
Analysis Report 8888888.exe

Overview

General Information

Sample Name:8888888.exe
MD5:465e6dae29de0c62e3cbdd3e9b20d77b
SHA1:1c0fe9ce5dfb8448bc516196d04dba2431f9932a
SHA256:4285058b4ac85ec20a6e013c1426fcdc80bda23f6b6ae01a9ecb091ebdea83b3

Most interesting Screenshot:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect virtual machines (IN, VMware)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

Startup

  • System is w10x64
  • 8888888.exe (PID: 4564 cmdline: 'C:\Users\user\Desktop\8888888.exe' MD5: 465E6DAE29DE0C62E3CBDD3E9B20D77B)
    • 8888888.exe (PID: 4860 cmdline: C:\Users\user\Desktop\8888888.exe /C MD5: 465E6DAE29DE0C62E3CBDD3E9B20D77B)
    • cxeijygq.exe (PID: 4300 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe MD5: 465E6DAE29DE0C62E3CBDD3E9B20D77B)
      • cxeijygq.exe (PID: 4452 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe /C MD5: 465E6DAE29DE0C62E3CBDD3E9B20D77B)
      • explorer.exe (PID: 760 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 499B0D1F6277F17B3BAC525B8717C064)
    • schtasks.exe (PID: 1464 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ftlxxqymzp /tr '\'C:\Users\user\Desktop\8888888.exe\' /I ftlxxqymzp' /SC ONCE /Z /ST 17:07 /ET 17:19 MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • 8888888.exe (PID: 4732 cmdline: C:\Users\user\Desktop\8888888.exe /I ftlxxqymzp MD5: 465E6DAE29DE0C62E3CBDD3E9B20D77B)
    • reg.exe (PID: 3848 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0' MD5: E3DACF0B31841FA02064B4457D44B357)
      • conhost.exe (PID: 2760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • reg.exe (PID: 2384 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2' MD5: E3DACF0B31841FA02064B4457D44B357)
      • conhost.exe (PID: 2412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • reg.exe (PID: 3260 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0' MD5: E3DACF0B31841FA02064B4457D44B357)
      • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • reg.exe (PID: 3408 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2' MD5: E3DACF0B31841FA02064B4457D44B357)
      • conhost.exe (PID: 3008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • reg.exe (PID: 2520 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0' MD5: E3DACF0B31841FA02064B4457D44B357)
      • conhost.exe (PID: 1172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • reg.exe (PID: 4908 cmdline: C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2' MD5: E3DACF0B31841FA02064B4457D44B357)
  • cleanup
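The process tree above carries three behaviours that a detection engineer would turn into rules: reg.exe ADD writes that switch off Defender cloud reporting (SpyNetReporting=0 and SubmitSamplesConsent=2 under both the Windows Defender and Microsoft AntiMalware SpyNet keys, including the Wow6432Node view), a schtasks.exe /Create that runs as NT AUTHORITY\SYSTEM with an action pointing at a binary in the user's profile, and a 32-bit explorer.exe from SysWOW64 launched by a dropped file in AppData. The Python below is an added example and not part of the Joe Sandbox report: it evaluates those three rules over constructed Sysmon-style process-creation events. The first four events copy command lines from the tree above; the last two are benign events made up here to show the rules' specificity. The field names (image, parent, cmdline) are assumptions, and because the sandbox prints double quotes as single quotes the patterns accept either.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed Sysmon-style process-creation events. The first four copy command
# lines from the process tree in this report; the last two are benign events
# made up here to show that the rules do not fire on ordinary administration.
# Joe Sandbox prints " as ', so the patterns below accept either quote.
EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Users\user\Desktop\8888888.exe",
     "cmdline": r"C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'"},
    {"image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Users\user\Desktop\8888888.exe",
     "cmdline": r"C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'"},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\user\Desktop\8888888.exe",
     "cmdline": r"'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ftlxxqymzp /tr '\'C:\Users\user\Desktop\8888888.exe\' /I ftlxxqymzp' /SC ONCE /Z /ST 17:07 /ET 17:19"},
    {"image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent": r"C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe",
     "cmdline": r"C:\Windows\SysWOW64\explorer.exe"},
    {"image": r"C:\Windows\System32\reg.exe",            # benign, constructed
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg.exe ADD 'HKCU\Software\Contoso\App' /v 'Theme' /t REG_SZ /d 'dark' /f"},
    {"image": r"C:\Windows\System32\schtasks.exe",       # benign, constructed
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks.exe /Create /RU 'NT AUTHORITY\SYSTEM' /tn Backup /tr 'C:\Program Files\Backup\backup.exe' /SC DAILY /ST 02:00"},
]

SPYNET_KEY = re.compile(r"\\(Windows Defender|Microsoft AntiMalware)\\SpyNet\b", re.I)
# value name -> data that turns off cloud reporting / sample submission
SPYNET_DISABLE = {"spynetreporting": "0", "submitsamplesconsent": "2"}
REG_VALUE = re.compile(r"/v\s+[\'\"]?([^\'\"\s]+)", re.I)
REG_DATA = re.compile(r"/d\s+[\'\"]?([^\'\"\s]+)", re.I)
TASK_RUN_AS_SYSTEM = re.compile(r"/ru\s+[\'\"]?NT AUTHORITY\\SYSTEM", re.I)
TASK_ACTION = re.compile(r"/tr\s+(.+?)\s+/sc\b", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\|\\ProgramData\\|\\Temp\\", re.I)


def _image_is(ev: Dict[str, str], name: str) -> bool:
    return ev["image"].lower().endswith("\\" + name)


def defender_cloud_reporting_disabled(ev: Dict[str, str]) -> bool:
    """reg.exe ADD that sets SpyNetReporting=0 or SubmitSamplesConsent=2 under a SpyNet key."""
    c = ev["cmdline"]
    if not (_image_is(ev, "reg.exe") and re.search(r"\bADD\b", c, re.I) and SPYNET_KEY.search(c)):
        return False
    v, d = REG_VALUE.search(c), REG_DATA.search(c)
    return bool(v and d and SPYNET_DISABLE.get(v.group(1).lower()) == d.group(1))


def system_task_runs_user_writable_binary(ev: Dict[str, str]) -> bool:
    """schtasks /Create running as SYSTEM whose action lives in a user-writable path."""
    c = ev["cmdline"]
    if not (_image_is(ev, "schtasks.exe") and re.search(r"/create\b", c, re.I) and TASK_RUN_AS_SYSTEM.search(c)):
        return False
    action = TASK_ACTION.search(c)
    return bool(action and USER_WRITABLE.search(action.group(1)))


def wow64_explorer_from_user_path(ev: Dict[str, str]) -> bool:
    """32-bit explorer.exe (SysWOW64) started by a parent under a user-writable path."""
    return _image_is(ev, "syswow64\\explorer.exe") and bool(USER_WRITABLE.search(ev["parent"]))


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "defender_cloud_reporting_disabled": defender_cloud_reporting_disabled,
    "system_task_runs_user_writable_binary": system_task_runs_user_writable_binary,
    "wow64_explorer_from_user_path": wow64_explorer_from_user_path,
}


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every event that matches a rule."""
    return [(name, ev["cmdline"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, cmdline in evaluate(EVENTS):
        print(f"[{name}] {cmdline}")
```

Run as a script it prints four hits, two for the SpyNet writes, one for the SYSTEM task and one for the WOW64 explorer, and nothing for the two benign events. The task rule deliberately keys on the action path rather than on /RU SYSTEM alone, since scheduled tasks running as SYSTEM from Program Files are routine.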

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 8888888.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.cxeijygq.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 6.2.8888888.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.8888888.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 7.0.cxeijygq.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 3.2.cxeijygq.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 6.0.8888888.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.0.8888888.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.0.8888888.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.8888888.exe.640000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.8888888.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 6.2.8888888.exe.ee0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.cxeijygq.exe.20f0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.cxeijygq.exe.20f0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.cxeijygq.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: 0.2.8888888.exe.2250000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.explorer.exe.a40000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen2

Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043BFC98 strncpy,strncmp,QueryPerformanceFrequency,QueryPerformanceCounter,CryptAcquireContextA

Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040A2F9 NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\Desktop\8888888.exe | Code function: 2_2_0040A2F9 NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: 3_2_0040A2F9 NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\Desktop\8888888.exe | Code function: 6_2_0040A2F9 NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: 7_2_0040A2F9 NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A4A2F9 NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043C6130 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose

Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043B9C37 _time64,_time64,select,__WSAFDIsSet,accept,closesocket,__WSAFDIsSet,closesocket,__WSAFDIsSet,recv,WSAGetLastError,closesocket,closesocket,__WSAFDIsSet,closesocket,closesocket,WSAGetLastError
Source: explorer.exe, 0000000A.00000002.969040992.00000000043B0000.00000040.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: explorer.exe, 0000000A.00000002.969040992.00000000043B0000.00000040.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 8888888.exe, 00000000.00000003.557499026.00000000022DB000.00000004.00000040.sdmp, 8888888.exe, 00000006.00000003.599123209.0000000001481000.00000004.00000001.sdmp, explorer.exe | String found in binary or memory: http://www.ip-adress.com
Source: 8888888.exe, 00000000.00000003.557499026.00000000022DB000.00000004.00000040.sdmp, 8888888.exe, 00000006.00000003.599123209.0000000001481000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000002.969040992.00000000043B0000.00000040.00000001.sdmp | String found in binary or memory: http://www.ip-adress.com?%04x.%uNULL??YESNO

Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\8888888.exe | Code function: 2_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: 3_2_0040482C memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: 3_2_00404484 NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: 3_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\8888888.exe | Code function: 6_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: 7_2_00401360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A41360 PostQuitMessage,PostQuitMessage,PostQuitMessage,PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A44484 NtCreateSection,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,memcpy,NtUnmapViewOfSection,GetCurrentProcess,NtUnmapViewOfSection,NtClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A4482C memset,GetThreadContext,NtProtectVirtualMemory,NtWriteVirtualMemory,FreeLibrary,DeleteFileW
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00405047 GetLastError,EqualSid,memset,memset,CreateProcessAsUserW,CloseHandle
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00404C9E
Source: C:\Users\user\Desktop\8888888.exe | Code function: 2_2_00404C9E
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: 3_2_00404C9E
Source: C:\Users\user\Desktop\8888888.exe | Code function: 6_2_00404C9E
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: 7_2_00404C9E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A44C9E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043C045D
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043BED35
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043CE528
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043CED4F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043BF63A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043C2627
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043C9FB7
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043C0138
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043BF152
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043CA2B1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043C0B68
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043CABA7
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043C93E9
Source: 8888888.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8888888.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cxeijygq.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cxeijygq.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8888888.exe, 00000000.00000000.542662648.00000000004A0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFGResDetector.exeJ vs 8888888.exe
Source: 8888888.exe, 00000002.00000002.555208048.00000000004A0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFGResDetector.exeJ vs 8888888.exe
Source: 8888888.exe, 00000006.00000000.585018754.00000000004A0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFGResDetector.exeJ vs 8888888.exe
Source: 8888888.exe | Binary or memory string: OriginalFilenameFGResDetector.exeJ vs 8888888.exe
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: classification engine | Classification label: mal100.evad.winEXE@30/4@0/0
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00404F99 CreateToolhelp32Snapshot,memset,Process32First,CloseHandle,Process32Next,FindCloseChangeNotification
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00409A82 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040405B FindResourceA,SizeofResource,LoadResource
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\8888888.exe | Code function: 2_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: 3_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\8888888.exe | Code function: 6_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: 7_2_00401071 StartServiceCtrlDispatcherA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A41071 StartServiceCtrlDispatcherA
Source: C:\Users\user\Desktop\8888888.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2412:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4196:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{BC91557A-A928-4D49-983A-74ABF8DBD460}
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2760:120:WilError_01
Source: C:\Users\user\Desktop\8888888.exe | Mutant created: \Sessions\1\BaseNamedObjects\ihhelx
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4528:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{7F2458B6-2E9A-4FF4-8481-9F49F2E6670C}
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{9595784F-DED5-4D11-812E-DB12736F9FB2}
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3008:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1172:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\~cxeijygq.tmp
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: 8888888.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8888888.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\8888888.exe | File read: C:\Users\user\Desktop\8888888.exe
Source: C:\Users\user\Desktop\8888888.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown | Process created: C:\Users\user\Desktop\8888888.exe 'C:\Users\user\Desktop\8888888.exe'
Source: unknown | Process created: C:\Users\user\Desktop\8888888.exe C:\Users\user\Desktop\8888888.exe /C
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ftlxxqymzp /tr '\'C:\Users\user\Desktop\8888888.exe\' /I ftlxxqymzp' /SC ONCE /Z /ST 17:07 /ET 17:19
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\8888888.exe C:\Users\user\Desktop\8888888.exe /I ftlxxqymzp
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe /C
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: C:\Users\user\Desktop\8888888.exe | Process created: C:\Users\user\Desktop\8888888.exe C:\Users\user\Desktop\8888888.exe /C
Source: C:\Users\user\Desktop\8888888.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe
Source: C:\Users\user\Desktop\8888888.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ftlxxqymzp /tr '\'C:\Users\user\Desktop\8888888.exe\' /I ftlxxqymzp' /SC ONCE /Z /ST 17:07 /ET 17:19
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe /C
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\8888888.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: C:\Users\user\Desktop\8888888.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: C:\Users\user\Desktop\8888888.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: C:\Users\user\Desktop\8888888.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'
Source: C:\Users\user\Desktop\8888888.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SpyNetReporting' /d '0'
Source: C:\Users\user\Desktop\8888888.exe | Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet' /f /t REG_DWORD /v 'SubmitSamplesConsent' /d '2'

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\8888888.exe | Unpacked PE file: 0.2.8888888.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\8888888.exe | Unpacked PE file: 2.2.8888888.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Unpacked PE file: 3.2.cxeijygq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\8888888.exe | Unpacked PE file: 6.2.8888888.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Unpacked PE file: 7.2.cxeijygq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\8888888.exe | Unpacked PE file: 0.2.8888888.exe.2250000.1.unpack
Source: C:\Users\user\Desktop\8888888.exe | Unpacked PE file: 2.2.8888888.exe.640000.1.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\8888888.exe | Unpacked PE file: 0.2.8888888.exe.400000.0.unpack
Source: C:\Users\user\Desktop\8888888.exe | Unpacked PE file: 2.2.8888888.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Unpacked PE file: 3.2.cxeijygq.exe.400000.0.unpack
Source: C:\Users\user\Desktop\8888888.exe | Unpacked PE file: 6.2.8888888.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Unpacked PE file: 7.2.cxeijygq.exe.400000.0.unpack
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040599F GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0046B820 push 0046B620h; ret 0_2_0046C6DB
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0046B150 push 00000000h; mov dword ptr [esp], 0001B69Fh 0_2_0046B184
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0044345F pushfd ; ret 0_2_00443461
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00441A13 pushfd ; iretd 0_2_00441A14
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0043C2CA push ecx; ret 0_2_0043C385
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00442AED push edi; ret 0_2_00442AEE
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_004448EF pushad ; ret 0_2_00444934
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_004444F1 push edi; iretd 0_2_00444596
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00442E99 push cs; iretd 0_2_00442F3E
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0043C2AD push ecx; ret 0_2_0043C385
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0043B0B6 push esp; iretd 0_2_0043B0B7
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00442EB2 push cs; iretd 0_2_00442F3E
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0043E308 push ebp; retf 0_2_0043E309
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0044211A pushfd ; retf 0_2_00442127
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0043AB2A push es; iretd 0_2_0043ABDB
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0043AFF7 pushfd ; ret 0_2_0043AFFB
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0046B380 push 0046B3DEh; ret 0_2_0046B3DD
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0043F797 push edx; ret 0_2_0043F7A5
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0044459C push edi; iretd 0_2_00444596
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_004403B3 pushfd ; iretd 0_2_004403B6
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_022465C0 push edx; ret 0_2_0224674E
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_02214A37 push edi; ret 0_2_02214A38
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_02215AB4 push dword ptr [ebx-1Ah]; ret 0_2_02215AC9
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_02216BE2 push 0000000Dh; iretd 0_2_02216BED
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_02217052 push esp; iretd 0_2_02217059
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_022171CC push esp; iretd 0_2_022171D1
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_02213F0E push 00000005h; ret 0_2_02213F38
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_02215433 push 00409CE1h; ret 0_2_02215444
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0221652E push esi; ret 0_2_02216534
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_02214D13 push FFFFFFE6h; retf 0_2_02214D15
Source: C:\Users\user\Desktop\8888888.exe | Code function: 2_2_0046B820 push 0046B620h; ret 2_2_0046C6DB

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Users\user\Desktop\8888888.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\8888888.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\8888888.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\8888888.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\8888888.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\8888888.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\8888888.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ftlxxqymzp /tr '\'C:\Users\user\Desktop\8888888.exe\' /I ftlxxqymzp' /SC ONCE /Z /ST 17:07 /ET 17:19
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00401071 StartServiceCtrlDispatcherA

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Memory written: PID: 760 base: C6F2F0 value: E9 BD 22 DD FF
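The five bytes written into explorer.exe (PID 760) are a `jmp rel32` (opcode E9) followed by a little-endian signed displacement. Resolving the displacement tells an analyst where the hooked function now transfers control, which is the quickest way to link this write to the injected image. The Python below is an added example, not part of the Joe Sandbox report: it decodes the write recorded above and checks whether the target falls inside the region at 0xA40000 that the report lists as an unpacked image in explorer.exe (10.2.explorer.exe.a40000.1.unpack). The size of that region is not stated on the page, so the upper bound used here is an assumption.

```python
import struct
from typing import Dict, Optional, Tuple

# The write recorded by the sandbox: 5 bytes at C6F2F0 in explorer.exe (PID 760).
OBSERVED_WRITE = {"pid": 760, "base": 0xC6F2F0, "bytes": bytes.fromhex("E9BD22DDFF")}

# Region the report flags as an unpacked image inside explorer.exe
# (10.2.explorer.exe.a40000.1.unpack). Its size is not stated on the page; the
# upper bound is an assumption that covers the code functions listed for it
# (the highest being 10_2_00A4A2F9).
INJECTED_REGION: Tuple[int, int] = (0xA40000, 0xA50000)


def resolve_jmp_rel32(base: int, patch: bytes) -> Optional[int]:
    """Absolute target of an E9 (jmp rel32) written at `base`, or None if the
    bytes are not a 5-byte relative jump.

    x86 encodes the displacement relative to the *next* instruction (base + 5)
    as a signed 32-bit little-endian value, so the target can lie well below
    the patch address when the displacement is negative, as it is here.
    """
    if len(patch) != 5 or patch[0] != 0xE9:
        return None
    (rel32,) = struct.unpack("<i", patch[1:5])
    return (base + 5 + rel32) & 0xFFFFFFFF


def classify_hook(write: Dict, region: Tuple[int, int]) -> Dict:
    """Resolve the patch and say whether its target lands in the injected region."""
    target = resolve_jmp_rel32(write["base"], write["bytes"])
    return {
        "pid": write["pid"],
        "patched_at": write["base"],
        "target": target,
        "target_in_injected_region": target is not None and region[0] <= target < region[1],
    }


if __name__ == "__main__":
    r = classify_hook(OBSERVED_WRITE, INJECTED_REGION)
    print(f"PID {r['pid']}: jmp at {r['patched_at']:#x} -> {r['target']:#x} "
          f"(inside injected region: {r['target_in_injected_region']})")
```

The displacement BD 22 DD FF is 0xFFDD22BD, i.e. -0x22DD43, so the jump at 0xC6F2F0 lands at 0xA415B2, inside the 0xA40000 image: the hook in explorer.exe redirects into the code the dropped cxeijygq.exe mapped there, consistent with the NtCreateSection/NtMapViewOfSection and NtWriteVirtualMemory chains listed earlier in the report.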

Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Users\user\Desktop\8888888.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,0_2_00403D22
Source: C:\Users\user\Desktop\8888888.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,2_2_00403D22
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,3_2_00403D22
Source: C:\Users\user\Desktop\8888888.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,6_2_00403D22
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,7_2_00403D22
Source: C:\Windows\SysWOW64\explorer.exe | Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,10_2_00A43D22
Contains functionality to detect virtual machines (IN, VMware)
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040349A in eax, dx
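The `in eax, dx` at 0_2_0040349A is the VMware backdoor probe: in user mode the instruction faults on real hardware, but a VMware guest that has loaded the magic value into EAX and the backdoor port into DX gets an answer instead. A static scanner should therefore not alert on every 0xED byte (it is common in data and in unrelated instructions) but on the combination of the register setup and the port read. The Python below is an added example, not code from the report or the sample: the magic 'VMXh' (0x564D5868) and port 'VX' (0x5658) are the documented VMware backdoor constants and do not appear on the page, and the byte sequence it scans is constructed here to imitate the classic check.

```python
import struct
from typing import Dict, List

# Documented VMware backdoor constants (not on the report page): the guest puts
# the magic 'VMXh' in EAX and the port 'VX' in DX before executing `in eax, dx`.
VMWARE_MAGIC = 0x564D5868
VMWARE_PORT = 0x5658
IN_EAX_DX = 0xED          # opcode of `in eax, dx`
LOOKBACK = 32             # how many bytes before the IN to search for the setup

MAGIC_LOAD = b"\xB8" + struct.pack("<I", VMWARE_MAGIC)            # mov eax, 564D5868h
PORT_LOADS = (b"\x66\xBA" + struct.pack("<H", VMWARE_PORT),         # mov dx, 5658h
              b"\xBA" + struct.pack("<I", VMWARE_PORT))             # mov edx, 5658h

# Constructed code bytes imitating the classic probe (not taken from the sample):
#   push ebp / mov ebp, esp     55 89 E5
#   mov eax, 564D5868h          B8 68 58 4D 56
#   mov ecx, 0Ah                B9 0A 00 00 00   (backdoor command: get version)
#   mov dx, 5658h               66 BA 58 56
#   in eax, dx                  ED
#   pop ebp / ret               5D C3
SAMPLE_CODE = bytes.fromhex("5589E5" "B868584D56" "B90A000000" "66BA5856" "ED" "5DC3")


def find_vmware_backdoor_checks(code: bytes) -> List[Dict[str, int]]:
    """Report every `in eax, dx` that is preceded, within LOOKBACK bytes, by a
    load of the VMware magic into EAX and of the VMware port into DX or EDX.
    A bare 0xED byte, or the magic without the port, is not reported."""
    hits = []
    for off, byte in enumerate(code):
        if byte != IN_EAX_DX:
            continue
        start = max(0, off - LOOKBACK)
        window = code[start:off]
        magic_at = window.rfind(MAGIC_LOAD)
        port_at = max(window.rfind(p) for p in PORT_LOADS)
        if magic_at != -1 and port_at != -1:
            hits.append({"in_offset": off,
                         "magic_load": start + magic_at,
                         "port_load": start + port_at})
    return hits


if __name__ == "__main__":
    for h in find_vmware_backdoor_checks(SAMPLE_CODE):
        print(f"VMware backdoor probe: in eax,dx at {h['in_offset']:#x}, "
              f"magic loaded at {h['magic_load']:#x}, port loaded at {h['port_load']:#x}")
```

On the constructed buffer the scanner reports one probe (IN at offset 0x11, magic load at 0x3, port load at 0xD). The look-back window is a heuristic: packed or obfuscated code that loads the constants through intermediate registers or pushes will not match, which is why the sandbox's dynamic signature above remains the more reliable indicator.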
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: cxeijygq.exe, 00000007.00000002.596353960.000000000246A000.00000004.00000040.sdmp | Binary or memory string: FIDDLER.EXE;SAMP1E.EXE;SAMPLE.EXE;RUNSAMPLE.EXE;LORDPE.EXE;REGSHOT.EXE;AUTORUNS.EXE;DSNIFF.EXE;VBOXTRAY.EXE;HASHMYFILES.EXE;PROCESSHACKER.EXE;PROCMON.EXE;PROCMON64.EXE;NETMON.EXE;VMTOOLSD.EXE;VM3DSERVICE.EXE;VGAUTHSERVICE.EXE;PR0C3XP.EXE;PROCESSHACKER.EXE;CFF EXPLORER.EXE;DUMPCAP.EXE;WIRESHARK.EXE;IDAQ.EXE;IDAQ64.EXE;TPAUTOCONNECT.EXE;RESOURCEHACKER.EXE;VMACTHLP.EXE;OLLYDBG.EXE;WINDBG.EXE;BDS-VISION-AGENT-NAI.EXE;BDS-VISION-APIS.EXE;BDS-VISION-AGENT-APP.EXE;MULTIANALYSIS_V1.0.294.EXE;X32DBG.EXE;VBOXTRAY.EXE;VBOXSERVICE.EXE;TCPVIEW.EXE
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040385E GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32First,StrStrIA,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040352C SetupDiGetDeviceRegistryPropertyA,GetLastError
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 904
Source: C:\Users\user\Desktop\8888888.exe | Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\8888888.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\8888888.exe | Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\8888888.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\8888888.exe TID: 4936 | Thread sleep count: 68 > 30
Source: C:\Users\user\Desktop\8888888.exe TID: 3772 | Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe TID: 1164 | Thread sleep count: 67 > 30
Source: C:\Users\user\Desktop\8888888.exe TID: 4756 | Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe TID: 1684 | Thread sleep count: 68 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 4592 | Thread sleep time: -27120000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4592 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043C6130 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_004055DD memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA
Source: cxeijygq.exe, 00000007.00000002.596353960.000000000246A000.00000004.00000040.sdmp | Binary or memory string: Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;Wireshark.exe;idaq.exe;idaq64.exe;TPAutoConnect.exe;ResourceHacker.exe;vmacthlp.exe;OLLYDBG.EXE;windbg.exe;bds-vision-agent-nai.exe;bds-vision-apis.exe;bds-vision-agent-app.exe;MultiAnalysis_v1.0.294.exe;x32dbg.exe;VBoxTray.exe;VBoxService.exe;Tcpview.exe
Source: reg.exe, 00000008.00000002.597077995.0000015006160000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.601627238.0000015BABF00000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.608077744.00000172BA970000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.610594749.000001D851120000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.615528427.0000012674FE0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: reg.exe, 00000008.00000002.597077995.0000015006160000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.601627238.0000015BABF00000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.608077744.00000172BA970000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.610594749.000001D851120000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.615528427.0000012674FE0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: reg.exe, 00000008.00000002.597077995.0000015006160000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.601627238.0000015BABF00000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.608077744.00000172BA970000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.610594749.000001D851120000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.615528427.0000012674FE0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000A.00000002.967610016.0000000000087000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: reg.exe, 00000008.00000002.597077995.0000015006160000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.601627238.0000015BABF00000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.608077744.00000172BA970000.00000002.00000001.sdmp, reg.exe, 0000000F.00000002.610594749.000001D851120000.00000002.00000001.sdmp, reg.exe, 00000011.00000002.615528427.0000012674FE0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\8888888.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\explorer.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\8888888.exe | Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_00A464A2 LdrInitializeThunk
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040385E GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32First,StrStrIA,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040599F GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043BD4E6 GetProcessHeap,HeapReAlloc
Source: C:\Users\user\Desktop\8888888.exe | Memory protected: page execute read | page execute and read and write | page guard
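The process-name blacklist above, together with the CreateToolhelp32Snapshot / Process32First / Process32Next / StrStrIA loop in 0_2_0040385E, tells a sandbox operator exactly which tool names will make this sample go quiet. The script below is an added example, not code from the report or from the sample: it takes the mixed-case list verbatim from the cxeijygq.exe memory dump, emulates the StrStrIA test (case-insensitive substring search) against a constructed list of process names, and reports which ones would trip the check. The argument order of StrStrIA is not visible in the report; "blacklist entry is a substring of the process name" is an assumption made here.

```python
"""Audit analysis-VM process names against the blacklist recovered from the sample.

Added example; not code from the report or the sample. The sample walks the
process list and compares names with StrStrIA, a case-insensitive substring
search. Argument order is assumed to be StrStrIA(process_name, entry).
"""

# Verbatim memory string from the report (cxeijygq.exe, 00000007.00000002.596353960...).
BLACKLIST_RAW = (
    "Fiddler.exe;samp1e.exe;sample.exe;runsample.exe;lordpe.exe;regshot.exe;"
    "Autoruns.exe;dsniff.exe;VBoxTray.exe;HashMyFiles.exe;ProcessHacker.exe;"
    "Procmon.exe;Procmon64.exe;netmon.exe;vmtoolsd.exe;vm3dservice.exe;"
    "VGAuthService.exe;pr0c3xp.exe;ProcessHacker.exe;CFF Explorer.exe;dumpcap.exe;"
    "Wireshark.exe;idaq.exe;idaq64.exe;TPAutoConnect.exe;ResourceHacker.exe;"
    "vmacthlp.exe;OLLYDBG.EXE;windbg.exe;bds-vision-agent-nai.exe;"
    "bds-vision-apis.exe;bds-vision-agent-app.exe;MultiAnalysis_v1.0.294.exe;"
    "x32dbg.exe;VBoxTray.exe;VBoxService.exe;Tcpview.exe"
)


def parse_blacklist(raw: str) -> list[str]:
    """Split the ';'-separated string exactly as found, keeping duplicate entries."""
    return [entry for entry in raw.split(";") if entry]


BLACKLIST = parse_blacklist(BLACKLIST_RAW)


def unique_entries(entries: list[str]) -> list[str]:
    """Case-insensitive de-duplication that preserves first occurrence."""
    seen: dict[str, str] = {}
    for entry in entries:
        seen.setdefault(entry.lower(), entry)
    return list(seen.values())


def strstri_matches(process_name: str, entries: list[str]) -> list[str]:
    """Emulate StrStrIA(process_name, entry): entry found anywhere in the name, any case."""
    name = process_name.lower()
    hits = [entry for entry in entries if entry.lower() in name]
    return list(dict.fromkeys(hits))  # keep order, collapse the list's own duplicates


def audit(process_names: list[str], entries: list[str] = BLACKLIST) -> dict[str, list[str]]:
    """Map each process name that would trip the check to the entries it matched."""
    result: dict[str, list[str]] = {}
    for name in process_names:
        hits = strstri_matches(name, entries)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    # Constructed process list for an analysis VM; not taken from the report.
    running = ["explorer.exe", "svchost.exe", "vmtoolsd.exe",
               "ProcMon64.exe", "x64dbg.exe", "MySample.exe"]
    for proc, hits in audit(running).items():
        print(f"{proc}: would be detected via {hits}")
```

Two things fall out of running it: the list carries duplicates (ProcessHacker.exe and VBoxTray.exe twice) and the substring test means any image whose name merely contains "sample.exe" is enough, so naming the submitted file anything of that shape defeats the run before the payload starts.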

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Memory written: PID: 760 base: C6F2F0 value: E9
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: C6F2F0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043C7329 OpenProcessToken,CloseHandle,FindCloseChangeNotification, C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00401A28 EntryPoint,GetCommandLineW,CommandLineToArgvW,HeapCreate,GetModuleHandleA,lstrcmpiW,CoInitializeEx,GetForegroundWindow,ShellExecuteW,Sleep,CopyFileW,ExitProcess
Source: C:\Users\user\AppData\Roaming\Microsoft\Gbdnse\cxeijygq.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00407B83 AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,LocalFree,LocalFree,FreeSid,FreeSid
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_004079E5 GetModuleFileNameW,AllocateAndInitializeSid,EqualSid,FreeSid,FindCloseChangeNotification
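The "Overwrites code with unconditional jumps" and "Writes to foreign memory regions" entries describe one and the same write: five bytes, E9 BD 22 DD FF, at C6F2F0 in explorer.exe (PID 760). That is an x86 `jmp rel32`, so the target can be recovered from the report alone. The script below is an added example, not code from the report; it decodes the displacement and checks where the target lands. The report lists the same function as 0_2_00403D22 in 8888888.exe and 10_2_00A43D22 inside explorer.exe, which gives a rebase delta of 0x640000; that the injected copy is the sample's image relocated to a new base, and that the sample's own base is 0x400000, are assumptions used to translate the target back.

```python
"""Decode the code patch recorded for explorer.exe (PID 760) and locate its target.

Added example; not code from the report. E9 + signed 32-bit displacement is a
near jmp; the displacement is relative to the end of the 5-byte instruction.
"""
import struct

PATCH_BASE = 0x00C6F2F0                      # "Memory written: PID: 760 base: C6F2F0"
PATCH_BYTES = bytes.fromhex("E9BD22DDFF")    # "value: E9 BD 22 DD FF"

SAMPLE_FUNC = 0x00403D22                     # 0_2_00403D22 in 8888888.exe
INJECTED_FUNC = 0x00A43D22                   # 10_2_00A43D22, same code inside explorer.exe
INJECTED_FUNCS = (0x00A43D22, 0x00A464A2)    # injected-region functions the report lists
SAMPLE_IMAGE_BASE = 0x00400000               # assumption: default 32-bit image base


def decode_rel32_jmp(site: int, patch: bytes) -> int:
    """Absolute target of an E9 rel32 jmp located at `site` (32-bit address space)."""
    if len(patch) != 5 or patch[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jmp")
    rel = struct.unpack("<i", patch[1:5])[0]   # little-endian, signed
    return (site + 5 + rel) & 0xFFFFFFFF       # displacement counts from the next instruction


def rebase_delta(sample_addr: int, injected_addr: int) -> int:
    """Offset between the sample's image and its injected copy."""
    return injected_addr - sample_addr


def to_sample_address(injected_addr: int, delta: int) -> int:
    """Translate an address in the injected copy back to the sample's image."""
    return injected_addr - delta


def describe_hook(site: int, patch: bytes) -> dict:
    """Decode the patch and say whether it redirects into the injected image."""
    target = decode_rel32_jmp(site, patch)
    delta = rebase_delta(SAMPLE_FUNC, INJECTED_FUNC)
    injected_base = SAMPLE_IMAGE_BASE + delta
    in_injected = injected_base <= target <= max(INJECTED_FUNCS)
    return {
        "hook_site": site,
        "target": target,
        "delta": delta,
        "target_in_injected_image": in_injected,
        "sample_equivalent": to_sample_address(target, delta) if in_injected else None,
    }


if __name__ == "__main__":
    info = describe_hook(PATCH_BASE, PATCH_BYTES)
    print(f"jmp at {info['hook_site']:#010x} -> {info['target']:#010x}")
    print(f"rebase delta {info['delta']:#x}; lands in injected image: {info['target_in_injected_image']}")
    if info["sample_equivalent"] is not None:
        print(f"equivalent address in 8888888.exe: {info['sample_equivalent']:#010x}")
```

The displacement BD 22 DD FF is -0x22DD43, so the hook at 0xC6F2F0 transfers control to 0xA415B2, which sits between the assumed injected base 0xA40000 and the highest injected function the report names (0xA464A2); under the rebase assumption that is 0x4015B2 in the sample's own image. In other words, the patched explorer.exe code is redirected into the payload that was mapped there, which is what the "possibly setting hooks in foreign process" signature is pointing at.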

Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040336E cpuid
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040352C SetupDiGetDeviceRegistryPropertyA,GetLastError
Source: C:\Users\user\Desktop\8888888.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\8888888.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043B513B CreateNamedPipeA
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_00408F6D memset,GetLocalTime,memset,GetLocalTime,lstrcpynW,lstrcatW,DeleteFileW
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_0040A2F9 NetUserEnum,LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree
Source: C:\Users\user\Desktop\8888888.exe | Code function: 0_2_004055DD memset,GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW,GetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA
Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043BA931 socket,memset,inet_addr,GetBestRoute,GetIpAddrTable,GetIpAddrTable,memset,setsockopt,setsockopt,bind,closesocket,LdrInitializeThunk,memset,getaddrinfo,sendto,freeaddrinfo,memcmp,memcmp,memcmp,memcpy,memcpy,closesocket
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_043C2340 socket,ioctlsocket,WSAGetLastError,htons,setsockopt,bind,listen,closesocket
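The socket / htons / setsockopt / bind / listen chain in 10_2_043C2340 runs inside the 32-bit explorer.exe that received the injected code, which turns the "open a port and listen for incoming connection" signature into a concrete host artefact: an explorer.exe that owns a LISTENING TCP socket. The script below is an added example, not code from the report; it parses lines in the shape of `netstat -ano` output, resolves PIDs through a PID-to-image map of the kind `tasklist` gives, and flags listeners owned by images that have no reason to accept connections. NETSTAT_SAMPLE and PID_IMAGE are constructed; only the PID 760 / explorer.exe pairing comes from the report, and the port numbers are placeholders.

```python
"""Flag LISTENING sockets owned by processes that have no business listening.

Added example; not code from the report or the sample. Input is constructed in
the shape of `netstat -ano` output plus a PID-to-image map.
"""

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       760
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    10.0.0.5:49700         203.0.113.10:443       ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    1448
"""

# PID 760 is the explorer.exe the report records as the injection target; the rest is made up.
PID_IMAGE = {4: "System", 884: "svchost.exe", 760: "explorer.exe", 3120: "chrome.exe", 1448: "svchost.exe"}

# Image names that should never accept inbound connections (assumption; tune per estate).
NEVER_LISTEN = {"explorer.exe", "conhost.exe", "reg.exe", "schtasks.exe"}


def parse_netstat(text: str) -> list[dict]:
    """Parse `netstat -ano` style lines into dicts; UDP rows carry no state column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                                     # header or blank line
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        host, _, port = local.rpartition(":")           # rpartition copes with [::]:445
        rows.append({"proto": proto, "local": host, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def suspicious_listeners(rows: list[dict], pid_image: dict, never_listen=NEVER_LISTEN) -> list[dict]:
    """Return listening TCP sockets whose owning image is on the never-listen list."""
    hits = []
    for row in rows:
        if row["proto"] != "TCP" or row["state"] != "LISTENING":
            continue
        image = pid_image.get(row["pid"], "<unknown>")
        if image.lower() in never_listen:
            hits.append({**row, "image": image})
    return hits


if __name__ == "__main__":
    for hit in suspicious_listeners(parse_netstat(NETSTAT_SAMPLE), PID_IMAGE):
        print(f"{hit['image']} (PID {hit['pid']}) is listening on {hit['local']}:{hit['port']}")
```

The check is deliberately image-based rather than port-based, because the report gives no port and the listener sits in whatever process was injected; pairing it with the process-creation chain above (cxeijygq.exe starting C:\Windows\SysWOW64\explorer.exe) is what distinguishes this explorer.exe from the one the shell started.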

Mitre Att&ck Matrix

Techniques per tactic, in the order the matrix lists them; the numbers the report shows as superscripts on matched techniques are given in parentheses.

Initial Access: Valid Accounts (1); Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship; Hardware Additions
Execution: Execution through API (41); Command-Line Interface (12); Service Execution (2); Scheduled Task (1); Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32; PowerShell; Execution through API
Persistence: Hooking (1); Valid Accounts (1); Scheduled Task (1); Modify Existing Service (1); New Service (3); Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking; Change Default File Association; File System Permissions Weakness
Privilege Escalation: Exploitation for Privilege Escalation (1); Hooking (1); Valid Accounts (1); Access Token Manipulation (1); Process Injection (322); Scheduled Task (1); New Service (3); Process Injection; Service Registry Permissions Weakness; Exploitation for Privilege Escalation; Valid Accounts
Defense Evasion: Software Packing (31); Disabling Security Tools (1); Obfuscated Files or Information (1); Masquerading (1); Valid Accounts (1); Modify Registry (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (322); Scripting; Indicator Removal from Tools
Credential Access: Hooking (1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt; Keychain; Private Keys
Discovery: System Time Discovery (1); Account Discovery (1); Security Software Discovery (221); File and Directory Discovery (1); System Information Discovery (35); Network Share Discovery (1); Query Registry (1); Virtualization/Sandbox Evasion (11); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares; Taint Shared Content; Replication Through Removable Media
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection; Audio Capture; Video Capture
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium; Commonly Used Port; Standard Application Layer Protocol
Command and Control: Commonly Used Port (1); Remote File Copy (1); Standard Cryptographic Protocol (2); Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption; Connection Proxy; Communication Through Removable Media
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Disk Structure Wipe

Behavior Graph

Behavior Graph ID: 233907 | Sample: 8888888.exe | Start date: 28/05/2020 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Machine Learning detection for sample; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses schtasks.exe or at.exe to add and modify task schedules
  8888888.exe (node 7) started
    Dropped: C:\Users\user\AppData\...\cxeijygq.exe, PE32; C:\Users\...\cxeijygq.exe:Zone.Identifier, ASCII
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 2 other signatures
    cxeijygq.exe (node 13) started
      Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Overwrites code with unconditional jumps - possibly setting hooks in foreign process; 5 other signatures
      explorer.exe (node 28) started
      cxeijygq.exe (node 31) started
    schtasks.exe (node 16) started
      conhost.exe (node 33) started
    8888888.exe (node 18) started
  8888888.exe (node 11) started
    Signatures: Uses cmd line tools excessively to alter registry or file data
    reg.exe (node 20) started
      conhost.exe (node 35) started
    reg.exe (node 22) started
      conhost.exe (node 37) started
    reg.exe (node 24) started
      conhost.exe (node 39) started
    3 other processes (node 26)
  conhost.exe (node 41); its parent edge is not present in the source text