
Analysis Report jvnfring.msi

Overview

General Information

Sample Name: jvnfring.msi
MD5: 9dc595745b7f64aab36db980651e9734
SHA1: 23b77cc0f6db594bcb825b3d7893b7c94d7aefc0
SHA256: 98238dda51c0fe9b75939b5c2e287e0ad6e6005a8817477b0e82fb20df0401d2

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Modifies the context of a thread in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Startup

  • System is w7
  • msiexec.exe (PID: 3780 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\jvnfring.msi' MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
  • MSI1E7.tmp (PID: 2132 cmdline: C:\Windows\Installer\MSI1E7.tmp MD5: DC8B79E88E16A86E79BD4B215080145A)
    • MSI1E7.tmp (PID: 2120 cmdline: C:\Windows\Installer\MSI1E7.tmp MD5: DC8B79E88E16A86E79BD4B215080145A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.1115573707.00150000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: MSI1E7.tmp PID: 2120 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: jvnfring.msi | Virustotal: Detection: 11%
Source: jvnfring.msi | ReversingLabs: Detection: 29%

Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\Installer\MSI1E7.tmp | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_00152D41 InternetReadFile
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/t
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp, MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1c5N7wkZinjJr8h64p6CvGSneCjuKE5tX
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1c5N7wkZinjJr8h64p6CvGSneCjuKE5tX:J
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1c5N7wkZinjJr8h64p6CvGSneCjuKE5tXA
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1c5N7wkZinjJr8h64p6CvGSneCjuKE5tXU
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1c5N7wkZinjJr8h64p6CvGSneCjuKE5tXY
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1c5N7wkZinjJr8h64p6CvGSneCjuKE5tXYr
Source: MSI1E7.tmp, 00000005.00000002.1115814493.002F3000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: MSI1E7.tmp, 00000005.00000002.1116116129.00356000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0

Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D2D41 NtResumeThread
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D0EFB NtWriteVirtualMemory
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D28F5 NtProtectVirtualMemory
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D1105 NtWriteVirtualMemory
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D2D12 NtResumeThread
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D0161 EnumWindows,NtSetInformationThread,TerminateProcess
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D2D49 NtResumeThread
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D295B NtProtectVirtualMemory
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D0ECE NtWriteVirtualMemory
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_001528F5 NtProtectVirtualMemory
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_0015295B NtProtectVirtualMemory
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_00150161 EnumWindows,NtSetInformationThread
Source: jvnfring.msi | Binary or memory string: OriginalFilenameJVNFRING.exe vs jvnfring.msi
Source: classification engine | Classification label: mal76.troj.evad.winMSI@4/1@0/0
Source: C:\Windows\Installer\MSI1E7.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\YE6QQA4P.txt
Source: C:\Windows\Installer\MSI1E7.tmp | File created: C:\Users\user\AppData\Local\Temp\~DF6155C58E76C59E83.TMP
Source: C:\Windows\Installer\MSI1E7.tmp | Section loaded: C:\Windows\System32\msvbvm60.dll
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Installer\MSI1E7.tmp | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Installer\MSI1E7.tmp | File read: C:\Windows\System32\drivers\etc\hosts
Source: jvnfring.msi | Virustotal: Detection: 11%
Source: jvnfring.msi | ReversingLabs: Detection: 29%
Source: unknown | Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\jvnfring.msi'
Source: unknown | Process created: C:\Windows\Installer\MSI1E7.tmp C:\Windows\Installer\MSI1E7.tmp
Source: unknown | Process created: C:\Windows\Installer\MSI1E7.tmp C:\Windows\Installer\MSI1E7.tmp
Source: C:\Windows\Installer\MSI1E7.tmp | Process created: C:\Windows\Installer\MSI1E7.tmp C:\Windows\Installer\MSI1E7.tmp
Source: C:\Windows\System32\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000005.00000002.1115573707.00150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSI1E7.tmp PID: 2120, type: MEMORY

