Analysis Report sSwGUuStAT

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:225220
Start date:24.04.2020
Start time:19:32:35
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 31s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:sSwGUuStAT (renamed file extension from none to msi)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal88.adwa.evad.winMSI@11/6@1/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 86.7%)
  • Quality average: 66.7%
  • Quality standard deviation: 33.2%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 35
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe
  • Excluded IPs from analysis (whitelisted): 216.58.215.238, 8.248.135.254, 8.253.204.121, 67.27.157.254, 8.253.204.120, 8.248.113.254, 72.247.224.69
  • Excluded domains from analysis (whitelisted): docs.google.com, fs.microsoft.com, sites.google.com, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 88 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media1 | Windows Management Instrumentation11 | Bootkit2 | Startup Items1 | Disabling Security Tools1 | Credential Dumping | System Time Discovery1 | Replication Through Removable Media1 | Data from Local System | Data Encrypted1 | Standard Cryptographic Protocol12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API1 | Startup Items1 | Process Injection11 | Masquerading11 | Network Sniffing | Peripheral Device Discovery11 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Graphical User Interface1 | Registry Run Keys / Startup Folder12 | Path Interception | Virtualization/Sandbox Evasion15 | Input Capture | Security Software Discovery341 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | LSASS Driver1 | LSASS Driver1 | DLL Search Order Hijacking | Process Injection11 | Credentials in Files | File and Directory Discovery3 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | NTFS File Attributes1 | Account Manipulation | System Information Discovery35 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Side-Loading1 | Brute Force | Query Registry1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Virtualization/Sandbox Evasion15 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | Process Discovery1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | Remote System Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2 | Avira: detection malicious, Label: HEUR/AGEN.1040415
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2 | Virustotal: Detection: 30%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2 | ReversingLabs: Detection: 64%
Multi AV Scanner detection for submitted file
Source: sSwGUuStAT.msi | Virustotal: Detection: 31%
Source: sSwGUuStAT.msi | ReversingLabs: Detection: 38%

