
Analysis Report http://sufacturaciondigital.com/

Overview

General Information

Sample URL:http://sufacturaciondigital.com/

Detection

Phisher
Score: 60 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Phisher
Binary contains a suspicious time stamp
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
AV process strings found (often used to terminate AV products)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
PE file does not import any functions
Potential browser exploit detected (process start blacklist hit)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)

Startup

  • System is w10x64
  • iexplore.exe (PID: 5372 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4092 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5372 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • unarchiver.exe (PID: 5172 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\EDP-Fact26062020.zip' MD5: 8B435F8731563566F3F49203BA277865)
      • 7za.exe (PID: 5944 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\EDP-Fact26062020.zip' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5100 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • EDP-Cobros-26062020.exe (PID: 4260 cmdline: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe MD5: CF559DA315051F42239274339FAD51B1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\W41LJ0R6.htm
Rule: JoeSecurity_Phisher_1
Description: Yara detected Phisher
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Phishing:

Yara detected Phisher
Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\W41LJ0R6.htm, type: DROPPED

Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Windows\SysWOW64\unarchiver.exe

Source: global traffic; HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Fri, 26 Jun 2020 07:28:15 GMT
    Server: Apache
    X-Powered-By: PHP/7.3.17
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Vary: Accept-Encoding,User-Agent
    Content-Encoding: gzip
    Content-Length: 130
    Keep-Alive: timeout=5
    Content-Type: text/html; charset=UTF-8
    Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b3 c9 4d 2d 49 54 f0 08 09 09 d0 75 0d 0c f5 0c b3 55 0f 4a 4d 2b 4a 2d ce 50 57 70 f6 f7 0b 71 f5 0b b1 55 37 b0 0e 0d f2 b1 cd 28 29 29 28 b6 d2 d7 2f 2f 2f d7 cb 4d 4d c9 4c 4c cb 2c 4a d5 4b ce cf d5 4f cb cc 49 d5 37 2e 32 c9 4f 29 c8 32 cf 2a cd 36 02 1a a0 ef ea 12 a0 eb 96 98 5c 62 64 66 60 66 64 60 64 a0 57 95 59 a0 6e 07 00 6b 37 09 8b 6f 00 00 00
    Data Ascii: M-ITuUJM+J-PWpqU7())(///MMLL,JKOI7.2O)2*6\bdf`fd`dWYnk7o
Source: global traffic; HTTP traffic detected:
    GET / HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: sufacturaciondigital.com
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: sufacturaciondigital.com
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    User-Agent: AutoIt
    Host: sufacturaciondigital.com
Source: msapplication.xml0.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdde5e52e,0x01d64bd6</date><accdate>0xdde5e52e,0x01d64bd6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xdde5e52e,0x01d64bd6</date><accdate>0xdde5e52e,0x01d64bd6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xddead016,0x01d64bd6</date><accdate>0xddead016,0x01d64bd6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xddead016,0x01d64bd6</date><accdate>0xddead016,0x01d64bd6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdded4540,0x01d64bd6</date><accdate>0xdded4540,0x01d64bd6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xdded4540,0x01d64bd6</date><accdate>0xdded4540,0x01d64bd6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown; DNS traffic detected: queries for: sufacturaciondigital.com
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 26 Jun 2020 07:28:17 GMT
    Server: Apache
    Content-Length: 315
    Keep-Alive: timeout=5
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: unarchiver.exe, ~DF83E01032596ECC33.TMP.1.dr; String found in binary or memory: http://sufacturaciondigital.com/
Source: {07BEE131-B7CA-11EA-AADE-C25F135D3C65}.dat.1.dr; String found in binary or memory: http://sufacturaciondigital.com/Root
Source: msapplication.xml.1.dr; String found in binary or memory: http://www.amazon.com/
Source: EDP-Cobros-26062020.exe.5.dr; String found in binary or memory: http://www.componentace.com
Source: msapplication.xml1.1.dr; String found in binary or memory: http://www.google.com/
Source: EDP-Cobros-26062020.exe, EDP-Cobros-26062020.exe.5.dr; String found in binary or memory: http://www.indyproject.org/
Source: msapplication.xml2.1.dr; String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr; String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr; String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr; String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr; String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr; String found in binary or memory: http://www.youtube.com/
Source: W41LJ0R6.htm.2.dr; String found in binary or memory: https://www.mediafire.com/file/3r4odpj7juk2fre/EDP-Fact26062020.zip
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown; Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49739 -> 443
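The 200 OK for GET / above is the entire phishing landing page: 130 gzip-compressed bytes that the report prints only as hex, while the W41LJ0R6.htm string hit shows the mediafire URL they contain. The Python below is an added example for this page, not Joe Sandbox output. It walks the gzip member by hand (RFC 1952 header, raw DEFLATE body, CRC32/ISIZE trailer) and pulls the meta-refresh target out of the inflated HTML. The hex constant is the report's "Data Raw" field copied verbatim; the function names and the parsing logic are ours. Inflated, the body is a single 111-byte `<meta HTTP-EQUIV='Refresh' CONTENT='0;URL=...'>` tag that bounces the browser straight to the ZIP on mediafire, which is the download the later unarchiver.exe launch handles.

```python
"""Inflate the gzip body of the 200 OK response to GET / and recover the
redirect it carries.

Added example for this report, not Joe Sandbox output: RESPONSE_BODY_HEX is
the report's "Data Raw" field copied verbatim; the function names and the
parsing logic are ours.
"""
import binascii
import re
import struct
import zlib

# 130 bytes, as printed in the report's "Data Raw" field for the 200 OK.
RESPONSE_BODY_HEX = (
    "1f 8b 08 00 00 00 00 00 00 03 b3 c9 4d 2d 49 54 f0 08 09 09 d0 75 0d 0c f5 0c b3 55 0f 4a "
    "4d 2b 4a 2d ce 50 57 70 f6 f7 0b 71 f5 0b b1 55 37 b0 0e 0d f2 b1 cd 28 29 29 28 b6 d2 d7 "
    "2f 2f 2f d7 cb 4d 4d c9 4c 4c cb 2c 4a d5 4b ce cf d5 4f cb cc 49 d5 37 2e 32 c9 4f 29 c8 "
    "32 cf 2a cd 36 02 1a a0 ef ea 12 a0 eb 96 98 5c 62 64 66 60 66 64 60 64 a0 57 95 59 a0 6e "
    "07 00 6b 37 09 8b 6f 00 00 00"
)

# <meta http-equiv="refresh" content="N;url=TARGET">, any quoting, any case.
META_REFRESH = re.compile(
    rb"<meta\b[^>]*?http-equiv\s*=\s*['\"]?refresh['\"]?[^>]*?"
    rb"content\s*=\s*['\"]?\s*\d+\s*;\s*url\s*=\s*([^'\">\s]+)",
    re.IGNORECASE,
)


def parse_gzip_member(blob: bytes) -> dict:
    """Walk one gzip member by hand (RFC 1952): skip the fixed header and any
    optional fields, inflate the raw DEFLATE body, then check the trailer.
    gzip.decompress() would inflate too, but raises on a bad trailer; for
    captured data we want the mismatch reported, not an exception."""
    if len(blob) < 18 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip member with DEFLATE compression")
    flg = blob[3]
    pos = 10                                   # ID1 ID2 CM FLG MTIME(4) XFL OS
    if flg & 0x04:                             # FEXTRA: 2-byte length + data
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flg & 0x08:                             # FNAME, NUL-terminated
        pos = blob.index(b"\x00", pos) + 1
    if flg & 0x10:                             # FCOMMENT, NUL-terminated
        pos = blob.index(b"\x00", pos) + 1
    if flg & 0x02:                             # FHCRC: 16-bit header CRC
        pos += 2
    payload = zlib.decompress(blob[pos:-8], wbits=-15)   # -15 = raw DEFLATE
    crc32, isize = struct.unpack("<II", blob[-8:])        # trailer
    return {
        "mtime": struct.unpack_from("<I", blob, 4)[0],
        "os": blob[9],                         # 3 = Unix in RFC 1952's table
        "payload": payload,
        "crc_ok": (zlib.crc32(payload) & 0xFFFFFFFF) == crc32,
        "isize_ok": (len(payload) & 0xFFFFFFFF) == isize,
    }


def meta_refresh_target(html: bytes):
    """Return the URL of an HTML meta-refresh redirect, or None."""
    m = META_REFRESH.search(html)
    return m.group(1).decode("ascii", "replace") if m else None


def analyse_response_body(hex_dump: str) -> dict:
    """Decode a report-style hex dump of a gzip response body and extract the
    redirect target, if the page is a meta-refresh bounce."""
    blob = binascii.unhexlify(hex_dump.replace(" ", "").replace("\n", ""))
    info = parse_gzip_member(blob)
    info["redirect"] = meta_refresh_target(info["payload"])
    return info


if __name__ == "__main__":
    result = analyse_response_body(RESPONSE_BODY_HEX)
    print(result["payload"].decode("utf-8", "replace"))
    print("redirect ->", result["redirect"])
```

Two things in the surrounding lines are not sample artifacts: the msapplication.xml strings naming Facebook, Twitter and YouTube are Internet Explorer tile metadata for the sandbox user's own Favorites (the `<favorite src="C:\Users\user\Favorites\...url"/>` elements say as much), and the "process start blacklist hit" above is iexplore.exe launching unarchiver.exe, the analysis system's own archive handler (it is what spawns `7za.exe x -pinfected`), not a browser exploit.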

Source: unarchiver.exe; Binary or memory string: "<HOOK MODULE='DDRAW.DLL' FUNCTION='DirectDrawCreateEx'/>"

Source: EDP-Cobros-26062020.exe.5.dr; Static PE information: Number of sections : 11 > 10
Source: EDP-Cobros-26062020.exe.5.dr; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST (11 such resources)
Source: ~~.5.dr; Static PE information: No import functions for PE file found
Source: classification engine; Classification label: mal60.phis.evad.win@13/23@4/3
Source: C:\Program Files\internet explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe; Mutant created: \Sessions\1\BaseNamedObjects\socaeshupa
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Temp\~DFFF25192D4C4F69D1.TMP
Source: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\internet explorer\iexplore.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\unarchiver.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7za.exe; String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0
Source: EDP-Cobros-26062020.exe; String found in binary or memory: NATS-SEFI-ADD
Source: EDP-Cobros-26062020.exe; String found in binary or memory: NATS-DANO-ADD
Source: EDP-Cobros-26062020.exe; String found in binary or memory: JIS_C6229-1984-b-add
Source: EDP-Cobros-26062020.exe; String found in binary or memory: jp-ocr-b-add
Source: EDP-Cobros-26062020.exe; String found in binary or memory: JIS_C6229-1984-hand-add
Source: EDP-Cobros-26062020.exe; String found in binary or memory: jp-ocr-hand-add
Source: EDP-Cobros-26062020.exe; String found in binary or memory: ISO_6937-2-add
Source: unarchiver.exe; String found in binary or memory: -install
Source: EDP-Cobros-26062020.exe; String found in binary or memory: "The device has succeeded a query-stop and its resource requirements have changed."
Source: EDP-Cobros-26062020.exe; String found in binary or memory: "The components threading model has changed after install into a COM+ Application. Please re-install component."
Source: EDP-Cobros-26062020.exe; String found in binary or memory: "The device's co-installer has additional work to perform after installation is complete."
Source: EDP-Cobros-26062020.exe; String found in binary or memory: "The device's co-installer is invalid."
Source: EDP-Cobros-26062020.exe; String found in binary or memory: "BitLocker Drive Encryption can only be used for limited provisioning or recovery purposes when the computer is running in pre-installation or recovery environments."
Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5372 CREDAT:17410 /prefetch:2
Source: unknown; Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\EDP-Fact26062020.zip'
Source: unknown; Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\EDP-Fact26062020.zip'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (2 occurrences)
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe'
Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe
Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5372 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\EDP-Fact26062020.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\EDP-Fact26062020.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe
Source: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CACAF262-9370-4615-A13B-9F5539DA4C0A}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe; Window found: window name: TButton
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb (source: ~~.5.dr)

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample; Static PE information: 0x6AB99023 [Sun Sep 27 21:52:35 2026 UTC]
Source: EDP-Cobros-26062020.exe.5.dr; Static PE information: section name: .didata
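The two static findings above need different weights. The COFF TimeDateStamp 0x6AB99023 decodes to 27 September 2026, more than six years after the capture (the server's Date header says 26 June 2020), so it is forged or random rather than a link time. The `.didata` section, on the other hand, is the delay-import data section the Delphi linker emits (next to `.itext` for initialisation code), which fits the Borland\Delphi registry keys, the TButton window and the indyproject.org string elsewhere in this report; a Delphi build lays out exactly eleven sections, which is also where the "11 > 10" section count comes from. The Python below is an added example, not part of the report: it parses the COFF header and section table of a PE and applies the two checks with the analysis date as the reference clock. The time stamp and the section layout are the report's; the header-only PE image it builds is a constructed stand-in for the dropped EDP-Cobros-26062020.exe (the file itself is not on this page), and the section-name allowlist is ours.

```python
"""Apply the report's time-stamp and section-table checks to a PE header,
with a compiler-aware allowlist so that Delphi's .didata/.itext are not
reported as "strange".

Added example, not report output. The time stamp 0x6AB99023 and the
11-section layout are the report's; the header-only image built below is
a constructed stand-in for the dropped executable, and KNOWN_SECTIONS is
our allowlist.
"""
import struct
from datetime import datetime, timezone

# "Date:" header of the server's 200 OK in this report, i.e. when the
# analysis ran. No genuine link time can be later than this.
ANALYSIS_TIME = "2020-06-26T07:28:15+00:00"

# Section names a normal MSVC or Delphi link produces. .itext and .didata
# (initialisation code, delay-import data) are Delphi-specific and are
# expected in a binary that opens HKCU\Software\Borland\Delphi.
KNOWN_SECTIONS = {
    ".text", ".itext", ".data", ".bss", ".tls", ".rdata", ".idata",
    ".didata", ".edata", ".rsrc", ".reloc", ".pdata", ".xdata", ".CRT",
}

COFF_HEADER = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp,
                                 # PtrToSymTab, NumSymbols, SizeOfOptHdr, Chars
SECTION_HEADER = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, ...


def build_header_only_pe(timestamp: int, section_names) -> bytes:
    """Constructed input: MZ stub + PE signature + COFF header + section
    table, with no optional header and no section data. Enough for
    parse_pe() below; it is not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER, 0x014C, len(section_names), timestamp,
                       0, 0, 0, 0x0102)     # EXECUTABLE_IMAGE | 32BIT_MACHINE
    table = b"".join(
        struct.pack(SECTION_HEADER, n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0,
                    0x60000020)             # CODE | EXECUTE | READ placeholder
        for n in section_names)
    return dos + b"PE\x00\x00" + coff + table


def parse_pe(data: bytes) -> dict:
    """Read e_lfanew, the COFF header and the section names."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (machine, n_sections, timestamp, _, _,
     opt_size, characteristics) = struct.unpack_from(COFF_HEADER, data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size    # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)[0]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return {"machine": machine, "timestamp": timestamp,
            "characteristics": characteristics, "sections": names}


def assess_pe(data: bytes, analysis_time: str = ANALYSIS_TIME) -> dict:
    """The report's two checks plus the allowlist that separates a forged
    time stamp (real signal) from a compiler's usual section names (noise)."""
    pe = parse_pe(data)
    link_time = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    analysed = datetime.fromisoformat(analysis_time)
    flags = []
    if link_time > analysed:
        flags.append("timestamp_in_future")
    if len(pe["sections"]) > 10:
        flags.append("section_count_above_10")
    unknown = [n for n in pe["sections"] if n not in KNOWN_SECTIONS]
    if unknown:
        flags.append("unknown_section_names")
    return {
        "timestamp_utc": link_time.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "section_count": len(pe["sections"]),
        "unknown_sections": unknown,
        "flags": flags,
    }


# The report's time stamp on the eleven sections a Delphi link emits.
SAMPLE_PE = build_header_only_pe(0x6AB99023, [
    ".text", ".itext", ".data", ".bss", ".tls", ".rdata", ".idata",
    ".didata", ".edata", ".rsrc", ".reloc"])

if __name__ == "__main__":
    print(assess_pe(SAMPLE_PE))
```

On the report's values this yields the future time stamp and the section count as flags and an empty `unknown_sections`; a packed file with `UPX0`/`UPX1` sections and a plausible stamp trips only the allowlist, which is the case the "non-standard names" signature is meant for.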

Source: C:\Windows\SysWOW64\7za.exe; File created: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\~~ (2 occurrences)
Source: C:\Windows\SysWOW64\7za.exe; File created: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe

Source: C:\Windows\SysWOW64\unarchiver.exe; Process information set: NOOPENFILEERRORBOX (17 occurrences)
Source: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (4 occurrences)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: EDP-Cobros-26062020.exe; Binary or memory string: PROCMON.EXE
Source: EDP-Cobros-26062020.exe; Binary or memory string: REGMON.EXE
Source: EDP-Cobros-26062020.exe; Binary or memory string: WIRESHARK.EXE
Source: EDP-Cobros-26062020.exe; Binary or memory string: FILEMON.EXE
Source: C:\Windows\SysWOW64\7za.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\~~
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3468; Thread sleep count: 179 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3468; Thread sleep time: -89500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe; Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000409
Source: C:\Windows\SysWOW64\unarchiver.exe; Last function: Thread delayed (2 occurrences)
Source: EDP-Cobros-26062020.exe; Binary or memory string: "The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported."
Source: EDP-Cobros-26062020.exe; Binary or memory string: "A Virtual Machine could not be started because Hyper-V is not installed."
Source: EDP-Cobros-26062020.exe; Binary or memory string: "An unknown internal message was received by the Hyper-V Compute Service."
Source: EDP-Cobros-26062020.exe; Binary or memory string: "A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service."
Source: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe; Process information queried: ProcessInformation

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe; Open window title or class name: tcpviewclass
Source: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe; Open window title or class name: procexpl
Source: C:\Windows\SysWOW64\unarchiver.exe; Memory allocated: page read and write | page guard

Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\EDP-Fact26062020.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe; Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe C:\Users\user\AppData\Local\Temp\cilmpwvb.mqf\EDP-Cobros-26062020.exe
Source: unarchiver.exe; Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe; Binary or memory string: Progman
Source: unarchiver.exe; Binary or memory string: "Program Manager"

Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\unarchiver.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: EDP-Cobros-26062020.exe; Binary or memory string: procmon.exe
Source: EDP-Cobros-26062020.exe; Binary or memory string: Wireshark.exe
Source: EDP-Cobros-26062020.exe; Binary or memory string: regmon.exe
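The four process-name strings and the two window-class probes in the two evasion sections above (tcpviewclass is TCPView's main window class, procexpl is Process Explorer's) are the classic Sysinternals check list, and the lower-case duplicates just above show the binary keeps both spellings, so any matcher has to be case-insensitive. The Python below is an added example, not report output: it reproduces the static side of those two signatures by extracting ASCII and UTF-16LE strings from a binary and matching them against an indicator table. The sample blob is constructed (it embeds the report's six indicators among benign Delphi strings); the table entries beyond those six are ours, taken from the commonly probed debugger and monitor class names, and are not findings of this report.

```python
"""Find analysis-tool indicators in a binary's strings: process names that
malware compares against the running process list, and window class names
it probes with FindWindow.

Added example, not report output. SAMPLE_BLOB is constructed; it embeds the
four process names and two window classes the report lists. The table
entries beyond those six are ours, not findings of this report.
"""
import re

# Process names compared against CreateToolhelp32Snapshot output.
ANALYSIS_PROCESSES = {
    "procmon.exe", "procmon64.exe", "regmon.exe", "filemon.exe",
    "wireshark.exe", "tcpview.exe", "procexp.exe", "procexp64.exe",
    "ollydbg.exe", "x32dbg.exe", "x64dbg.exe", "windbg.exe", "idaq.exe",
}

# Window class names probed with FindWindowA/W: class -> tool.
ANALYSIS_WINDOW_CLASSES = {
    "tcpviewclass": "TCPView",
    "procexpl": "Process Explorer",
    "procmon_window_class": "Process Monitor",
    "filemonclass": "FileMon",
    "regmonclass": "RegMon",
    "ollydbg": "OllyDbg",
    "windbgframeclass": "WinDbg",
}

ASCII_STRING = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_STRING = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob: bytes):
    """Yield (encoding, text) for printable ASCII and UTF-16LE runs of four
    or more characters, the way `strings` and `strings -e l` do. Delphi and
    most Win32 code keep literals in one of these two forms."""
    for m in ASCII_STRING.finditer(blob):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16_STRING.finditer(blob):
        yield "utf-16le", m.group().decode("utf-16le")


def scan_for_analysis_tools(blob: bytes) -> dict:
    """Report which indicators occur (case-insensitive substring match, since
    the binary above carries both PROCMON.EXE and procmon.exe) and in which
    string encoding each was found."""
    processes, windows = {}, {}
    for enc, text in extract_strings(blob):
        low = text.lower()
        for name in ANALYSIS_PROCESSES:
            if name in low:
                processes.setdefault(name, set()).add(enc)
        for cls in ANALYSIS_WINDOW_CLASSES:
            if cls in low:
                windows.setdefault(cls, set()).add(enc)
    return {
        "process_names": {k: sorted(v) for k, v in sorted(processes.items())},
        "window_classes": {k: sorted(v) for k, v in sorted(windows.items())},
        "tools_probed": sorted(ANALYSIS_WINDOW_CLASSES[c] for c in windows),
        "indicator_count": len(processes) + len(windows),
    }


def _c(s: str) -> bytes:          # NUL-terminated ASCII literal
    return s.encode("ascii") + b"\x00"


def _w(s: str) -> bytes:          # NUL-terminated UTF-16LE literal
    return s.encode("utf-16le") + b"\x00\x00"


# Constructed stand-in for the dropped executable's string table: benign
# Delphi VCL names around the six indicators the report lists, in the
# upper- and mixed-case spellings it shows, plus binary filler.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + _c("TButton") + _c("Software\\Borland\\Delphi\\Locales")
    + _c("PROCMON.EXE") + _c("REGMON.EXE") + _c("FILEMON.EXE")
    + _w("Wireshark.exe")
    + _c("tcpviewclass") + _c("procexpl")
    + b"\xff\xfe\x00\x01" * 8 + _c("http://www.indyproject.org/")
)

if __name__ == "__main__":
    for key, value in scan_for_analysis_tools(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Two caveats when reading these sections. The "Hyper-V" strings listed under the evasion signature sit alongside other verbatim Windows system error messages in this binary (the BitLocker and co-installer texts under the strings further up), so they look like an embedded copy of the system message table rather than a hypervisor check; only the FindWindow probes and the process-name list were actually exercised. And the sleep loop, the thread delays, the Shell_TrayWnd/Progman strings, the DirectDrawCreateEx hook and the MachineGuid query are all attributed to unarchiver.exe, the analysis system's own archive handler (it is what runs `7za.exe x -pinfected` and the `cmd.exe /C` launch), so only the EDP-Cobros-26062020.exe lines describe the sample.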

Mitre Att&ck Matrix

A number in parentheses reproduces the hit count printed beside a matched technique; entries without one are the matrix's unmatched cells.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command-Line Interface (2); Exploitation for Client Execution (1); Graphical User Interface (1); Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection (12); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Masquerading (11); Disabling Security Tools (1); Virtualization/Sandbox Evasion (11); Timestomp (1); Process Injection (12)
Credential Access: Input Capture (1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Virtualization/Sandbox Evasion (11); Process Discovery (2); Security Software Discovery (211); File and Directory Discovery (1); System Information Discovery (22)
Lateral Movement: Remote File Copy (4); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol (2); Remote File Copy (4); Standard Non-Application Layer Protocol (4); Standard Application Layer Protocol (5); Standard Cryptographic Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings
