
Analysis Report bXgrbzqGSj.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:228480
Start date:08.05.2020
Start time:00:56:27
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 38s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:bXgrbzqGSj.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal96.troj.evad.winEXE@5/44@1/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 91% (good quality ratio 88.6%)
  • Quality average: 84.8%
  • Quality standard deviation: 23.7%
HCA Information:
  • Successful, ratio: 51%
  • Number of executed functions: 27
  • Number of non-executed functions: 34
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 96 | 0 - 100 | | false | Remcos | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task 1 | Hooking 1 | Hooking 1 | Masquerading 11 | Hooking 1 | Virtualization/Sandbox Evasion 11 | Application Deployment Software | Input Capture 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Replication Through Removable Media | Service Execution | Scheduled Task 1 | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 11 | Input Capture 1 | Process Discovery 2 | Remote Services | Clipboard Data 1 | Exfiltration Over Other Network Medium | Uncommonly Used Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Process Injection 212 | Access Token Manipulation 1 | Input Capture | Application Window Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | Scheduled Task 1 | Process Injection 212 | Credentials in Files | Security Software Discovery 11 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 11 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading | Account Manipulation | Remote System Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | File and Directory Discovery 3 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | System Information Discovery 13 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Enceinte.dll | Virustotal: Detection: 7%
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: bXgrbzqGSj.exe | Virustotal: Detection: 20%
Source: bXgrbzqGSj.exe | ReversingLabs: Detection: 58%
Machine Learning detection for sample
Source: bXgrbzqGSj.exe | Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_00406313 FindFirstFileA,FindClose,0_2_00406313
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_00402765 FindFirstFileA,0_2_00402765
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004057D8
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Code function: 2_2_00361000 EntryPoint,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,LoadLibraryA,WSAGetLastError,SetThreadPriority,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,GetProcAddress,WritePrivateProfileStringW,GetLogicalDriveStringsA,MoveFileA,SetCommBreak,SetEndOfFile,DragObject,DrawMenuBar,OpenIcon,RemoveMenu,SystemParametersInfoW,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,2_2_00361000

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025637 ET TROJAN Remcos RAT Checkin 23 192.168.2.5:49739 -> 181.52.103.140:1011
Uses dynamic DNS services
Source: unknown | DNS query: name: remcquince.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49739 -> 181.52.103.140:1011
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: remcquince.duckdns.org
Urls found in memory or binary data
Source: model106.xml.0.dr | String found in binary or memory: http://gimp-print.sourceforge.net/xsd/gp.xsd-1.0
Source: bXgrbzqGSj.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: bXgrbzqGSj.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: u2lsamp1.dll.0.dr | String found in binary or memory: http://www.businessobjects.com0
Source: x-vorbis+ogg.xml.0.dr, x-applix-word.xml.0.dr, x-canon-cr2.xml.0.dr, x-yaml.xml.0.dr, x-lzma-compressed-tar.xml.0.dr, x-java-keystore.xml.0.dr, spreadsheet.xml.0.dr | String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: kingsaudience.xml.0.dr | String found in binary or memory: http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_00405275 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405275
Creates a DirectInput object (often for capturing keystrokes)
Source: Semiramis.exe, 00000002.00000002.820371643.000000000050A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326B
Creates files inside the system directory
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\shutdown.job
Detected potential crypto function
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_00406FC4
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_004067ED
Sample file is different than original file name gathered from version info
Source: bXgrbzqGSj.exe, 00000000.00000002.822750258.000000000040A000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameAWCCApplicationWatcher64.exe> vs bXgrbzqGSj.exe
Source: bXgrbzqGSj.exe, 00000000.00000002.822750258.000000000040A000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenamemscorie.dllT vs bXgrbzqGSj.exe
Classification label
Source: classification engine | Classification label: mal96.troj.evad.winEXE@5/44@1/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326B
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_00404530 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404530
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,0_2_00402138
Creates files inside the user directory
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Roaming\messaging
Creates mutexes
Source: C:\Windows\SysWOW64\cmd.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-MKKL3U
Creates temporary files
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Local\Temp\nsu3DF0.tmp
PE file has an executable .text section and no other executable section
Source: bXgrbzqGSj.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\SysWOW64\cmd.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: bXgrbzqGSj.exe | Virustotal: Detection: 20%
Source: bXgrbzqGSj.exe | ReversingLabs: Detection: 58%
Sample reads its own file content
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File read: C:\Users\user\Desktop\bXgrbzqGSj.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\bXgrbzqGSj.exe 'C:\Users\user\Desktop\bXgrbzqGSj.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Semiramis.exe C:\Users\user\AppData\Local\Temp\Semiramis.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Process created: C:\Users\user\AppData\Local\Temp\Semiramis.exe C:\Users\user\AppData\Local\Temp\Semiramis.exe
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: bXgrbzqGSj.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualC.VSCodeProvider.pdb source: MCppCodeDomProvider.dll.0.dr
Source: Binary string: vcencbld.pdb source: vcencbld.dll.0.dr
Source: Binary string: sgen.pdb4 source: sgen.exe.0.dr
Source: Binary string: f:\clr\bin\i386\bbt\sbs_aspnet_isapi.pdb source: sbsVsaVb7rt.dll.0.dr
Source: Binary string: mscorie.pdb source: mscorie.dll.0.dr
Source: Binary string: cmaccept.pdb source: CMAccept.exe.0.dr
Source: Binary string: vcencbld.pdb`A source: vcencbld.dll.0.dr
Source: Binary string: DesktopDMA.pdb source: DesktopDMA.dll.0.dr
Source: Binary string: System.EnterpriseServices.Thunk.pdb source: SystemEnterpriseServicesThunk.dll.0.dr
Source: Binary string: y:\components\cpp\ufls\uflsamp1\Release\u25samp1.pdb source: u2lsamp1.dll.0.dr
Source: Binary string: sgen.pdb source: sgen.exe.0.dr
Source: Binary string: cmaccept.pdbp@- source: CMAccept.exe.0.dr
Source: Binary string: System.EnterpriseServices.Thunk.pdb 3 source: SystemEnterpriseServicesThunk.dll.0.dr