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe | Code function: 2_2_059031B0 GetModuleFileNameA,_strrchr,LdrInitializeThunk,GetWindowsDirectoryA,GetSystemDirectoryA,GetTempPathA,GetSystemTimeAsFileTime,FindFirstFileA,FileTimeToSystemTime,CompareFileTime,CompareFileTime,FindNextFileA,FindClose
Enumerates the file system
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: a5ae9877-a-62cb3a1a-s-sites.googlegroups.com
Urls found in memory or binary data
Source: jXsxjxqw.exe, 00000002.00000003.1150676512.0000000005616000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1259669633.0000000005606000.00000004.00000001.sdmp | String found in binary or memory: http://23.82.140.93/outletbrasil.com.br/novidades/acessorios/aviso1/index.php
Source: jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.glG
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gs
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: jXsxjxqw.exe, jXsxjxqw.exe, 00000007.00000002.1286020675.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://digitalriver.com/DigitalRight/activateLicense
Source: jXsxjxqw.exe, jXsxjxqw.exe, 00000007.00000002.1286020675.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://digitalriver.com/DigitalRight/generateKey
Source: jXsxjxqw.exe, jXsxjxqw.exe, 00000007.00000002.1286020675.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://digitalriver.com/DigitalRight/validateLicense
Source: jXsxjxqw.exe, 00000002.00000002.1179618573.0000000005980000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000002.1179962154.0000000005AF0000.00000004.00000040.sdmp, jXsxjxqw.exe, 00000007.00000002.1286369441.0000000005A20000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000002.1284480483.0000000005780000.00000004.00000040.sdmp | String found in binary or memory: http://drh.digitalriver.com/cs
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gX
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0/
Source: sSwGUuStAT.msi | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: sSwGUuStAT.msi | String found in binary or memory: http://s.symcd.com06
Source: jXsxjxqw.exe, 00000007.00000002.1286020675.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: jXsxjxqw.exe, jXsxjxqw.exe, 00000007.00000002.1286020675.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: sSwGUuStAT.msi | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: sSwGUuStAT.msi | String found in binary or memory: http://t2.symcb.com0
Source: sSwGUuStAT.msi | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: sSwGUuStAT.msi | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: sSwGUuStAT.msi | String found in binary or memory: http://tl.symcd.com0&
Source: sSwGUuStAT.msi | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: sSwGUuStAT.msi | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: sSwGUuStAT.msi | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: jXsxjxqw.exe, jXsxjxqw.exe, 00000007.00000002.1286020675.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://webservice.digitalright.digitalriver.com/DigitalRight
Source: jXsxjxqw.exe, jXsxjxqw.exe, 00000007.00000002.1286020675.0000000005933000.00000002.00000001.sdmp | String found in binary or memory: http://webservice.digitalright.digitalriver.com/xsd
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp | String found in binary or memory: https://a5ae9877-a-62cb3a1a-s-sites.googlegroups.com/
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp | String found in binary or memory: https://a5ae9877-a-62cb3a1a-s-sites.googlegroups.com/site/xbet362/control.zip?attachauth=ANoY7cpPZGa
Source: jXsxjxqw.exe, 00000002.00000003.1145530377.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1141079356.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1143688849.000000000AD68000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1253815432.000000000A94D000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1251969347.000000000A951000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249236590.000000000A337000.00000004.00000001.sdmp | String found in binary or memory: https://apis.google.com
Source: jXsxjxqw.exe, 00000002.00000003.1141519746.000000000A9F6000.00000004.00000001.sdmp | String found in binary or memory: https://chrome.google.com/webstore/de
Source: jXsxjxqw.exe, 00000007.00000003.1254227014.000000000A316000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1252169436.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://chrome.google.com/webstore/detail/apdfllckaahabafndbhieahigkjlhalf
Source: sSwGUuStAT.msi | String found in binary or memory: https://d.symcb.com/cps0%
Source: sSwGUuStAT.msi | String found in binary or memory: https://d.symcb.com/rpa0
Source: sSwGUuStAT.msi | String found in binary or memory: https://d.symcb.com/rpa0.
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com
Source: jXsxjxqw.exe, 00000007.00000003.1252256485.000000000A943000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000002.1270764061.00000000019D8000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/
Source: jXsxjxqw.exe, 00000007.00000002.1287868386.000000000A2B0000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/#
Source: jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com//
Source: jXsxjxqw.exe, 00000007.00000002.1270764061.00000000019D8000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/2
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/T478Md
Source: jXsxjxqw.exe, 00000007.00000002.1270764061.00000000019D8000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/V
Source: jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/W
Source: jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/d
Source: jXsxjxqw.exe, 00000007.00000003.1254227014.000000000A316000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1252169436.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/cspreport;script-src
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/1-NZxqAKYFK-c1c_80VjLHfhLNlb8cK5u-jy-5VSeOto
Source: jXsxjxqw.exe, 00000002.00000003.1148939046.0000000006187000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1257527595.0000000006197000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000002.1270764061.00000000019D8000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/document/d/1-NZxqAKYFK-c1c_80VjLHfhLNlb8cK5u-jy-5VSeOto/edit
Source: jXsxjxqw.exe, 00000007.00000002.1287868386.000000000A2B0000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/1-NZxqAKYFK-c1c_80VjLHfhLNlb8cK5u-jy-5VSeOto/edit41-11D1-8B0
Source: jXsxjxqw.exe, 00000007.00000002.1270764061.00000000019D8000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/document/d/1-NZxqAKYFK-c1c_80VjLHfhLNlb8cK5u-jy-5VSeOto/edit;
Source: jXsxjxqw.exe, 00000007.00000003.1254227014.000000000A316000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/1-NZxqAKYFK-c1c_80VjLHfhLNlb8cK5u-jy-5VSeOto/edit?usp=embed_faceb
Source: jXsxjxqw.exe, 00000007.00000002.1287868386.000000000A2B0000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/1-NZxqAKYFK-c1c_80VjLHfhLNlb8cK5u-jy-5VSeOto/editL.log(Erro
Source: jXsxjxqw.exe, 00000007.00000002.1287868386.000000000A2B0000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/10Yx33pplUYa46H45-r7JrdKsUMgeXcxMn2_AABUrsfE
Source: jXsxjxqw.exe, 00000002.00000003.1148939046.0000000006187000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1257527595.0000000006197000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000002.1287868386.000000000A2B0000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/10Yx33pplUYa46H45-r7JrdKsUMgeXcxMn2_AABUrsfE/edit