Source: C:\Windows\Installer\MSI1E7.tmp | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Installer\MSI1E7.tmp | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D2440
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_00152440
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Installer\MSI1E7.tmp | RDTSC instruction interceptor: First address: 002D2443 second address: 002D2467 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 nop
    0x00000006 shl edx, 20h
    0x00000009 fnop
    0x0000000b or edx, eax
    0x0000000d mov esi, edx
    0x0000000f nop
    0x00000010 pushad
    0x00000011 fnop
    0x00000013 mov eax, 00000001h
    0x00000018 cpuid
    0x0000001a bt ecx, 1Fh
    0x0000001e jc 00007F7C789E7192h
    0x00000020 popad
    0x00000021 lfence
    0x00000024 rdtsc
Source: C:\Windows\Installer\MSI1E7.tmp | RDTSC instruction interceptor: First address: 002D2467 second address: 002D2443 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a sub edx, esi
    0x0000000c cmp edx, 00000000h
    0x0000000f jle 00007F7C789E8B8Ah
    0x00000011 ret
    0x00000012 add edi, edx
    0x00000014 pop ecx
    0x00000015 dec ecx
    0x00000016 cmp ecx, 00000000h
    0x00000019 jne 00007F7C789E8BB3h
    0x0000001b push ecx
    0x0000001c call 00007F7C789E8BDFh
    0x00000021 lfence
    0x00000024 rdtsc
Source: C:\Windows\Installer\MSI1E7.tmp | RDTSC instruction interceptor: First address: 00152443 second address: 00152467 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 nop
    0x00000006 shl edx, 20h
    0x00000009 fnop
    0x0000000b or edx, eax
    0x0000000d mov esi, edx
    0x0000000f nop
    0x00000010 pushad
    0x00000011 fnop
    0x00000013 mov eax, 00000001h
    0x00000018 cpuid
    0x0000001a bt ecx, 1Fh
    0x0000001e jc 00007F7C789E7192h
    0x00000020 popad
    0x00000021 lfence
    0x00000024 rdtsc
Source: C:\Windows\Installer\MSI1E7.tmp | RDTSC instruction interceptor: First address: 00152467 second address: 00152443 instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a sub edx, esi
    0x0000000c cmp edx, 00000000h
    0x0000000f jle 00007F7C789E8B8Ah
    0x00000011 ret
    0x00000012 add edi, edx
    0x00000014 pop ecx
    0x00000015 dec ecx
    0x00000016 cmp ecx, 00000000h
    0x00000019 jne 00007F7C789E8BB3h
    0x0000001b push ecx
    0x0000001c call 00007F7C789E8BDFh
    0x00000021 lfence
    0x00000024 rdtsc
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D2440 rdtsc
Source: C:\Windows\System32\msiexec.exe TID: 3812 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 2160 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Installer\MSI1E7.tmp TID: 2212 | Thread sleep count: 323 > 30
Source: C:\Windows\Installer\MSI1E7.tmp TID: 2212 | Thread sleep time: -19380000s >= -30000s
Source: C:\Windows\Installer\MSI1E7.tmp TID: 2080 | Thread sleep time: -250000s >= -30000s
Source: C:\Windows\Installer\MSI1E7.tmp TID: 2212 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: MSI1E7.tmp | Binary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
Source: MSI1E7.tmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D0161 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000
Hides threads from debuggers
Source: C:\Windows\Installer\MSI1E7.tmp | Thread information set: HideFromDebugger
Source: C:\Windows\Installer\MSI1E7.tmp | Thread information set: HideFromDebugger
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D2440 rdtsc
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D0B3D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D217A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D0C5F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D26A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D2380 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D0882 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 4_2_002D12FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_00150B3D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_00150C5F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_0015217A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_00152380 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_00150882 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_001526A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI1E7.tmp | Code function: 5_2_001512FF mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Installer\MSI1E7.tmp | Thread register set: target process: 2120
Source: C:\Windows\Installer\MSI1E7.tmp | Process created: C:\Windows\Installer\MSI1E7.tmp C:\Windows\Installer\MSI1E7.tmp
Source: MSI1E7.tmp, 00000005.00000002.1116495920.007F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: MSI1E7.tmp, 00000005.00000002.1116495920.007F0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: MSI1E7.tmp, 00000005.00000002.1116495920.007F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd

Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media1 | Graphical User Interface1 | Winlogon Helper DLL | Process Injection112 | Masquerading1 | Credential Dumping | Query Registry1 | Replication Through Removable Media1 | Data from Local System | Data Compressed | Remote File Copy1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Virtualization/Sandbox Evasion11 | Network Sniffing | Virtualization/Sandbox Evasion11 | Remote File Copy1 | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection112 | Input Capture | Process Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | Peripheral Device Discovery11 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading | Account Manipulation | Security Software Discovery411 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | System Information Discovery213 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Remote System Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph
