
Analysis Report sample.exe

Overview

General Information

Sample Name: sample.exe
Analysis ID: 251405
MD5: 5284f2578d687d4d88531880acf873c6
SHA1: 75e7e3886aa34c8ab2897292e52496f1562c88a9
SHA256: 07d07bdc1fb28af5b2e774a65bf6848d545c440f9b2caacc5105f4afc091e924

Most interesting Screenshot:

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Found large amount of non-executed APIs
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • sample.exe (PID: 2384 cmdline: 'C:\Users\user\Desktop\sample.exe' MD5: 5284F2578D687D4D88531880ACF873C6)
    • sample.exe (PID: 3636 cmdline: 'C:\Users\user\Desktop\sample.exe' MD5: 5284F2578D687D4D88531880ACF873C6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.898330879.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000000.00000002.537586560.0000000000540000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: sample.exe PID: 3636 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://vinival.me/origbindedwithbtcvfour.exe | Avira URL Cloud: Label: malware
Source: https://long.af/tozawx | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://vinival.me/origbindedwithbtcvfour.exe | Virustotal: Detection: 12%
Source: https://long.af/tozawx | Virustotal: Detection: 12%
Source: https://vinival.me/ | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: sample.exe | Virustotal: Detection: 70%
Source: sample.exe | ReversingLabs: Detection: 80%
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: long.af
Source: sample.exe, 00000002.00000002.898754601.0000000000987000.00000004.00000020.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: sample.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: sample.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sample.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: sample.exe, 00000002.00000002.898754601.0000000000987000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: sample.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: sample.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sample.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: sample.exe, 00000002.00000002.898754601.0000000000987000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: sample.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: sample.exe, 00000002.00000002.898754601.0000000000987000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: sample.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: sample.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sample.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sample.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: sample.exe, 00000002.00000002.898754601.0000000000987000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: sample.exe, 00000002.00000002.898754601.0000000000987000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: sample.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: sample.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: sample.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: sample.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: sample.exe, 00000002.00000003.628357582.00000000009ED000.00000004.00000001.sdmp | String found in binary or memory: https://long.af/
Source: sample.exe, 00000002.00000003.628357582.00000000009ED000.00000004.00000001.sdmp | String found in binary or memory: https://long.af//
Source: sample.exe, 00000002.00000002.898740704.0000000000980000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/;6
Source: sample.exe, 00000002.00000003.628357582.00000000009ED000.00000004.00000001.sdmp | String found in binary or memory: https://long.af/e
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/m
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/ong.af/ozawx
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/ong.af/stem32
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/ong.af/tozawx
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/ong.af/wxrI
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/ozawx
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/ozawxtography
Source: sample.exe, 00000002.00000003.628393857.0000000000A07000.00000004.00000001.sdmp | String found in binary or memory: https://long.af/tozawx
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/tozawxgK
Source: sample.exe, 00000002.00000003.628357582.00000000009ED000.00000004.00000001.sdmp | String found in binary or memory: https://long.af/tozawxn0Bb
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/tozawxuK
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://long.af/tozawx~K
Source: sample.exe | String found in binary or memory: https://mozilla.org0
Source: sample.exe, 00000002.00000002.898330879.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=72EF66C14DF86B76&resid=72EF66C14DF86B76%21190&authkey=AJ-3yQm
Source: sample.exe, 00000002.00000003.628334619.00000000009D5000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: sample.exe, 00000002.00000002.898886775.00000000009D5000.00000004.00000020.sdmp, sample.exe, 00000002.00000003.628357582.00000000009ED000.00000004.00000001.sdmp | String found in binary or memory: https://vinival.me/
Source: sample.exe, 00000002.00000003.628334619.00000000009D5000.00000004.00000001.sdmp | String found in binary or memory: https://vinival.me/5
Source: sample.exe, 00000002.00000003.628357582.00000000009ED000.00000004.00000001.sdmp | String found in binary or memory: https://vinival.me/l1Ab
Source: sample.exe, 00000002.00000002.898886775.00000000009D5000.00000004.00000020.sdmp, sample.exe, 00000002.00000003.628357582.00000000009ED000.00000004.00000001.sdmp, sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://vinival.me/origbindedwithbtcvfour.exe
Source: sample.exe, 00000002.00000002.898843941.00000000009BB000.00000004.00000020.sdmp | String found in binary or memory: https://vinival.me/origbindedwithbtcvfour.exet
Source: sample.exe, 00000002.00000002.898989612.0000000000A0C000.00000004.00000020.sdmp | String found in binary or memory: https://vinival.me/origbindedwithbtcvfour.exevinival.mevinivalme
Source: sample.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_005604CB EnumWindows, NtSetInformationThread, NtProtectVirtualMemory
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_0056A4EE NtProtectVirtualMemory
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560675 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560671 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_0056067D NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560679 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560A65 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560B01 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560535 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560531 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_0056053D NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560539 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560AD5 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560ADD NtProtectVirtualMemory
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560695 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560691 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_0056069D NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560699 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560685 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560681 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_0056068D NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00560689 NtSetInformationThread
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_005606A1 NtSetInformationThread
Source: sample.exe | Static PE information: invalid certificate
Source: sample.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sample.exe, 00000000.00000002.537231931.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUdmugn.exe vs sample.exe
Source: sample.exe, 00000002.00000002.904598822.000000001EE40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs sample.exe
Source: sample.exe, 00000002.00000000.527553317.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUdmugn.exe vs sample.exe
Source: sample.exe, 00000002.00000002.904559707.000000001ECF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs sample.exe
Source: sample.exe | Binary or memory string: OriginalFilenameUdmugn.exe vs sample.exe
Source: classification engine | Classification label: mal96.rans.troj.evad.winEXE@3/0@83/1
Source: C:\Users\user\Desktop\sample.exe | File created: C:\Users\user\AppData\Local\Temp\IODO
Source: sample.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sample.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\sample.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\sample.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\sample.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\sample.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\sample.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: sample.exe | Virustotal: Detection: 70%
Source: sample.exe | ReversingLabs: Detection: 80%
Source: unknown | Process created: C:\Users\user\Desktop\sample.exe 'C:\Users\user\Desktop\sample.exe'
Source: unknown | Process created: C:\Users\user\Desktop\sample.exe 'C:\Users\user\Desktop\sample.exe'
Source: C:\Users\user\Desktop\sample.exe | Process created: C:\Users\user\Desktop\sample.exe 'C:\Users\user\Desktop\sample.exe'
Source: C:\Users\user\Desktop\sample.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000002.00000002.898330879.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.537586560.0000000000540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sample.exe PID: 3636, type: MEMORY
Source: sample.exe | Static PE information: real checksum: 0x559de should be: 0x2910a
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00410C08 push dword ptr [ebx+30B3CB2Fh]; retf 0_2_00410C12
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0040781F push es; ret 0_2_00407820
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00410C27 push dword ptr [ebp+34B5CC36h]; retf 0_2_00410C45
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00407029 push es; ret 0_2_00407030
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0040D8E2 push eax; ret 0_2_0040D8E3
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_004108A8 push dword ptr [ebx+30B3CB2Fh]; retf 0_2_004108B2
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00411D66 push dword ptr [ebx+33B4CB30h]; retf 0_2_00411D6E
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00404D02 push es; ret 0_2_00404D08
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00403D08 push es; ret 0_2_00403D0C
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0040752C push es; ret 0_2_0040754C
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00411DDF pushad ; retf 0_2_00411DE0
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_00406A7E push ebx; ret 0_2_00406A7F
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_004052C8 push es; ret 0_2_004052CC
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_004106FB push dword ptr [ebp+37FFCD36h]; retf 0_2_0041070E
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0040EA97 push es; ret 0_2_0040EA98
Source: C:\Users\user\Desktop\sample.exe | Code function: 0_2_0040B6A4 push C562AAF1h; ret 0_2_0040B6A9