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Local\Temp\boutique\welcome\none\mfcmifc80.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Local\Temp\boutique\welcome\none\u2lsamp1.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Roaming\erros\album\sysadmin2\vcencbld.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Roaming\consulting\boxes\diffs\MCppCodeDomProvider.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Local\Temp\Enceinte.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Roaming\messaging\styles\CMAccept.exe
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Local\Temp\boutique\welcome\none\DesktopDMA.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Roaming\is-bin\cfcache\sources\sgen.exe
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Roaming\pad\2000\_common\mscorie.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Local\Temp\Semiramis.exe
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Local\Temp\replication\treasury\sbsVsaVb7rt.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | File created: C:\Users\user\AppData\Local\Temp\boutique\welcome\none\SystemEnterpriseServicesThunk.dll

Boot Survival:

Creates job files (autostart)
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\Tasks\shutdown.job

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 77934A40 value: E9 FB 74 FB FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 77934AE0 value: E9 6B 74 FB FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 77934B70 value: E9 AB 73 FB FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 77934B80 value: E9 DB 73 FB FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 77934B90 value: E9 5B 73 FB FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 7794F8E0 value: E9 9B FF FF FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 778E3850 value: E9 6B 78 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 778E50A0 value: E9 EB 6E 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 778A6560 value: E9 0B 00 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 778AB4A0 value: E9 7B 46 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 778CDF80 value: E9 0B 00 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 778EFB90 value: E9 E1 52 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3896 base: 778EFD60 value: E9 26 5B 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 77934A40 value: E9 FB 74 FB FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 77934AE0 value: E9 6B 74 FB FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 77934B70 value: E9 AB 73 FB FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 77934B80 value: E9 DB 73 FB FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 77934B90 value: E9 5B 73 FB FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 7794F8E0 value: E9 9B FF FF FF
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778E3850 value: E9 6B 78 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778E50A0 value: E9 EB 6E 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778A6560 value: E9 0B 00 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778AB4A0 value: E9 7B 46 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778CDF80 value: E9 0B 00 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778EFB90 value: E9 E1 52 00 00
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778EFD60 value: E9 26 5B 00 00
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 77934A40 value: E9 FB 74 FB FF
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 77934AE0 value: E9 6B 74 FB FF
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 77934B70 value: E9 AB 73 FB FF
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 77934B80 value: E9 DB 73 FB FF
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 77934B90 value: E9 5B 73 FB FF
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 7794F8E0 value: E9 9B FF FF FF
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 778E3850 value: E9 6B 78 00 00
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 778E50A0 value: E9 EB 6E 00 00
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 778A6560 value: E9 0B 00 00 00
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 778AB4A0 value: E9 7B 46 00 00
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 778CDF80 value: E9 0B 00 00 00
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 778EFB90 value: E9 E1 52 00 00
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 3036 base: 778EFD60 value: E9 26 5B 00 00
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Section loaded: OutputDebugStringW count: 1976
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 3381
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\boutique\welcome\none\mfcmifc80.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\boutique\welcome\none\u2lsamp1.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\erros\album\sysadmin2\vcencbld.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\consulting\boxes\diffs\MCppCodeDomProvider.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\messaging\styles\CMAccept.exe
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\boutique\welcome\none\DesktopDMA.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\pad\2000\_common\mscorie.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-bin\cfcache\sources\sgen.exe
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\replication\treasury\sbsVsaVb7rt.dll
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\boutique\welcome\none\SystemEnterpriseServicesThunk.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\cmd.exe TID: 4228 | Thread sleep count: 3381 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 4228 | Thread sleep time: -33810000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 480 | Thread sleep count: 72 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 480 | Thread sleep time: -72000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 5016 | Thread sleep count: 64 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 5016 | Thread sleep time: -64000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_00406313 FindFirstFileA,FindClose,0_2_00406313
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_00402765 FindFirstFileA,0_2_00402765
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004057D8
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Code function: 2_2_00361000 EntryPoint,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,LoadLibraryA,WSAGetLastError,SetThreadPriority,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,GetProcAddress,WritePrivateProfileStringW,GetLogicalDriveStringsA,MoveFileA,SetCommBreak,SetEndOfFile,DragObject,DrawMenuBar,OpenIcon,RemoveMenu,SystemParametersInfoW,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,2_2_00361000
Program exit points
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | API call chain: ExitProcess graph end node graph_0-3130
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Code function: 2_2_00361000 EntryPoint,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,LoadLibraryA,WSAGetLastError,SetThreadPriority,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,GetProcAddress,WritePrivateProfileStringW,GetLogicalDriveStringsA,MoveFileA,SetCommBreak,SetEndOfFile,DragObject,DrawMenuBar,OpenIcon,RemoveMenu,SystemParametersInfoW,WSAGetLastError,SetThreadPriority,SignalObjectAndWait,DeleteAtom,OutputDebugStringA,2_2_00361000
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Code function: 2_2_0036186D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0036186D
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Code function: 2_2_740D267B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_740D267B

