
Analysis Report New Supplier inquiry 07030810HAMZ_ doc.exe

Overview

General Information

Sample Name: New Supplier inquiry 07030810HAMZ_ doc.exe
Analysis ID: 255374
MD5: e224b89fc85c46253d7b733764fe415c
SHA1: 3a10ce9c17ce932e1866b71766e637973d56adc6
SHA256: 1dfc1867ced521cbf61f7bbe647e8a6e5bdd3a05e22c05dcee20660e236d5812

Detection

GuLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides threads from debuggers
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: New Supplier inquiry 07030810HAMZ_ doc.exe PID: 7036 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: New Supplier inquiry 07030810HAMZ_ doc.exe PID: 4844 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02159878 NtProtectVirtualMemory,0_2_02159878
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02157B0D NtWriteVirtualMemory,LoadLibraryA,0_2_02157B0D
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02159D21 NtResumeThread,0_2_02159D21
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02151811 NtWriteVirtualMemory,0_2_02151811
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02153E01 NtWriteVirtualMemory,0_2_02153E01
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02150000 NtSetInformationThread,TerminateProcess,0_2_02150000
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_0215A24F NtResumeThread,0_2_0215A24F
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02159E71 NtResumeThread,0_2_02159E71
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02159C82 NtProtectVirtualMemory,0_2_02159C82
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_0215A103 NtResumeThread,0_2_0215A103
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02153D3B NtWriteVirtualMemory,0_2_02153D3B
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02159D2F NtResumeThread,0_2_02159D2F
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02150729 NtSetInformationThread,TerminateProcess,0_2_02150729
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_0215A561 NtResumeThread,0_2_0215A561
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02154D9F NtSetInformationThread,TerminateProcess,0_2_02154D9F
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02159FB3 NtResumeThread,0_2_02159FB3
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_021539BD NtWriteVirtualMemory,0_2_021539BD
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_0215A3AB NtResumeThread,0_2_0215A3AB
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02153BC1 NtWriteVirtualMemory,0_2_02153BC1
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_021537F7 NtWriteVirtualMemory,0_2_021537F7
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_00402EC4 0_2_00402EC4
Source: New Supplier inquiry 07030810HAMZ_ doc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.260836721.0000000000414000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStorlinjedes4.exe vs New Supplier inquiry 07030810HAMZ_ doc.exe
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.265163657.00000000028F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStorlinjedes4.exeFE2Xhelikopterec vs New Supplier inquiry 07030810HAMZ_ doc.exe
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.262080923.0000000002090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs New Supplier inquiry 07030810HAMZ_ doc.exe
Source: New Supplier inquiry 07030810HAMZ_ doc.exe | Binary or memory string: OriginalFilename vs New Supplier inquiry 07030810HAMZ_ doc.exe
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000004.00000000.259908545.0000000000414000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStorlinjedes4.exe vs New Supplier inquiry 07030810HAMZ_ doc.exe
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000004.00000001.260649042.0000000000400000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMSHTML.TLBD vs New Supplier inquiry 07030810HAMZ_ doc.exe
Source: New Supplier inquiry 07030810HAMZ_ doc.exe | Binary or memory string: OriginalFilenameStorlinjedes4.exe vs New Supplier inquiry 07030810HAMZ_ doc.exe
Source: classification engine | Classification label: mal64.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | File created: C:\Users\user\AppData\Local\Temp\~DF72100FDC30DE918E.TMP
Source: New Supplier inquiry 07030810HAMZ_ doc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe 'C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe' (2 identical entries)
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Process created: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe 'C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe'
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: New Supplier inquiry 07030810HAMZ_ doc.exe PID: 7036, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Supplier inquiry 07030810HAMZ_ doc.exe PID: 4844, type: MEMORY
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_0040406A push ebp; iretd 0_2_0040406B
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_00409202 push ebx; ret 0_2_0040921D
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_00405020 push ebx; iretd 0_2_00405337
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_00406A26 push ecx; iretd 0_2_00406A33
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_004066D5 push ecx; iretd 0_2_0040689B
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_004068A6 push ebp; ret 0_2_004068A7
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_004068AA push ecx; iretd 0_2_0040689B
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_0040CCAC push edi; ret 0_2_0040CCB9
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_0040674F push ecx; iretd 0_2_0040689B
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_0040C76B push ebp; retf 0_2_0040C791
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_00404FC7 push ebx; iretd 0_2_00405337
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_004083D8 push ebx; iretd 0_2_004083DB