Source: jXsxjxqw.exe, 00000007.00000003.1252169436.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/10Yx33pplUYa46H45-r7JrdKsUMgeXcxMn2_AABUrsfE/edit?usp=embed_faceb
Source: jXsxjxqw.exe, 00000007.00000002.1270764061.00000000019D8000.00000004.00000020.sdmp | String found in binary or memory: https://docs.google.com/document/d/10Yx33pplUYa46H45-r7JrdKsUMgeXcxMn2_AABUrsfE/editp
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/10Yx3Q
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/1hp6jZYnlZAtMZgIpw2YGyciS1qxck-OUPteOw9sFhX0/edit
Source: jXsxjxqw.exe, 00000002.00000002.1181283489.000000000AD60000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1141496078.000000000A9D4000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1141519746.000000000A9F6000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249619288.000000000A318000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249712284.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/1hp6jZYnlZAtMZgIpw2YGyciS1qxck-OUPteOw9sFhX0/edit?usp=embed_faceb
Source: jXsxjxqw.exe, 00000002.00000003.1148939046.0000000006187000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1257527595.0000000006197000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/1hp6jZYnlZAtMZgIpw2YGyciS1qxck-OUPteOw9sFhX0/editv;Fv
Source: jXsxjxqw.exe, 00000007.00000003.1249712284.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/document/d/1hp6jZYnlZAtMZgIpw2YGyciS1qxck-OUPteOw9sFhX074SB
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/e
Source: jXsxjxqw.exe, 00000002.00000003.1143636797.000000000AD62000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/support/bin/static
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249712284.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/support/bin/static.py?page
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://docs.google.com/tor)O
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/fi
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/file/d/1-NZxqAKYFK-c1c_80VjLHfhLNlb8cK5u-jy-5VSeOto/view?us
Source: jXsxjxqw.exe, 00000002.00000003.1141496078.000000000A9D4000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1143636797.000000000AD62000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://enterprisesearch-pa.googleapis.com
Source: jXsxjxqw.exe, 00000007.00000003.1256020792.0000000001A96000.00000004.00000001.sdmp | String found in binary or memory: https://google.com/
Source: jXsxjxqw.exe, 00000007.00000003.1256020792.0000000001A96000.00000004.00000001.sdmp | String found in binary or memory: https://google.com/X
Source: jXsxjxqw.exe, 00000007.00000003.1252169436.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/o0bx71K0PgMBHAqgNpF_T_QpYnCZZX8Gm29Bt2H1CdXBHFdn8nJOeZtkta56HA3zqg
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/o0bx71K0PgMBHAqgNpF_T_QpYnCZZX8Gm29Bt2j
Source: jXsxjxqw.exe, 00000007.00000003.1254227014.000000000A316000.00000004.00000001.sdmp | String found in binary or memory: https://lh4.googleusercontent.com/55O01-X8xepr748t_7Rp1eyJBxuHyuh9x4c3b7rXAZuwDmBDRRYOYq7zkySHVr_rGW
Source: jXsxjxqw.exe, 00000002.00000002.1181283489.000000000AD60000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1141496078.000000000A9D4000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1141519746.000000000A9F6000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249619288.000000000A318000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249712284.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://lh6.googleusercontent.com/r7de9fZJNfdzRGtH3GErFEbOhxbNslRM_v6J5YyTRMk2v6DDirWfwSbmckxLcGLF-V
Source: jXsxjxqw.exe, 00000002.00000003.1145530377.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1141079356.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1143688849.000000000AD68000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1253815432.000000000A94D000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1251969347.000000000A951000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249236590.000000000A337000.00000004.00000001.sdmp | String found in binary or memory: https://ogs.google.com/widget/app/so
Source: msiexec.exe, 00000001.00000003.1083477636.0000000002F6A000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://pki.kP
Source: msiexec.exe, 00000001.00000003.1115222590.0000000004DE8000.00000004.00000001.sdmp | String found in binary or memory: https://sites.google.com/site/xbet362/control.zip
Source: jXsxjxqw.exe, 00000007.00000003.1254227014.000000000A316000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1252169436.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico
Source: sSwGUuStAT.msi | String found in binary or memory: https://www.advancedinstaller.com
Source: jXsxjxqw.exe, 00000002.00000003.1145530377.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1141079356.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1143688849.000000000AD68000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1253815432.000000000A94D000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1251969347.000000000A951000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249236590.000000000A337000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.co.uk/intl/en-GB/about/products
Source: jXsxjxqw.exe, 00000002.00000003.1145530377.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1253815432.000000000A94D000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: jXsxjxqw.exe, 00000002.00000003.1145530377.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1141079356.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1143688849.000000000AD68000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1253815432.000000000A94D000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1251969347.000000000A951000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249236590.000000000A337000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.EqBcnH-TWRk.O/rt=j/m=qabr
Source: jXsxjxqw.exe, 00000007.00000003.1249712284.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.EqBcnH-TWRk.O/rt=j/m=qd
Source: jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.EqBcnH-TWRk.O/rt=j/m=qds
Source: jXsxjxqw.exe, 00000002.00000003.1145530377.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1141079356.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1143688849.000000000AD68000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1253815432.000000000A94D000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1251969347.000000000A951000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249236590.000000000A337000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.EqBcnH-TWRk.O/rt=j/m=qdsh/d=1/ed=1/rs=AA2YrTv1lGDphP_
Source: jXsxjxqw.exe, 00000002.00000003.1145530377.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1141079356.000000000AA16000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000002.00000003.1143688849.000000000AD68000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1253815432.000000000A94D000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1251969347.000000000A951000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1249236590.000000000A337000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.15aandm11is4m.L.X.O/m=qcwid/excm=qaaw
Source: sSwGUuStAT.msi | String found in binary or memory: https://www.thawte.com/cps0/
Source: sSwGUuStAT.msi | String found in binary or memory: https://www.thawte.com/repository0W
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49944

