
Analysis Report PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe

Overview

General Information

Sample Name: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Analysis ID: 286346
MD5: 52da5d6ab23109e68174667433a7f36a
SHA1: 7dc28eaeaa2d25a02678d1c2c05590863c4dd1df
SHA256: ab1ee0b548744b3e7892af6517a41f37b462856e0b744bd9ad58af079771db33
Tags: AgentTesla, exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe (PID: 4876 cmdline: 'C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe' MD5: 52DA5D6AB23109E68174667433A7F36A)
    • schtasks.exe (PID: 5708 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FqAAmXG' /XML 'C:\Users\user\AppData\Local\Temp\tmp209E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.193638469.0000000002ECF000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000002.193558813.0000000002E71000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000002.194145639.0000000003E79000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.445309650.0000000002926000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.441584657.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
2 further entries not shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FqAAmXG' /XML 'C:\Users\user\AppData\Local\Temp\tmp209E.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FqAAmXG' /XML 'C:\Users\user\AppData\Local\Temp\tmp209E.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe'
  ParentImage: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
  ParentProcessId: 4876
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FqAAmXG' /XML 'C:\Users\user\AppData\Local\Temp\tmp209E.tmp'
  ProcessId: 5708

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\FqAAmXG.exe | Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Roaming\FqAAmXG.exe | ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Virustotal: Detection: 20%
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | ReversingLabs: Detection: 18%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\FqAAmXG.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Joe Sandbox ML: detected
Source: 4.2.PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.193558813.0000000002E71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.193012955.00000000010EB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FqAAmXG.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.198593029.0000000006080000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameButterFly.dll< vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.200068382.0000000006890000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000003.182695984.0000000001174000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.192691784.00000000009E3000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWab1.exe4 vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.193558813.0000000002E71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZxjCPHVzfuFYHrjPlBlBjdZvSGubRjZtGSo.exe4 vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.200699652.0000000006990000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.200699652.0000000006990000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000004.00000002.442708851.0000000000513000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWab1.exe4 vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000004.00000002.444267525.0000000000C8A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000004.00000002.442980593.00000000008F7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000004.00000002.450529188.00000000060B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000004.00000002.448950883.0000000004E70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000004.00000002.441584657.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameZxjCPHVzfuFYHrjPlBlBjdZvSGubRjZtGSo.exe4 vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Binary or memory string: OriginalFilenameWab1.exe4 vs PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FqAAmXG.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: FqAAmXG.exe.1.dr, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe.920000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe.920000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe.450000.1.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe.450000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@0/0
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | File created: C:\Users\user\AppData\Roaming\FqAAmXG.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_01
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | File created: C:\Users\user\AppData\Local\Temp\tmp209E.tmp
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Virustotal: Detection: 20%
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | File read: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe 'C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FqAAmXG' /XML 'C:\Users\user\AppData\Local\Temp\tmp209E.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FqAAmXG' /XML 'C:\Users\user\AppData\Local\Temp\tmp209E.tmp'
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Process created: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 4_2_00C5DA4E push es; ret 4_2_00C5DA51
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 4_2_05040006 push ss; ret 4_2_05040026
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 4_2_05040038 push ds; ret 4_2_0504003A
Source: initial sample | Static PE information: section name: .text entropy: 7.42020160126
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | File created: \po#2081776 fa2003084 sap s4 hana myc20028.exe
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | File created: C:\Users\user\AppData\Roaming\FqAAmXG.exe (dropped file)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FqAAmXG' /XML 'C:\Users\user\AppData\Local\Temp\tmp209E.tmp'
Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: 00000001.00000002.193638469.0000000002ECF000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.193558813.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe PID: 4876, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.193638469.0000000002ECF000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.193638469.0000000002ECF000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Window / User API: threadDelayed 598
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 4640 | Thread sleep time: -57969s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 4640 | Thread sleep time: -45000s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 4724 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6160 | Thread sleep count: 195 > 30
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6160 | Thread sleep count: 598 > 30
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -89721s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -88362s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -58688s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -86721s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -85362s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -85032s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -84750s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -84471s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -83721s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -83391s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -83112s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -82782s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -81750s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -81471s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -54094s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -80112s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -79782s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -79500s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -79221s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -78750s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -78471s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -78141s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -77112s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -76782s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -50500s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -75471s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -75141s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -49408s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -48500s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -48314s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -47814s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -46500s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -46314s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -45408s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -45188s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -44314s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -44094s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -43000s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -42814s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -41908s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -40814s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -40594s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -37314s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -36000s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -35594s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -35188s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -32500s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -32314s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -31408s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -31188s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -30314s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -30094s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -59500s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -59314s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -58408s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -57594s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -57314s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -56000s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -54908s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -54688s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -53814s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -53594s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -51000s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -50814s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -49908s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -49000s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe TID: 6368 | Thread sleep time: -48814s >= -30000s
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Last function: Thread delayed
              Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.193638469.0000000002ECF000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.193638469.0000000002ECF000.00000004.00000001.sdmp | Binary or memory string: vmware
              Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.193638469.0000000002ECF000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
              Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000001.00000002.193638469.0000000002ECF000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Memory written: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FqAAmXG' /XML 'C:\Users\user\AppData\Local\Temp\tmp209E.tmp'
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Process created: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe
              Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000004.00000002.444766395.00000000012E0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
              Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000004.00000002.444766395.00000000012E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000004.00000002.444766395.00000000012E0000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe, 00000004.00000002.444766395.00000000012E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe VolumeInformation
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Code function: 4_2_00C54944 GetUserNameW, 4_2_00C54944
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000001.00000002.194145639.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.445309650.0000000002926000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.441584657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe PID: 6316, type: MEMORY
              Source: Yara match | File source: 4.2.PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to steal Mail credentials (via file access)
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\Desktop\PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000001.00000002.194145639.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.445309650.0000000002926000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.441584657.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe PID: 6316, type: MEMORY
              Source: Yara match | File source: 4.2.PO#2081776 FA2003084 SAP S4 HANA MYC20028.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 1 | OS Credential Dumping 1 | Security Software Discovery 321 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 14 | Input Capture 111 | Virtualization/Sandbox Evasion 14 | Remote Desktop Protocol | Input Capture 111 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Data from Local System 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 114 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Behavior Graph

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.