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Cucumaria C:\Users\user\AppData\Local\Temp\BEMANDENDE\Inactivations1.vbs (2 identical entries)
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Cucumaria (4 identical entries)
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Process information set: NOOPENFILEERRORBOX (7 identical entries)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | RDTSC instruction interceptor: First address: 00000000021586AE second address: 00000000021586AE instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F05D8D9330Fh 0x0000001f popad 0x00000020 call 00007F05D8D92E4Ah 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | RDTSC instruction interceptor: First address: 00000000006B86AE second address: 00000000006B86AE instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F05D8D90F0Fh 0x0000001f popad 0x00000020 call 00007F05D8D90A4Ah 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_021586AB rdtsc 0_2_021586AB
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: vmicvss
Source: New Supplier inquiry 07030810HAMZ_ doc.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: New Supplier inquiry 07030810HAMZ_ doc.exe, 00000000.00000002.266661038.00000000038CA000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02150000 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000 0_2_02150000
Hides threads from debuggers
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_021586AB rdtsc 0_2_021586AB
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02154BCF LdrInitializeThunk,0_2_02154BCF
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02152448 mov eax, dword ptr fs:[00000030h] 0_2_02152448
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02153094 mov eax, dword ptr fs:[00000030h] 0_2_02153094
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02158E8F mov eax, dword ptr fs:[00000030h] 0_2_02158E8F
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02158CB8 mov eax, dword ptr fs:[00000030h] 0_2_02158CB8
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02158EA9 mov eax, dword ptr fs:[00000030h] 0_2_02158EA9
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02157AFA mov eax, dword ptr fs:[00000030h] 0_2_02157AFA
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02154327 mov eax, dword ptr fs:[00000030h] 0_2_02154327
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02158B80 mov eax, dword ptr fs:[00000030h] 0_2_02158B80
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_021581DE mov eax, dword ptr fs:[00000030h] 0_2_021581DE
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 0_2_02158FEF mov eax, dword ptr fs:[00000030h] 0_2_02158FEF
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 4_2_006B2448 mov eax, dword ptr fs:[00000030h] 4_2_006B2448
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 4_2_006B7AFA mov eax, dword ptr fs:[00000030h] 4_2_006B7AFA
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 4_2_006B8EA9 mov eax, dword ptr fs:[00000030h] 4_2_006B8EA9
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 4_2_006B8CB8 mov eax, dword ptr fs:[00000030h] 4_2_006B8CB8
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 4_2_006B8E8F mov eax, dword ptr fs:[00000030h] 4_2_006B8E8F
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 4_2_006B3094 mov eax, dword ptr fs:[00000030h] 4_2_006B3094
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 4_2_006B4327 mov eax, dword ptr fs:[00000030h] 4_2_006B4327
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 4_2_006B8FEF mov eax, dword ptr fs:[00000030h] 4_2_006B8FEF
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 4_2_006B81DE mov eax, dword ptr fs:[00000030h] 4_2_006B81DE
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Code function: 4_2_006B8B80 mov eax, dword ptr fs:[00000030h] 4_2_006B8B80
Source: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe | Process created: C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe 'C:\Users\user\Desktop\New Supplier inquiry 07030810HAMZ_ doc.exe'

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder11 | Process Injection11 | Virtualization/Sandbox Evasion11 | OS Credential Dumping | Security Software Discovery321 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder11 | Process Injection11 | LSASS Memory | Virtualization/Sandbox Evasion11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | System Information Discovery11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