HIPS / PFW / Operating System Protection Evasion:

Hijacks the control flow in another process
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 77934A40 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 77934AE0 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 77934B70 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 77934B80 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 77934B90 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 7794F8E0 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778E3850 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778E50A0 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778A6560 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778AB4A0 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778CDF80 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778EFB90 value: E9
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Memory written: PID: 3036 base: 778EFD60 value: E9
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\Semiramis.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
May try to detect the Windows Explorer process (often used for injection)
Source: logs.dat.3.dr | Binary or memory string: [ Program Manager ]

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query windows version
Source: C:\Users\user\Desktop\bXgrbzqGSj.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326B

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

Time | Type | Description
00:57:05 | API Interceptor | 4194x Sleep call for process: cmd.exe modified
00:57:13 | Task Scheduler | Run new task: shutdown path: C:\Users\user\AppData\Roaming\erros\shutdown.exe s>/pjvxpbb:0653864 /zhge /vaycd:91543 /jpft /ie
00:57:13 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shutdown.lnk

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
bXgrbzqGSj.exe | 20% | Virustotal | -
bXgrbzqGSj.exe | 58% | ReversingLabs | Win32.Trojan.Kryptik
bXgrbzqGSj.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Enceinte.dll | 7% | Virustotal | -
C:\Users\user\AppData\Local\Temp\Semiramis.exe | 24% | Virustotal | -
C:\Users\user\AppData\Local\Temp\Semiramis.exe | 23% | ReversingLabs | Win32.Trojan.Injector
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\DesktopDMA.dll | 0% | Virustotal | -
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\DesktopDMA.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\SystemEnterpriseServicesThunk.dll | 0% | Virustotal | -
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\SystemEnterpriseServicesThunk.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\mfcmifc80.dll | 0% | Virustotal | -
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\mfcmifc80.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\u2lsamp1.dll | 0% | Virustotal | -
C:\Users\user\AppData\Local\Temp\boutique\welcome\none\u2lsamp1.dll | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\replication\treasury\sbsVsaVb7rt.dll | 0% | Virustotal | -
C:\Users\user\AppData\Local\Temp\replication\treasury\sbsVsaVb7rt.dll | 0% | Metadefender | -
C:\Users\user\AppData\Roaming\consulting\boxes\diffs\MCppCodeDomProvider.dll | 0% | Virustotal | -
C:\Users\user\AppData\Roaming\consulting\boxes\diffs\MCppCodeDomProvider.dll | 0% | Metadefender | -
C:\Users\user\AppData\Roaming\erros\album\sysadmin2\vcencbld.dll | 0% | Virustotal | -
C:\Users\user\AppData\Roaming\is-bin\cfcache\sources\sgen.exe | 0% | Virustotal | -
C:\Users\user\AppData\Roaming\is-bin\cfcache\sources\sgen.exe | 0% | Metadefender | -
C:\Users\user\AppData\Roaming\messaging\styles\CMAccept.exe | 0% | Virustotal | -
C:\Users\user\AppData\Roaming\messaging\styles\CMAccept.exe | 0% | Metadefender | -

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.businessobjects.com0 | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview


System Summary:

Sigma detected: Remcos
Source: File created  Author: Joe Security  Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 3036, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN


JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\is-bin\cfcache\sources\sgen.exe | DOC-INV8363753.exe | malicious
C:\Users\user\AppData\Roaming\is-bin\cfcache\sources\sgen.exe | PO_050220.exe | malicious
C:\Users\user\AppData\Roaming\messaging\styles\CMAccept.exe | RFQ No. PH.RS.198.2020.exe | malicious
C:\Users\user\AppData\Roaming\messaging\styles\CMAccept.exe | Sdoc73098731234550981.exe | malicious
