WSAGetLastError,htons,setsockopt,bind,listen,closesocket
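The "Code function" sources in this report list, in order, the Win32 APIs each function calls, and the order is what carries the meaning: socket, bind, listen at 10_2_00D4237D is a server socket, while 10_2_00D3A96E binds and then only calls sendto, and the GetVersionExA / IsWow64Process / GetComputerNameW run inside 0_2_004054A4 is host fingerprinting buried among string handling. The following Python is an added example, not Joe Sandbox code and not code from the sample: it parses such lines as they were extracted here (with the Source and Code function columns run together) and tags each function by ordered API patterns. The sample lines are copied from this report; the tag names and patterns are the editor's own choices, and the reading of the `10_2_` prefix as process index and analysis run is an assumption.

```python
"""Added example: parse Joe Sandbox "Code function" signature sources into
API-call sequences and flag ordered call patterns an analyst cares about."""
import re
from dataclasses import dataclass, field

# Input constructed from this report's signature sources.  The extraction ran
# the "Source:" and "Code function:" columns together; the parser accepts that.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\file1.exeCode function: 0_2_004054A4 memset,"
    "GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,"
    "GetCurrentProcess,LookupAccountSidW,GetLastError,GetModuleFileNameW,lstrcpynW,"
    "lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,"
    "GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,"
    "GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,"
    "GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,"
    "SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,"
    "GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,"
    "SetEnvironmentVariableA,GetComputerNameW,lstrlenA,",
    "Source: C:\\Windows\\SysWOW64\\explorer.exeCode function: 10_2_00D35131 CreateNamedPipeA,",
    "Source: C:\\Windows\\SysWOW64\\explorer.exeCode function: 10_2_00D3A96E socket,memset,"
    "inet_addr,GetBestRoute,GetIpAddrTable,GetIpAddrTable,memset,setsockopt,setsockopt,"
    "bind,closesocket,LdrInitializeThunk,memset,getaddrinfo,sendto,freeaddrinfo,"
    "memcmp,memcmp,memcmp,memcpy,memcpy,closesocket,",
    "Source: C:\\Windows\\SysWOW64\\explorer.exeCode function: 10_2_00D4237D socket,"
    "ioctlsocket,WSAGetLastError,htons,setsockopt,bind,listen,closesocket,",
    "Source: C:\\Users\\user\\Desktop\\file1.exeCode function: 0_2_00408E35 memset,"
    "GetLocalTime,memset,GetLocalTime,lstrcpynW,lstrcatW,DeleteFileW,",
]

# "10_2_00D4237D" is read as process index, analysis run, function address
# (assumption about Joe Sandbox's naming; only the address is used below).
LINE_RE = re.compile(
    r"^Source:\s*(?P<image>.+?)Code function:\s*"
    r"(?P<proc>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)\s+(?P<apis>.*)$"
)


@dataclass
class CodeFunction:
    image: str
    proc: int
    address: int
    apis: list = field(default_factory=list)


def parse_line(line):
    """Return a CodeFunction for a 'Code function' source line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
    return CodeFunction(m.group("image"), int(m.group("proc")),
                        int(m.group("addr"), 16), apis)


# Ordered patterns: each step is an API name or a tuple of accepted names.
# Order is the point: socket,bind without a later listen (the sendto function
# above) must not be tagged as a server.
PATTERNS = {
    "listening_socket": ["socket", "bind", "listen"],
    "named_pipe_server": [("CreateNamedPipeA", "CreateNamedPipeW")],
    "host_fingerprint": [("GetVersionExA", "GetVersionExW"), "IsWow64Process",
                         ("GetComputerNameW", "GetComputerNameA")],
}


def _step_matches(api, step):
    return api in step if isinstance(step, tuple) else api == step


def contains_subsequence(apis, pattern):
    """True if every pattern step occurs in apis, in order, gaps allowed."""
    it = iter(apis)
    return all(any(_step_matches(a, step) for a in it) for step in pattern)


def classify(func):
    return sorted(tag for tag, pat in PATTERNS.items()
                  if contains_subsequence(func.apis, pat))


def scan(lines):
    """Return (image, address, tags) for each function matching a pattern."""
    hits = []
    for line in lines:
        func = parse_line(line)
        if func is None:
            continue
        tags = classify(func)
        if tags:
            hits.append((func.image, f"{func.address:08X}", tags))
    return hits


if __name__ == "__main__":
    for image, addr, tags in scan(SAMPLE_LINES):
        print(f"{image} {addr}: {', '.join(tags)}")
```

Run against the five lines above it reports the fingerprinting function in file1.exe, the named-pipe server and the listening socket in the injected explorer.exe, and stays silent on the sendto function and the GetLocalTime helper. Matching is a subsequence check rather than substring search, so a pattern cannot be satisfied by calls that appear in the wrong order.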

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 221896   Sample: file1.exe   Start date: 11/04/2020   Architecture: WINDOWS   Score: 100

Signatures on the sample: Sigma detected: QBot Process Creation; Yara detected Qbot; Uses ping.exe to sleep; 3 other signatures

Process tree (numbers in brackets are the graph's node IDs):
  • [8] file1.exe, started from the sample
      dropped: C:\Users\user\AppData\Roaming\...\xnzoowi.exe (PE32)
      dropped: C:\Users\user\...\xnzoowi.exe:Zone.Identifier (ASCII)
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 2 other signatures
      started: [18] xnzoowi.exe; [21] schtasks.exe; [23] file1.exe
  • [12] file1.exe, started from the sample
      signatures: Uses cmd line tools excessively to alter registry or file data
      started: [25] cmd.exe; [29] xnzoowi.exe; [31] reg.exe; 9 other processes
  • [14] xnzoowi.exe, started from the sample
      started: [33] xnzoowi.exe
  • [16] xnzoowi.exe, started from the sample
      started: [35] xnzoowi.exe
  • [18] xnzoowi.exe
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 6 other signatures
      started: [39] explorer.exe
  • [42] xnzoowi.exe