Operating System Destruction:

Contains functionality to access PhysicalDrive, possible boot sector overwrite
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe | Code function: 2_2_05908680 CreateFileA on filename \\.\PHYSICALDRIVE0

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_05908680: CreateFileA,DeviceIoControl,FindCloseChangeNotification,LoadLibraryA,GetProcAddress,GetLastError,GetDiskFreeSpaceA
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_0591D590
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_058FA5B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_058F95E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_058F5570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_0590C1D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_059201C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 7_2_058FD590
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 7_2_058DA5B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 7_2_058D95E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 7_2_058D5570
Dropped file seen in connection with other malware
Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2 702837E4ED225123EC1161CC53F7731E9B363ABC3301AB7FA1A92F810BB943D2
Enables driver privileges
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process token adjusted: Load Driver
Enables security privileges
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process token adjusted: Security
PE file contains more sections than normal
Source: drive2.1.dr; Static PE information: Number of sections : 16 > 10
Sample file name is different from the original file name gathered from version info
Source: sSwGUuStAT.msi; Binary or memory string: OriginalFilenameAICustAct.dllF vs sSwGUuStAT.msi
Tries to load missing DLLs
Source: C:\Windows\System32\msiexec.exe; Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Section loaded: u3dapi10.dll
Classification label
Source: classification engine; Classification label: mal88.adwa.evad.winMSI@11/6@1/1
Contains functionality to check free disk space
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_05908680 CreateFileA,DeviceIoControl,FindCloseChangeNotification,LoadLibraryA,GetProcAddress,GetLastError,GetDiskFreeSpaceA
Creates files inside the user directory
Source: C:\Windows\SysWOW64\msiexec.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKxcaLnV.zip
Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Mutant created: \Sessions\1\BaseNamedObjects\7BEB42782019
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Mutant created: \Sessions\1\BaseNamedObjects\RAL1DAED25C
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Mutant created: \Sessions\1\BaseNamedObjects\1DAED25C::WK
Creates temporary files
Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Temp\MSI98c3f.LOG
Parts of this application are using Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Windows\SysWOW64\msiexec.exe; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\msiexec.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\SysWOW64\msiexec.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msiexec.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File read: C:\Windows\System32\drivers\etc\hosts
SQL strings found in memory and binary data
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: jXsxjxqw.exe, 00000002.00000002.1156340795.0000000000CD2000.00000004.00020000.sdmp, jXsxjxqw.exe, 00000007.00000003.1226033802.0000000005256000.00000004.00000001.sdmp; Binary or memory string: CREATE TABLE xx( name STRING, /* Name of table or index */ path INTEGER, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype STRING, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Sample is a Windows installer
Source: sSwGUuStAT.msi; Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Sample is known by Antivirus
Source: sSwGUuStAT.msi; Virustotal: Detection: 31%
Source: sSwGUuStAT.msi; ReversingLabs: Detection: 38%
Spawns processes
Source: unknown; Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\sSwGUuStAT.msi'
Source: unknown; Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 59BB6A005034473A0E1459A0A54C1781
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\taskkill.exe taskkill -f -imchrome.exe
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\taskkill.exe taskkill -f -imchrome.exe
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process created: C:\Windows\SysWOW64\taskkill.exe taskkill -f -imchrome.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process created: C:\Windows\SysWOW64\taskkill.exe taskkill -f -imchrome.exe
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\msiexec.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Binary contains paths to debug symbols
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdba source: sSwGUuStAT.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: sSwGUuStAT.msi

