Analysis Report DOC04121993.exe

Overview

General Information

Sample Name: DOC04121993.exe
Analysis ID: 321396
MD5: 710843b45a8e65c939d3ab4fb96d73e4
SHA1: 909799ac70c5a8a472b40579ff0c5bc982979676
SHA256: d0ea8610ecee6c92c50af51c37a0a49f8550768609a08a5a2dcaf98bb06dcff3
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: DOC04121993.exe.1000.2.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "bq6qu", "URL: ": "http://vd2JBRKVM6n.net", "To: ": "info@hybridgroupco.com", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "IhNKJa9", "From: ": "info@hybridgroupco.com"}
Multi AV Scanner detection for domain / URL
Source: mail.hybridgroupco.com Virustotal: Detection: 9%
Multi AV Scanner detection for submitted file
Source: DOC04121993.exe Virustotal: Detection: 69%
Source: DOC04121993.exe ReversingLabs: Detection: 81%
Machine Learning detection for sample
Source: DOC04121993.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.DOC04121993.exe.2240000.3.unpack Avira: Label: TR/Spy.Gen8
Source: 7.2.DOC04121993.exe.2290000.3.unpack Avira: Label: TR/Spy.Gen8
Source: 5.2.DOC04121993.exe.2750000.3.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.DOC04121993.exe.22e0000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.DOC04121993.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408978
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00408A78 FindFirstFileA,GetLastError, 0_2_00408A78
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405B54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 3_2_00408978
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00408A78 FindFirstFileA,GetLastError, 3_2_00408A78
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_00405B54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 5_2_00408978
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00408A78 FindFirstFileA,GetLastError, 5_2_00408A78
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 5_2_00405B54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 8_2_00408978
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00408A78 FindFirstFileA,GetLastError, 8_2_00408A78
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 8_2_00405B54
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49731 -> 66.70.204.222:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 66.70.204.222 66.70.204.222
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49731 -> 66.70.204.222:587
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0233A186 recv, 2_2_0233A186
Source: unknown DNS traffic detected: queries for: mail.hybridgroupco.com
Source: DOC04121993.exe, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp String found in binary or memory: http://127.0.0.1:
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: DOC04121993.exe, 00000002.00000002.468167788.0000000002C9E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: DOC04121993.exe, 00000002.00000002.467888799.0000000002B70000.00000004.00000001.sdmp String found in binary or memory: http://vd2JBRKVM6n.net
Source: DOC04121993.exe, 00000002.00000002.467655668.0000000002A92000.00000004.00000001.sdmp String found in binary or memory: http://vd2JBRKVM6n.net$
Source: DOC04121993.exe, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: DOC04121993.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/
Source: DOC04121993.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DOC04121993.exe, 00000000.00000002.199767698.0000000002705000.00000040.00000001.sdmp, DOC04121993.exe, 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp, DOC04121993.exe, 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp, DOC04121993.exe, 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004070F2 OpenClipboard, 0_2_004070F2
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00422CC4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 0_2_00422CC4
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00423308 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 3_2_00423308
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0045E108 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA, 0_2_0045E108
Creates a DirectInput object (often for capturing keystrokes)
Source: DOC04121993.exe, 00000000.00000002.198945887.000000000084A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0045AACC NtdllDefWindowProc_A, 0_2_0045AACC
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0045B248
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_0045B2F8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0044F67C GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00433DC8 NtdllDefWindowProc_A, 0_2_00433DC8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0043FF18 NtdllDefWindowProc_A,GetCapture, 0_2_0043FF18
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0046E159 NtCreateSection, 2_2_0046E159
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0233B362 NtQuerySystemInformation, 2_2_0233B362
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0233B331 NtQuerySystemInformation, 2_2_0233B331
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_0045AACC NtdllDefWindowProc_A, 3_2_0045AACC
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 3_2_0045B248
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 3_2_0045B2F8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_0044F67C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 3_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00433DC8 NtdllDefWindowProc_A, 3_2_00433DC8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_0043FF18 NtdllDefWindowProc_A,GetCapture, 3_2_0043FF18
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_0045AACC NtdllDefWindowProc_A, 5_2_0045AACC
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 5_2_0045B248
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 5_2_0045B2F8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_0044F67C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 5_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00433DC8 NtdllDefWindowProc_A, 5_2_00433DC8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_0043FF18 NtdllDefWindowProc_A,GetCapture, 5_2_0043FF18
Detected potential crypto function
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004551A0 0_2_004551A0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0044F67C 0_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_00467976 2_2_00467976
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0046D13D 2_2_0046D13D
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3B6E8 2_2_04E3B6E8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E33468 2_2_04E33468
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3702E 2_2_04E3702E
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E20007 2_2_04E20007
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E39010 2_2_04E39010
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E331F8 2_2_04E331F8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3DBB8 2_2_04E3DBB8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E39388 2_2_04E39388
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E37990 2_2_04E37990
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E31568 2_2_04E31568
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E31D20 2_2_04E31D20
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3CB3F 2_2_04E3CB3F
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3810F 2_2_04E3810F
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3C8EB 2_2_04E3C8EB
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E39CFE 2_2_04E39CFE
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3C8AF 2_2_04E3C8AF
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E384B1 2_2_04E384B1
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E328B8 2_2_04E328B8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E348BE 2_2_04E348BE
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3C889 2_2_04E3C889
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E32099 2_2_04E32099
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E37A98 2_2_04E37A98
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3566C 2_2_04E3566C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E36A72 2_2_04E36A72
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3C877 2_2_04E3C877
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E37E78 2_2_04E37E78
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E36C35 2_2_04E36C35
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E39000 2_2_04E39000
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E33468 2_2_04E33468
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E355D3 2_2_04E355D3
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3A3A2 2_2_04E3A3A2
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3DBA9 2_2_04E3DBA9
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E357AD 2_2_04E357AD
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E38998 2_2_04E38998
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E39378 2_2_04E39378
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3155A 2_2_04E3155A
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E32136 2_2_04E32136
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E3553A 2_2_04E3553A
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E39D03 2_2_04E39D03
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E39D08 2_2_04E39D08
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E31D10 2_2_04E31D10
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE07F0 2_2_05AE07F0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE59C8 2_2_05AE59C8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE0D10 2_2_05AE0D10
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE7710 2_2_05AE7710
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE5370 2_2_05AE5370
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE3740 2_2_05AE3740
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE1CC0 2_2_05AE1CC0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE7E08 2_2_05AE7E08
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE8648 2_2_05AE8648
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE0DBB 2_2_05AE0DBB
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE7DF8 2_2_05AE7DF8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE63CC 2_2_05AE63CC
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE0DCD 2_2_05AE0DCD
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE07D3 2_2_05AE07D3
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE3731 2_2_05AE3731
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE7703 2_2_05AE7703
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE1115 2_2_05AE1115
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE1EA3 2_2_05AE1EA3
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE72BC 2_2_05AE72BC
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE1CB0 2_2_05AE1CB0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE7E87 2_2_05AE7E87
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE0E93 2_2_05AE0E93
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE0CF9 2_2_05AE0CF9
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE08D6 2_2_05AE08D6
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE0A2A 2_2_05AE0A2A
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE2414 2_2_05AE2414
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05AE0E6A 2_2_05AE0E6A
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05B5A148 2_2_05B5A148
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05B5AED0 2_2_05B5AED0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05B5EAD0 2_2_05B5EAD0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05B5BE50 2_2_05B5BE50
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_05B5B250 2_2_05B5B250
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_004551A0 3_2_004551A0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_0044F67C 3_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_004551A0 5_2_004551A0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_0044F67C 5_2_0044F67C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_00467976 7_2_00467976
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_0046D13D 7_2_0046D13D
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_004551A0 8_2_004551A0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_0044F67C 8_2_0044F67C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 00467F3C appears 33 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 004264A4 appears 36 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 00413454 appears 32 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 004145C0 appears 40 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 00403648 appears 113 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 0040274C appears 38 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 00404AA4 appears 40 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 0041E128 appears 32 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 0041E918 appears 36 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 00403A14 appears 131 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 0040674C appears 64 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 00403E90 appears 53 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 004043D8 appears 69 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 0040699C appears 52 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 004060E8 appears 40 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 0040C464 appears 72 times
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: String function: 004043B4 appears 309 times
PE file contains strange resources
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: DOC04121993.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: DOC04121993.exe, 00000000.00000002.199905445.0000000002766000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
Source: DOC04121993.exe, 00000000.00000002.198869393.00000000006B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs DOC04121993.exe
Source: DOC04121993.exe Binary or memory string: OriginalFilename vs DOC04121993.exe
Source: DOC04121993.exe, 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
Source: DOC04121993.exe, 00000002.00000002.468977606.00000000059E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs DOC04121993.exe
Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DOC04121993.exe
Source: DOC04121993.exe, 00000003.00000002.224468567.0000000002160000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs DOC04121993.exe
Source: DOC04121993.exe, 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
Source: DOC04121993.exe, 00000005.00000002.226401330.0000000002170000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs DOC04121993.exe
Source: DOC04121993.exe Binary or memory string: OriginalFilename vs DOC04121993.exe
Source: DOC04121993.exe, 00000007.00000001.223556134.00000000004D6000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameyZFlSsyWYLpOIrYUuUqNGPSmFjhfv.exe4 vs DOC04121993.exe
Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.DOC04121993.exe.2690000.3.unpack, DPAPI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.DOC04121993.exe.2690000.3.unpack, DPAPI.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/2@1/1
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00420390 GetLastError,FormatMessageA, 0_2_00420390
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0233B1E6 AdjustTokenPrivileges, 2_2_0233B1E6
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0233B1AF AdjustTokenPrivileges, 2_2_0233B1AF
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00408D0A GetDiskFreeSpaceA, 0_2_00408D0A
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00416B24 FindResourceA,LoadResource,SizeofResource,LockResource, 0_2_00416B24
Source: C:\Windows\SysWOW64\notepad.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
Source: C:\Users\user\Desktop\DOC04121993.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs'
Source: C:\Users\user\Desktop\DOC04121993.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\DOC04121993.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\DOC04121993.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\DOC04121993.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DOC04121993.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\DOC04121993.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DOC04121993.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DOC04121993.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\DOC04121993.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: DOC04121993.exe Virustotal: Detection: 69%
Source: DOC04121993.exe ReversingLabs: Detection: 81%
Source: unknown Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: unknown Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
Source: unknown Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: unknown Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1000 3714343
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs'
Source: unknown Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: unknown Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
Source: unknown Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: unknown Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1956 3726421
Source: C:\Users\user\Desktop\DOC04121993.exe Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
Source: C:\Users\user\Desktop\DOC04121993.exe Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: C:\Users\user\Desktop\DOC04121993.exe Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1000 3714343
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: C:\Users\user\Desktop\DOC04121993.exe Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
Source: C:\Users\user\Desktop\DOC04121993.exe Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: C:\Users\user\Desktop\DOC04121993.exe Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1956 3726421
Source: C:\Users\user\Desktop\DOC04121993.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\DOC04121993.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\DOC04121993.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\DOC04121993.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DOC04121993.exe Unpacked PE file: 2.2.DOC04121993.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\DOC04121993.exe Unpacked PE file: 2.2.DOC04121993.exe.2240000.3.unpack
Source: C:\Users\user\Desktop\DOC04121993.exe Unpacked PE file: 7.2.DOC04121993.exe.2290000.3.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\DOC04121993.exe Unpacked PE file: 2.2.DOC04121993.exe.400000.0.unpack
.NET source code contains potential unpacker
Source: 0.2.DOC04121993.exe.2690000.3.unpack, gtu.cs .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.DOC04121993.exe.2240000.3.unpack, gtu.cs .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.DOC04121993.exe.400000.0.unpack, gtu.cs .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.DOC04121993.exe.9e0000.2.unpack, gtu.cs .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.DOC04121993.exe.21b0000.2.unpack, gtu.cs .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.DOC04121993.exe.2290000.3.unpack, gtu.cs .Net Code: ncv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00446CD4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00447320 push 004473ADh; ret 0_2_004473A5
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00426024 push 00426050h; ret 0_2_00426048
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00428038 push 00428064h; ret 0_2_0042805C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00466080 push 004660ACh; ret 0_2_004660A4
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0040C090 push 0040C20Ch; ret 0_2_0040C204
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0046C150 push 0046C1C6h; ret 0_2_0046C1BE
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00450134 push 0045019Fh; ret 0_2_00450197
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0040C20E push 0040C27Fh; ret 0_2_0040C277
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0040C210 push 0040C27Fh; ret 0_2_0040C277
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004482CC push ecx; mov dword ptr [esp], edx 0_2_004482D0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004262DC push 00426308h; ret 0_2_00426300
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0040C2EE push 0040C31Ch; ret 0_2_0040C314
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0040C2F0 push 0040C31Ch; ret 0_2_0040C314
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0041A288 push ecx; mov dword ptr [esp], edx 0_2_0041A28A
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00410324 push 00410385h; ret 0_2_0041037D
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00410388 push 00410589h; ret 0_2_00410581
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0042646C push 00426498h; ret 0_2_00426490
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0044856C push ecx; mov dword ptr [esp], edx 0_2_00448570
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00470574 push 004705A0h; ret 0_2_00470598
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0041058C push 004106D0h; ret 0_2_004106C8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0040660A push 0040665Dh; ret 0_2_00406655
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0040660C push 0040665Dh; ret 0_2_00406655
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004106A4 push 004106D0h; ret 0_2_004106C8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0043277C push 004327A8h; ret 0_2_004327A0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004067DC push 00406808h; ret 0_2_00406800
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004327EC push 00432818h; ret 0_2_00432810
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004327B4 push 004327E0h; ret 0_2_004327D8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0044884C push 00448878h; ret 0_2_00448870
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00406854 push 00406880h; ret 0_2_00406878
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0043285C push 00432888h; ret 0_2_00432880
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00432824 push 00432850h; ret 0_2_00432848
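Before treating the push/ret list above as control-flow obfuscation, check the arithmetic: in every pair the pushed address is exactly 8 bytes past the ret (0x4473AD - 0x4473A5, 0x426050 - 0x426048, 0x40C20C - 0x40C204, and so on). That is the footprint of the Delphi compiler's try/finally epilogue: `push offset @@exit`, then at the end of the finally block `ret` (1 byte), `jmp @HandleFinally` (E9 rel32, 5 bytes) and a 2-byte `jmp` back into the finally block, with `@@exit` immediately after. The Borland-style CODE/DATA/BSS/.idata/.tls section names of the unpacked image at 0x400000 point the same way, and the `push ecx; mov dword ptr [esp], edx` entries are the Delphi idiom for reserving a stack slot. The signature is a heuristic that fires on any Delphi-built loader, so it identifies the outer layer's compiler rather than deliberate obfuscation. The script below is an added example, not part of the report: it parses lines in the report's format and classifies each push-imm32/ret pair by that delta. The sample input is the report's own lines plus one constructed line (marked as such) showing what a genuine push/ret transfer to an unrelated address looks like; the verdict names and the 0x80-byte "short jump" bound are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample input: push/ret lines copied from the list above, plus one
# constructed line (not from the report) whose push target lies far outside the
# function, the shape a real push/ret-style jump would have.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00447320 push 004473ADh; ret 0_2_004473A5
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00426024 push 00426050h; ret 0_2_00426048
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0040C090 push 0040C20Ch; ret 0_2_0040C204
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0046C150 push 0046C1C6h; ret 0_2_0046C1BE
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00410388 push 00410589h; ret 0_2_00410581
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004482CC push ecx; mov dword ptr [esp], edx 0_2_004482D0
Source: constructed.exe Code function: 0_2_00401000 push 00405000h; ret 0_2_00401005
""".strip().splitlines()

PUSH_RET_RE = re.compile(
    r"Code function: \d+_\d+_(?P<func>[0-9A-Fa-f]{8}) "
    r"push (?P<target>[0-9A-Fa-f]{8})h; ret \d+_\d+_(?P<ret>[0-9A-Fa-f]{8})"
)

# Delphi try/finally epilogue: push offset @@exit ... ret (1 byte),
# jmp @HandleFinally (E9 rel32, 5 bytes), jmp @@finally (EB rel8, 2 bytes), @@exit:
DELPHI_FINALLY_DELTA = 1 + 5 + 2


def classify_push_ret(lines):
    """Return one record per push-imm32/ret pair with the target-minus-ret delta."""
    records = []
    for line in lines:
        m = PUSH_RET_RE.search(line)
        if not m:
            continue  # e.g. "push ecx; mov dword ptr [esp], edx": not a push-imm/ret pair
        func, target, ret = (int(m[k], 16) for k in ("func", "target", "ret"))
        delta = target - ret
        if delta == DELPHI_FINALLY_DELTA:
            verdict = "delphi_try_finally_epilogue"
        elif 0 < delta <= 0x80 and target >= func:
            verdict = "short_forward_jump"      # within-function hop, compiler-generated or benign
        else:
            verdict = "push_ret_transfer"       # returns somewhere else entirely: worth a look
        records.append({"func": func, "target": target, "ret": ret,
                        "delta": delta, "verdict": verdict})
    return records


def verdict_counts(lines):
    return Counter(r["verdict"] for r in classify_push_ret(lines))


if __name__ == "__main__":
    for r in classify_push_ret(SAMPLE_LINES):
        print(f"{r['func']:08X}: push {r['target']:08X} / ret @ {r['ret']:08X} "
              f"delta={r['delta']:+d} -> {r['verdict']}")
    print(dict(verdict_counts(SAMPLE_LINES)))
```

Run it on the full list from the report and every pair lands in the Delphi bucket; a hand-rolled push/ret trampoline shows up as the constructed last line does, with a target that is not a few bytes past the ret.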

Boot Survival:

Drops VBS files to the startup folder
Source: C:\Windows\SysWOW64\notepad.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\SysWOW64\notepad.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
Stores files to the Windows start menu directory
Source: C:\Windows\SysWOW64\notepad.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
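The process-creation entries earlier in this report and the Startup-folder drop above read as one chain rather than isolated events: DOC04121993.exe starts a copy of notepad.exe, re-spawns itself with the numeric arguments `2 1000 3714343` (and `2 1956 3726421` in the second run), the notepad.exe instance writes STARTUP.vbs into the user's Startup folder, which a genuine notepad.exe never does, and wscript.exe then runs that script and relaunches DOC04121993.exe. The script below is an added example, not part of the report, that turns those observations into detection logic: it parses lines in the report's format (the sample is copied from the entries above) and emits one finding per suspicious relationship. The rule names, and the treatment of C:\Users as the user-writable tree and C:\Windows as the system tree, are this example's own choices.

```python
import re

# Constructed sample: process- and file-creation lines copied from this report.
SAMPLE_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: unknown Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs'
Source: C:\Users\user\Desktop\DOC04121993.exe Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
Source: C:\Users\user\Desktop\DOC04121993.exe Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe' 2 1000 3714343
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: C:\Windows\SysWOW64\notepad.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
""".strip().splitlines()

LINE_RE = re.compile(r"^Source: (?P<src>.+?) (?P<kind>Process created|File created): (?P<rest>.+)$")
TOKEN_RE = re.compile(r"'[^']*'|\S+")              # quoted argument or bare token
STARTUP_DIR = "\\start menu\\programs\\startup\\"  # compared case-insensitively
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def under_user_profile(path):   # user-writable tree (assumption: C:\Users)
    return path.lower().startswith("c:\\users\\")


def under_windows(path):        # system tree (assumption: C:\Windows)
    return path.lower().startswith("c:\\windows\\")


def parse(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["kind"] == "Process created":
            tokens = TOKEN_RE.findall(m["rest"])
            # tokens[0] is the image path, tokens[1] is argv[0]; the rest are arguments
            events.append({"kind": "process", "parent": m["src"], "image": tokens[0],
                           "args": [t.strip("'") for t in tokens[2:]]})
        else:
            events.append({"kind": "file", "source": m["src"], "path": m["rest"]})
    return events


def analyze(lines):
    """Return (rule, detail) findings for the suspicious relationships in the log."""
    findings = []
    for ev in parse(lines):
        if ev["kind"] == "file":
            # a system binary writing into the Startup folder: injected host dropping persistence
            if STARTUP_DIR in ev["path"].lower() and under_windows(ev["source"]):
                findings.append(("startup_drop_by_system_binary",
                                 f"{basename(ev['source'])} wrote {basename(ev['path'])}"))
            continue
        parent, image, args = ev["parent"], ev["image"], ev["args"]
        # user-path executable launching a Windows binary: injection/hollowing target
        if under_user_profile(parent) and under_windows(image):
            findings.append(("system_binary_from_user_path", f"{basename(parent)} -> {basename(image)}"))
        # same image re-executed with purely numeric arguments
        if parent.lower() == image.lower() and args and all(a.isdigit() for a in args):
            findings.append(("self_respawn_numeric_args", " ".join(args)))
        # script host executing something from the Startup folder
        if basename(image) in SCRIPT_HOSTS and any(STARTUP_DIR in a.lower() for a in args):
            findings.append(("script_host_from_startup", args[-1]))
        # script host launching a user-path executable: the persistence loop closing
        if basename(parent) in SCRIPT_HOSTS and under_user_profile(image):
            findings.append(("script_host_relaunches_user_binary", basename(image)))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LINES):
        print(f"{rule:40} {detail}")
```

Each rule is weak on its own (developers do spawn notepad.exe, and plenty of installers re-exec themselves), which is why the output is a list of findings per chain rather than a single verdict: the combination of a system binary spawned from a user path, a Startup drop written by that system binary, and a script host relaunching the original executable is the pattern worth alerting on.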

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_0045AB54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_004266A4
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_00442778
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0045B248
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_0045B2F8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_004415EC IsIconic,GetCapture, 0_2_004415EC
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00457C48
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_00441E94
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 3_2_0045AB54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_004266A4
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 3_2_00442778
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 3_2_0045B248
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 3_2_0045B2F8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_004415EC IsIconic,GetCapture, 3_2_004415EC
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 3_2_00457C48
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 3_2_00441E94
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 5_2_0045AB54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect, 5_2_004266A4
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 5_2_00442778
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 5_2_0045B248
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 5_2_0045B2F8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_004415EC IsIconic,GetCapture, 5_2_004415EC
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 5_2_00457C48
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 5_2_00441E94
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_004266A4 IsIconic,GetWindowPlacement,GetWindowRect, 8_2_004266A4
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00442778 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 8_2_00442778
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_0045AB54 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 8_2_0045AB54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_0045B248 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA, 8_2_0045B248
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_0045B2F8 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus, 8_2_0045B2F8
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_004415EC IsIconic,GetCapture, 8_2_004415EC
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00457C48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 8_2_00457C48
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00441E94 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 8_2_00441E94
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00446CD4
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\DOC04121993.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\DOC04121993.exe Process information set: NOOPENFILEERRORBOX (126 occurrences)
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00436808 0_2_00436808
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00436808 3_2_00436808
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00436808 5_2_00436808
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00436808 8_2_00436808
Delayed program exit found
Source: C:\Windows\SysWOW64\notepad.exe Code function: 1_2_00A305C0 Sleep,ExitProcess, 1_2_00A305C0
Source: C:\Windows\SysWOW64\notepad.exe Code function: 6_2_003F05C0 Sleep,ExitProcess, 6_2_003F05C0
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_0045A128
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 3_2_0045A128
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 5_2_0045A128
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 8_2_0045A128
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\DOC04121993.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00436808 8_2_00436808
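Three different things are mixed into this evasion list: WMI inventory queries (Win32_Processor earlier in the report, Win32_BaseBoard and Win32_NetworkAdapterConfiguration here), a VMware device-interface path (Ven_NECVMWar, Prod_VMware) that wscript.exe touched, and timing. Two caveats a triager wants. First, the WMI classes are the same ones stealers read to build a host identifier, so the queries alone do not prove anti-VM logic; the signature titles say "often", not "always". Second, the delay 922337203685477 is not a sleep the sample expects to finish: read in milliseconds (the unit under which the "Thread sleep time" values that follow compare against a 30000 threshold, despite their "s" suffix), it is 2^63 hundred-nanosecond ticks, the relative interval kernel32's SleepEx hands to NtDelayExecution for INFINITE. It is an infinite wait, sleep-skipping does not shorten it, and the 30000 to 119564 values in the "May sleep" list are the ones a 30-second threshold is actually about. The script below is an added example, not part of the report: it parses these lines, separates the infinite sentinel from finite sleeps, and lists the fingerprinting classes and VM markers seen. The class list and vendor markers are this example's own choices.

```python
import re

# 2^63 hundred-nanosecond ticks expressed in milliseconds: the relative interval
# SleepEx passes to NtDelayExecution for INFINITE (0x8000000000000000).
INFINITE_SENTINEL_MS = 2**63 // 10_000          # 922337203685477

# Operator-chosen lists (this example's assumptions, not from the report).
HW_FINGERPRINT_CLASSES = {"Win32_Processor", "Win32_BaseBoard", "Win32_Bios",
                          "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"}
VM_VENDOR_MARKERS = ("vmware", "vbox", "virtualbox", "qemu")

# Constructed sample: evasion-related lines copied from this report.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\DOC04121993.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DOC04121993.exe TID: 1064 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DOC04121993.exe TID: 1064 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\DOC04121993.exe TID: 1064 Thread sleep time: -119564s >= -30000s
""".strip().splitlines()

WMI_RE = re.compile(r"WMI Queries: IWbemServices::\w+ - \S+ : (?P<query>.+)$")
DEVICE_RE = re.compile(r"File opened / queried: (?P<path>\S+)")
SLEEP_RE = re.compile(r"Thread sleep time: -(?P<ms>\d+)s >= -(?P<threshold>\d+)s")
DELAY_RE = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")


def wmi_class(query):
    """'SELECT * FROM Win32_Processor' and bare 'Win32_Processor' both yield the class name."""
    m = re.search(r"\bFROM\s+(\w+)", query, re.IGNORECASE)
    return m.group(1) if m else query.strip()


def triage(lines):
    result = {"fingerprint_classes": [], "vm_artifacts": [],
              "infinite_waits": 0, "finite_sleeps_ms": [], "threshold_ms": None}
    for line in lines:
        if m := WMI_RE.search(line):
            cls = wmi_class(m["query"])
            if cls in HW_FINGERPRINT_CLASSES and cls not in result["fingerprint_classes"]:
                result["fingerprint_classes"].append(cls)
        elif m := DEVICE_RE.search(line):
            if any(v in m["path"].lower() for v in VM_VENDOR_MARKERS):
                result["vm_artifacts"].append(m["path"])
        elif m := (SLEEP_RE.search(line) or DELAY_RE.search(line)):
            ms = int(m["ms"])
            if ms >= INFINITE_SENTINEL_MS:
                result["infinite_waits"] += 1       # Sleep(INFINITE)-style wait, not a timer
            else:
                result["finite_sleeps_ms"].append(ms)
            if "threshold" in m.groupdict():
                result["threshold_ms"] = int(m["threshold"])
    return result


def finite_sleep_seconds(result):
    """Wall-clock the finite sleeps would cost an analysis run that does not skip them."""
    return sum(result["finite_sleeps_ms"]) / 1000


if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    print(r)
    print(f"finite sleep budget: {finite_sleep_seconds(r):.1f} s, infinite waits: {r['infinite_waits']}")
```

Feeding the whole "May sleep" list through `triage` gives the sleep budget a non-accelerating sandbox would have to absorb, while the infinite-wait count tells you how many of the flagged delays are really a thread parked on INFINITE.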
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\DOC04121993.exe TID: 5696 Thread sleep count: 79 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DOC04121993.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\DOC04121993.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h 0_2_00470848
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h 3_2_00470848
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h 5_2_00470848
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00470848 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 00470863h 8_2_00470848
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408978
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00408A78 FindFirstFileA,GetLastError, 0_2_00408A78
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405B54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 3_2_00408978
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00408A78 FindFirstFileA,GetLastError, 3_2_00408A78
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 3_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_00405B54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 5_2_00408978
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00408A78 FindFirstFileA,GetLastError, 5_2_00408A78
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 5_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 5_2_00405B54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00408978 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 8_2_00408978
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00408A78 FindFirstFileA,GetLastError, 8_2_00408A78
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 8_2_00405B54 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 8_2_00405B54
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00420920 GetSystemInfo, 0_2_00420920
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000004.00000002.221090997.0000024201259000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DOC04121993.exe, 00000002.00000002.469094063.0000000005B60000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DOC04121993.exe, 00000002.00000002.468721906.0000000005350000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DOC04121993.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\DOC04121993.exe Process queried: DebugObjectHandle
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_04E33468 LdrInitializeThunk, 2_2_04E33468
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_004696F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_004696F3
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00446CD4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_00446CD4
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0046D412 mov eax, dword ptr fs:[00000030h] 2_2_0046D412
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0046D4D0 mov eax, dword ptr fs:[00000030h] 2_2_0046D4D0
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_0046D412 mov eax, dword ptr fs:[00000030h] 7_2_0046D412
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_0046D4D0 mov eax, dword ptr fs:[00000030h] 7_2_0046D4D0
Enables debug privileges
Source: C:\Users\user\Desktop\DOC04121993.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_004696F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_004696F3
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_00468746 SetUnhandledExceptionFilter, 2_2_00468746
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0046BD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0046BD7F
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_00469BB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00469BB5
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_0046BD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0046BD7F
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_004696F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_004696F3
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 7_2_00469BB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00469BB5
Source: C:\Users\user\Desktop\DOC04121993.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\DOC04121993.exe Memory allocated: C:\Windows\SysWOW64\notepad.exe base: A30000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DOC04121993.exe Memory allocated: C:\Windows\SysWOW64\notepad.exe base: A40000 protect: page read and write
Source: C:\Users\user\Desktop\DOC04121993.exe Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 3F0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DOC04121993.exe Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 600000 protect: page read and write
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\DOC04121993.exe Section loaded: unknown target: C:\Users\user\Desktop\DOC04121993.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DOC04121993.exe Section loaded: unknown target: C:\Users\user\Desktop\DOC04121993.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\DOC04121993.exe Thread APC queued: target process: C:\Windows\SysWOW64\notepad.exe
Writes to foreign memory regions
Source: C:\Users\user\Desktop\DOC04121993.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: A30000
Source: C:\Users\user\Desktop\DOC04121993.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: A40000
Source: C:\Users\user\Desktop\DOC04121993.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: 3F0000
Source: C:\Users\user\Desktop\DOC04121993.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: 600000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DOC04121993.exe Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: C:\Users\user\Desktop\DOC04121993.exe Process created: C:\Users\user\Desktop\DOC04121993.exe 'C:\Users\user\Desktop\DOC04121993.exe'
Source: DOC04121993.exe, 00000002.00000002.464199660.0000000000E30000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: DOC04121993.exe, 00000002.00000002.464199660.0000000000E30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: DOC04121993.exe, 00000002.00000002.464199660.0000000000E30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: DOC04121993.exe, 00000002.00000002.464199660.0000000000E30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405D0C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040AEC4
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA, 0_2_00409B48
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA, 0_2_00409B94
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405E18
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA, 2_2_0046CA4A
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_00405D0C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA,GetACP, 3_2_0040AEC4
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA, 3_2_00409B48
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA, 3_2_00409B94
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_00405E18
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 5_2_00405D0C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA,GetACP, 5_2_0040AEC4
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA, 5_2_00409B48
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA, 5_2_00409B94
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 5_2_00405E18
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA, 7_2_0046CA4A
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA,GetACP, 8_2_0040AEC4
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA, 8_2_00409B48
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetLocaleInfoA, 8_2_00409B94
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 8_2_00405D0C
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 8_2_00405E18
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\DOC04121993.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\DOC04121993.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00470848 GetSystemTime,ExitProcess,73BBB110, 0_2_00470848
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 2_2_0233A502 GetUserNameW, 2_2_0233A502
Source: C:\Users\user\Desktop\DOC04121993.exe Code function: 0_2_00447320 GetVersion, 0_2_00447320
Source: C:\Users\user\Desktop\DOC04121993.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: DOC04121993.exe, 00000000.00000002.198459774.000000000019D000.00000004.00000010.sdmp Binary or memory string: avp.exe

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.229601884.00000000027C5000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.462629290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.464088936.00000000009E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.199767698.0000000002705000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.464255746.0000000002242000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.223712280.0000000000475000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.224265072.0000000002150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.467655668.0000000002A92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.199649349.0000000002692000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.464010082.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.224575545.0000000002292000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000001.223334796.0000000000499000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.224389648.00000000021B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.462860776.0000000000475000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.467418503.00000000029D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.467888799.0000000002B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DOC04121993.exe PID: 1000, type: MEMORY
Source: Yara match File source: Process Memory Space: DOC04121993.exe PID: 2576, type: MEMORY
Source: Yara match File source: Process Memory Space: DOC04121993.exe PID: 5080, type: MEMORY
Source: Yara match File source: Process Memory Space: DOC04121993.exe PID: 1956, type: MEMORY
Source: Yara match File source: 7.2.DOC04121993.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DOC04121993.exe.2240000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DOC04121993.exe.2150000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DOC04121993.exe.980000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DOC04121993.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.1.DOC04121993.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.DOC04121993.exe.2750000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DOC04121993.exe.2150000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DOC04121993.exe.980000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.DOC04121993.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DOC04121993.exe.2690000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DOC04121993.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.DOC04121993.exe.9e0000.2.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\DOC04121993.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\DOC04121993.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\DOC04121993.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\DOC04121993.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\DOC04121993.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\DOC04121993.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\DOC04121993.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\DOC04121993.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: DOC04121993.exe PID: 1000, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: the same 16 memory dumps, four process memory spaces (DOC04121993.exe PIDs 1000, 2576, 5080 and 1956) and 13 unpacked PE files listed under the Yara detected AgentTesla signature above
Behavior Graph ID: 321396, Sample: DOC04121993.exe, Startdate: 21/11/2020, Architecture: WINDOWS, Score: 100

Signatures attached to the sample itself: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 4 other signatures

Process tree (children listed under their parent; signatures, network and file activity are attributed to the process that produced them):

DOC04121993.exe (initial process)
    Detected unpacking (changes PE section rights); Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); 7 other signatures
    +- DOC04121993.exe (4 created files)
    |      Network: hybridgroupco.com 66.70.204.222, ports 49731, 587 (OVHFR, Canada); mail.hybridgroupco.com
    |      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    +- notepad.exe (1 created file)
    |      Drops VBS files to the startup folder; Delayed program exit found
    +- DOC04121993.exe

wscript.exe (1 created file; second start node, i.e. the persistence re-launch)
    +- DOC04121993.exe
           Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process
           +- notepad.exe (1 created file)
           |      Dropped: C:\Users\user\AppData\Roaming\...\STARTUP.vbs (ASCII)
           +- DOC04121993.exe
           +- DOC04121993.exe
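The credential-store accesses listed under the stealing signatures and the two behaviours the graph attributes to the injected processes (SMTP submission to mail.hybridgroupco.com on port 587, a .vbs dropped into the Startup folder) translate directly into host-based detection logic. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it runs three checks over a constructed event stream. The event records, PIDs, the mail-client allowlist and the full Startup-folder path (the report truncates it) are assumptions made for illustration.

```python
"""Host-based checks for the behaviours this report attributes to the sample.

Added example, not part of the Joe Sandbox report. The event records below
are constructed for illustration (field names loosely follow Sysmon
file/registry/network events; PIDs are made up).
"""
from collections import defaultdict

# Credential stores the report shows the sample opening, grouped by the
# application type they belong to. Matched case-insensitively as substrings.
CREDENTIAL_STORES = {
    "browser": [r"\mozilla\firefox\profiles.ini",
                r"\google\chrome\user data\default\login data"],
    "ftp":     [r"\filezilla\recentservers.xml",
                r"\smartftp\client 2.0\favorites\quick connect"],
    "mail":    [r"\thunderbird\profiles.ini",
                r"\windows messaging subsystem\profiles\outlook",
                r"\incredimail\identities"],
    "winscp":  [r"\martin prikryl\winscp 2\sessions"],
}
MIN_CATEGORIES = 2          # one PID touching >= 2 categories is suspicious
SMTP_SUBMISSION_PORT = 587  # port the sample used to reach mail.hybridgroupco.com
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: local allowlist
# Assumption: the standard per-user Startup folder (the report truncates the path).
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"


def store_category(target):
    """Map a file path or registry key to a credential-store category, or None."""
    t = target.lower()
    for category, needles in CREDENTIAL_STORES.items():
        if any(n in t for n in needles):
            return category
    return None


def analyze(events):
    """Return {pid: [finding, ...]} for every process that trips a rule."""
    categories = defaultdict(set)   # pid -> credential-store categories touched
    findings = defaultdict(list)
    for ev in events:
        pid = ev["pid"]
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if ev["type"] in ("file_open", "reg_open"):
            cat = store_category(ev["target"])
            if cat:
                categories[pid].add(cat)
        elif ev["type"] == "net_connect":
            # Mail submission from anything that is not a mail client.
            if ev["dst_port"] == SMTP_SUBMISSION_PORT and image not in MAIL_CLIENTS:
                findings[pid].append(
                    f"smtp_submission:{image}->{ev['dst']}:{ev['dst_port']}")
        elif ev["type"] == "file_create":
            t = ev["target"].lower()
            if STARTUP_DIR in t and t.endswith(".vbs"):
                findings[pid].append(f"startup_vbs:{ev['target']}")
    # Credential harvesting shows as breadth across applications, not one file.
    for pid, cats in categories.items():
        if len(cats) >= MIN_CATEGORIES:
            findings[pid].append("credential_stores:" + ",".join(sorted(cats)))
    return dict(findings)


# Constructed sample: one stealer process, one injected notepad.exe, and one
# legitimate mail client that reads its own profile and must not be flagged.
SAMPLE = r"C:\Users\user\Desktop\DOC04121993.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
TBIRD = r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
SAMPLE_EVENTS = [
    {"pid": 4321, "image": SAMPLE, "type": "reg_open",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"pid": 4321, "image": SAMPLE, "type": "file_open",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 4321, "image": SAMPLE, "type": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4321, "image": SAMPLE, "type": "file_open",
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 4321, "image": SAMPLE, "type": "file_open",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 4321, "image": SAMPLE, "type": "net_connect",
     "dst": "66.70.204.222", "dst_port": 587},
    {"pid": 8765, "image": NOTEPAD, "type": "file_create",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs"},
    {"pid": 4100, "image": TBIRD, "type": "file_open",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 4100, "image": TBIRD, "type": "net_connect",
     "dst": "smtp.example.net", "dst_port": 587},
]

if __name__ == "__main__":
    for pid, hits in analyze(SAMPLE_EVENTS).items():
        print(pid, *hits, sep="\n  ")
```

The credential check deliberately keys on breadth (several unrelated applications' stores touched by one PID) rather than on any single path, since a browser or mail client legitimately opens its own profile; the SMTP check pairs the destination port with an image allowlist for the same reason.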

Contacted Public IPs

IP             Domain   Country  ASN    ASN Name  Malicious
66.70.204.222  unknown  Canada   16276  OVHFR     true

Contacted Domains

Name IP Active
hybridgroupco.com 66.70.204.222 true
mail.hybridgroupco.com unknown unknown