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\sample.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mangelvar C:\Users\user\AppData\Local\Temp\IODO\deckelsr.vbs
Source: C:\Users\user\Desktop\sample.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mangelvar C:\Users\user\AppData\Local\Temp\IODO\deckelsr.vbs
Source: C:\Users\user\Desktop\sample.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mangelvar
Source: C:\Users\user\Desktop\sample.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mangelvar
Source: C:\Users\user\Desktop\sample.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mangelvar
Source: C:\Users\user\Desktop\sample.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce mangelvar
Source: C:\Users\user\Desktop\sample.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sample.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sample.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sample.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sample.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sample.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sample.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\sample.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep (graph_2-4525)
Source: C:\Users\user\Desktop\sample.exe | API coverage: 8.8 %
Source: C:\Users\user\Desktop\sample.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\sample.exe | Last function: Thread delayed
Source: sample.exe, 00000002.00000002.898796230.000000000099D000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWX
Source: sample.exe, 00000002.00000002.898886775.00000000009D5000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_005604CB NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000
Hides threads from debuggers
Source: C:\Users\user\Desktop\sample.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\sample.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00565BCD LdrInitializeThunk
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00561D57 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_0056844D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00564304 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00569AD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00562BF5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample.exe | Code function: 2_2_00568CB1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\sample.exe | Process created: C:\Users\user\Desktop\sample.exe 'C:\Users\user\Desktop\sample.exe'
Source: sample.exe, 00000002.00000002.899067050.0000000000E10000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: sample.exe, 00000002.00000002.899067050.0000000000E10000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: sample.exe, 00000002.00000002.899067050.0000000000E10000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: sample.exe, 00000002.00000002.899067050.0000000000E10000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Techniques listed per tactic column; the number in parentheses is the match count shown in the report for that technique.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (1); Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection (12); Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (12); Obfuscated Files or Information (1); Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (1); System Information Discovery (1); Remote System Discovery (1)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (2); Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud

Behavior Graph

(Graph image not included in this extract.)

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.