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_05908680 CreateFileA,DeviceIoControl,FindCloseChangeNotification,LoadLibraryA,GetProcAddress,GetLastError,GetDiskFreeSpaceA
Entry point lies outside standard sections
Source: initial sample; Static PE information: section where entry point is pointing to: .text1
PE file contains sections with non-standard names
Source: drive2.1.dr; Static PE information: section name: .didata
Source: drive2.1.dr; Static PE information: section name: .text1
Source: drive2.1.dr; Static PE information: section name: .adata
Source: drive2.1.dr; Static PE information: section name: .data1
Source: drive2.1.dr; Static PE information: section name: .reloc1

Persistence and Installation Behavior:

Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_05908680 CreateFileA,DeviceIoControl,FindCloseChangeNotification,LoadLibraryA,GetProcAddress,GetLastError,GetDiskFreeSpaceA, \\.\PHYSICALDRIVE0
Drops PE files
Source: C:\Windows\SysWOW64\msiexec.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\msiexec.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2

Boot Survival:

Contains functionality to infect the boot sector
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_05908680 CreateFileA,DeviceIoControl,FindCloseChangeNotification,LoadLibraryA,GetProcAddress,GetLastError,GetDiskFreeSpaceA, \\.\PHYSICALDRIVE0
Drops PE files to the startup folder
Source: C:\Windows\SysWOW64\msiexec.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\SysWOW64\msiexec.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKxcaLnV.zip
Stores files to the Windows start menu directory
Source: C:\Windows\SysWOW64\msiexec.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKxcaLnV.zip
Source: C:\Windows\SysWOW64\msiexec.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2

Hooking and other Techniques for Hiding and Protection:

Creates files in alternative data streams (ADS)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File created: C:\ProgramData\TEMP:B851648E
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\WMI : MSSMBios_RawSMBiosTables
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\WMI : MSSMBios_RawSMBiosTables
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\WMI : MSSMBios_RawSMBiosTables
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5152; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2400; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5152; Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe TID: 1716; Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe TID: 1716; Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe TID: 5140; Thread sleep time: -60000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File opened: PHYSICALDRIVE0
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem WHERE (Manufacturer LIKE'%VMware%') Or (Manufacturer LIKE'%innotek%') Or (Manufacturer LIKE'%Microsoft%') Or (Manufacturer LIKE'%RingCube%')
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem WHERE (Manufacturer LIKE'%VMware%') Or (Manufacturer LIKE'%innotek%') Or (Manufacturer LIKE'%Microsoft%') Or (Manufacturer LIKE'%RingCube%')
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Checks the free space of hard drives
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe; File Volume queried: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe; File Volume queried: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_059031B0 GetModuleFileNameA,_strrchr,LdrInitializeThunk,GetWindowsDirectoryA,GetSystemDirectoryA,GetTempPathA,GetSystemTimeAsFileTime,FindFirstFileA,FileTimeToSystemTime,CompareFileTime,CompareFileTime,FindNextFileA,FindClose
Enumerates the file system
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: jXsxjxqw.exe; Binary or memory string: VMware
Source: jXsxjxqw.exe, 00000007.00000003.1258850322.000000000A170000.00000004.00000001.sdmp; Binary or memory string: '%VMware%'A^
Source: jXsxjxqw.exe, 00000002.00000002.1180552644.000000000A8C0000.00000002.00000001.sdmp, jXsxjxqw.exe, 00000007.00000002.1288229298.000000000A5D0000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: jXsxjxqw.exe, 00000007.00000002.1287868386.000000000A2B0000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW;
Source: jXsxjxqw.exe, 00000007.00000003.1259410409.0000000005580000.00000004.00000001.sdmp; Binary or memory string: SELECT * FROM Win32_ComputerSystem WHERE (Manufacturer LIKE'%VMware%') Or (Manufacturer LIKE'%innotek%') Or (Manufacturer LIKE'%Microsoft%') Or (Manufacturer LIKE'%RingCube%')
Source: jXsxjxqw.exe, 00000007.00000002.1286020675.0000000005933000.00000002.00000001.sdmp; Binary or memory string: LICENSEKey, %d,%d,%d,%d,%d,%d_RL%08X:SIMULATEEXPIREDLSI-%08XREDIRECT*.INIRESETSLEFTFIRSTRUNVirtualPC/MacVMwareEMULATORVirtualPCTOTALUSESALLKEYSTOTALUSESDR_TAGGEDCONTROLPIDVERSIONNUMBER%u.%02uENHFINGERPRINTV1FINGERPRINTV1ENHFINGERPRINT????-????FINGERPRINTDATELASTRUNGetProcAddressAPROTECTEDFILEPATHPROTECTEDFILEPortableKey280783139651209566452745415942440341413796694838494341377539457004859076682858951705530102803445146243GetRevenueShareParamsRS.DLLAffID=<>
Source: jXsxjxqw.exe, 00000002.00000002.1180998930.000000000A9B0000.00000004.00000001.sdmp, jXsxjxqw.exe, 00000007.00000003.1254340590.000000000A2D9000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: jXsxjxqw.exe, 00000007.00000002.1270764061.00000000019D8000.00000004.00000020.sdmp; Binary or memory string: SELECT * FROM Win32_ComputerSystem WHERE (Manufacturer LIKE'%VMware%') Or (Manufacturer LIKE'%innotek%') Or (Manufacturer LIKE'%Microsoft%') Or (Manufacturer LIKE'%RingCube%')R_PROF@
Source: jXsxjxqw.exe, 00000007.00000002.1270764061.00000000019D8000.00000004.00000020.sdmp; Binary or memory string: SELECT * FROM Win32_ComputerSystem WHERE (Manufacturer LIKE'%VMware%') Or (Manufacturer LIKE'%innotek%') Or (Manufacturer LIKE'%Microsoft%') Or (Manufacturer LIKE'%RingCube%')R_IDEN
Source: jXsxjxqw.exe, 00000002.00000002.1180552644.000000000A8C0000.00000002.00000001.sdmp, jXsxjxqw.exe, 00000007.00000002.1288229298.000000000A5D0000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: jXsxjxqw.exe, 00000002.00000002.1180552644.000000000A8C0000.00000002.00000001.sdmp, jXsxjxqw.exe, 00000007.00000002.1288229298.000000000A5D0000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: jXsxjxqw.exe, 00000007.00000003.1259410409.0000000005580000.00000004.00000001.sdmp; Binary or memory string: SELECT * FROM Win32_ComputerSystem WHERE (Manufacturer LIKE'%VMware%') Or (Manufacturer LIKE'%innotek%') Or (Manufacturer LIKE'%Microsoft%') Or (Manufacturer LIKE'%RingCube%')t
Source: jXsxjxqw.exe, 00000007.00000002.1270764061.00000000019D8000.00000004.00000020.sdmp; Binary or memory string: SELECT * FROM Win32_ComputerSystem WHERE (Manufacturer LIKE'%VMware%') Or (Manufacturer LIKE'%innotek%') Or (Manufacturer LIKE'%Microsoft%') Or (Manufacturer LIKE'%RingCube%')\OpenS.
Source: jXsxjxqw.exe, 00000002.00000002.1180552644.000000000A8C0000.00000002.00000001.sdmp, jXsxjxqw.exe, 00000007.00000002.1288229298.000000000A5D0000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process information queried: ProcessInformation

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Open window title or class name: filemonclass
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File opened: SIWDEBUG
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File opened: NTICE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File opened: SuperBPMDev0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File opened: SICE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; File opened: SIWVID
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_0591D590 _strlen,_strlen,_strlen,_sprintf,LdrInitializeThunk,LdrInitializeThunk,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_strlen,_strlen,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_sprintf,_strlen,_sprintf
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Code function: 2_2_05908680 CreateFileA,DeviceIoControl,FindCloseChangeNotification,LoadLibraryA,GetProcAddress,GetLastError,GetDiskFreeSpaceA
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\msiexec.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe'
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process created: C:\Windows\SysWOW64\taskkill.exe taskkill -f -imchrome.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe; Process created: C:\Windows\SysWOW64\taskkill.exe taskkill -f -imchrome.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKxcaLnV.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe Code function: 2_2_059031B0 GetModuleFileNameA,_strrchr,LdrInitializeThunk,GetWindowsDirectoryA,GetSystemDirectoryA,GetTempPathA,GetSystemTimeAsFileTime,FindFirstFileA,FileTimeToSystemTime,CompareFileTime,CompareFileTime,FindNextFileA,FindClose, 2_2_059031B0
Contains functionality to query windows version
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe Code function: 2_2_0590C1D0 _memset,GetModuleFileNameA,_strrchr,GetVersionExA,IsBadStringPtrA,IsBadCodePtr,VirtualProtect,IsBadWritePtr,VirtualProtect, 2_2_0590C1D0

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 225220
Sample: sSwGUuStAT
Start date: 24/04/2020
Architecture: WINDOWS
Score: 88

Graph nodes (recovered from the graph rendering; the graph image itself is not included):

  • sSwGUuStAT (submitted sample)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
    • msiexec.exe (started)
      DNS/IP: googlegroups.l.googleusercontent.com 108.177.119.137, 443, 49944, unknown ASN, United States; a5ae9877-a-62cb3a1a-s-sites.googlegroups.com
      Dropped: C:\Users\user\AppData\Roaming\...\drive2, PE32
      Signature: Drops PE files to the startup folder
      • jXsxjxqw.exe (started)
        • taskkill.exe (started)
          • conhost.exe (started)
    • jXsxjxqw.exe (started)
      Dropped: C:\ProgramData\TEMP:B851648E, data
      Signature: Creates files in alternative data streams (ADS)
      • taskkill.exe (started)
        • conhost.exe (started)
    • msiexec.exe (started)

Simulations

Behavior and APIs

Time | Type | Description
19:33:07 | API Interceptor | 4x Sleep call for process: msiexec.exe modified
19:33:14 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2
19:33:23 | API Interceptor | 16x Sleep call for process: jXsxjxqw.exe modified
19:33:23 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKxcaLnV.zip
19:33:37 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXsxjxqw.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
sSwGUuStAT.msi | 31% | Virustotal |
sSwGUuStAT.msi | 39% | ReversingLabs | Script-JS.Downloader.Sneaky

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2 | 100% | Avira | HEUR/AGEN.1040415
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2 | 31% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2 | 65% | ReversingLabs | Win32.Trojan.Zumanek

Unpacked PE Files

Source | Detection | Scanner | Label
7.1.jXsxjxqw.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.jXsxjxqw.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1028813
2.1.jXsxjxqw.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.0.jXsxjxqw.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1028813

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ocsp.pki.goog/gts1o10 | 0% | Virustotal |
http://ocsp.pki.goog/gts1o10 | 0% | URL Reputation | safe
http://www.microsoft.co | 0% | Virustotal |
http://www.microsoft.co | 0% | URL Reputation | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | Virustotal |
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
http://ocsp.pki.goog/gsr202 | 0% | Virustotal |
http://ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | Virustotal |
https://pki.goog/repository/0 | 0% | URL Reputation | safe
https://pki.kP | 0% | Avira URL Cloud | safe
http://23.82.140.93/outletbrasil.com.br/novidades/acessorios/aviso1/index.php | 1% | Virustotal |
http://23.82.140.93/outletbrasil.com.br/novidades/acessorios/aviso1/index.php | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gs | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0/ | 0% | Avira URL Cloud | safe
https://www.google.co.uk/intl/en-GB/about/products | 0% | URL Reputation | safe
http://ocsp.pki.goog/gX | 0% | Avira URL Cloud | safe
http://crl.glG | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | Virustotal |
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://crl.pki.goog/GTS1O1.crl0 | 0% | Virustotal |
http://crl.pki.goog/GTS1O1.crl0 | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
108.177.119.137 | DCR-30209829874987903.msi | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
googlegroups.l.googleusercontent.com | DCR-30209829874987903.msi | malicious | 108.177.119.137
googlegroups.l.googleusercontent.com | IMG_20170109_181125_550.exe | malicious | 74.125.140.137
googlegroups.l.googleusercontent.com | https://sites.google.com/site/irsrefundforms/72456/Refund_form_id762154.zip | malicious | 173.194.76.137


JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
ce5f3254611a8c095a3d821d44539877 | Judgement_04222020_40954.vbs | malicious | 108.177.119.137

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drive2 | DCR-30209829874987903.msi | malicious

Screenshots

Thumbnails