Analysis Report gVz4ueFL8n.bin

Overview

General Information

Sample Name: gVz4ueFL8n.bin (renamed file extension from bin to exe)
Analysis ID: 321427
MD5: 0e285f30f30dedd812295d2408f4b84c
SHA1: 24e8a7a0b9fdf929e6cc4b52b0470bf4f7b6f244
SHA256: d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95
Tags: Revilsodinokibi

Detection

Sodinokibi
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: gVz4ueFL8n.exe Avira: detected
Found malware configuration
Source: gVz4ueFL8n.exe.5916.0.memstr Malware Configuration Extractor: Sodinokibi {"prc": ["firefox", "oracle", "visio", "xfssvccon", "steam", "winword", "mspub", "isqlplussvc", "ocssd", "ocautoupds", "mydesktopqos", "outlook", "dbeng50", "sql", "agntsvc", "tbirdconfig", "encsvc", "thebat", "synctime", "onenote", "mydesktopservice", "thunderbird", "excel", "powerpnt", "dbsnmp", "sqbcoreservice", "ocomm", "infopath", "wordpad", "msaccess"], "sub": "5891", "svc": ["veeam", "vss", "backup", "sophos", "svc$", "mepocs", "memtas", "sql"], "wht": {"ext": ["msc", "mpa", "hta", "ani", "themepack", "com", "ps1", "icl", "dll", "ldf", "ocx", "lnk", "theme", "nls", "386", "cmd", "wpx", "diagcfg", "cur", "prf", "ico", "nomedia", "sys", "bat", "exe", "deskthemepack", "spl", "shs", "hlp", "rtp", "msp", "scr", "ics", "key", "msstyles", "mod", "cab", "diagcab", "adv", "rom", "drv", "bin", "msi", "idx", "cpl", "diagpkg", "msu", "icns", "lock"], "fls": ["boot.ini", "bootsect.bak", "bootfont.bin", "ntuser.ini", "iconcache.db", "ntuser.dat.log", "desktop.ini", "autorun.inf", "thumbs.db", "ntuser.dat", "ntldr"], "fld": ["system volume information", "program files (x86)", "mozilla", "application data", "windows.old", "msocache", "appdata", "$recycle.bin", "$windows.~ws", "program files", "windows", "programdata", "google", "tor browser", "perflogs", "boot", "intel", "$windows.~bt"]}, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": 
"notmissingout.com;employeesurveys.com;delchacay.com.ar;sw1m.ru;sofavietxinh.com;samnewbyjax.com;pawsuppetlovers.com;panelsandwichmadrid.es;frontierweldingllc.com;antenanavi.com;nokesvilledentistry.com;partnertaxi.sk;tomaso.gr;levihotelspa.fi;myhealth.net.au;midmohandyman.com;kirkepartner.dk;zewatchers.com;lapmangfpt.info.vn;purposeadvisorsolutions.com;fitnessbazaar.com;brigitte-erler.com;lescomtesdemean.be;supportsumba.nl;deltacleta.cat;mastertechengineering.com;dontpassthepepper.com;apprendrelaudit.com;whittier5k.com;ladelirante.fr;mariposapropaneaz.com;nsec.se;shsthepapercut.com;adoptioperheet.fi;labobit.it;retroearthstudio.com;ahouseforlease.com;greenfieldoptimaldentalcare.com;renergysolution.com;xtptrack.com;sandd.nl;euro-trend.pl;christ-michael.net;bigasgrup.com;plv.media;wacochamber.com;jyzdesign.com;facettenreich27.de;echtveilig.nl;mbxvii.com;igfap.com;noskierrenteria.com;strategicstatements.com;itelagen.com;burkert-ideenreich.de;cleliaekiko.online;baronloan.org;slwgs.org;wolf-glas-und-kunst.de;hardinggroup.com;mousepad-direkt.de;4youbeautysalon.com;suncrestcabinets.ca;zzyjtsgls.com;commercialboatbuilding.com;stemenstilte.nl;maasreusel.nl;bloggyboulga.net;vitavia.lt;skanah.com;autodujos.lt;leoben.at;filmstreamingvfcomplet.be;mediaplayertest.net;travelffeine.com;ungsvenskarna.se;securityfmm.com;rushhourappliances.com;ziegler-praezisionsteile.de;drinkseed.com;live-your-life.jp;deko4you.at;comarenterprises.com;despedidascosta
Multi AV Scanner detection for submitted file
Source: gVz4ueFL8n.exe Virustotal: Detection: 69%
Source: gVz4ueFL8n.exe Metadefender: Detection: 48%
Source: gVz4ueFL8n.exe ReversingLabs: Detection: 72%
Machine Learning detection for sample
Source: gVz4ueFL8n.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC549C CryptAcquireContextW,CryptGenRandom, 0_2_00DC549C
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC5D90 CryptBinaryToStringW,CryptBinaryToStringW, 0_2_00DC5D90
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC5D2F CryptStringToBinaryW,CryptStringToBinaryW, 0_2_00DC5D2F

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: z:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: x:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: v:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: t:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: r:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: p:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: n:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: l:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: j:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: h:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: f:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: d:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: b:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: y:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: w:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: u:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: s:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: q:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: o:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: m:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: k:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: i:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: g:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: e:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: c:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File opened: a:
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC766A FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00DC766A

Networking:

Found Tor onion address
Source: gVz4ueFL8n.exe, 00000000.00000003.421781625.00000000031DA000.00000004.00000040.sdmp String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/44BE4C1AA85AD2C1
Source: gVz4ueFL8n.exe, 00000000.00000003.377775643.00000000031EF000.00000004.00000040.sdmp String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
Source: 3pp6h54-readme.txt34.0.dr String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/44BE4C1AA85AD2C1
Source: gVz4ueFL8n.exe, 00000000.00000003.377775643.00000000031EF000.00000004.00000040.sdmp String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
Source: gVz4ueFL8n.exe, 00000000.00000003.421781625.00000000031DA000.00000004.00000040.sdmp, 3pp6h54-readme.txt34.0.dr String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/44BE4C1AA85AD2C1
Source: gVz4ueFL8n.exe, 00000000.00000003.377775643.00000000031EF000.00000004.00000040.sdmp String found in binary or memory: http://decryptor.cc/
Source: gVz4ueFL8n.exe, 00000000.00000003.421781625.00000000031DA000.00000004.00000040.sdmp, 3pp6h54-readme.txt34.0.dr String found in binary or memory: http://decryptor.cc/44BE4C1AA85AD2C1
Source: gVz4ueFL8n.exe, 00000000.00000003.421781625.00000000031DA000.00000004.00000040.sdmp, 3pp6h54-readme.txt34.0.dr String found in binary or memory: https://torproject.org/

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
Source: C:\3pp6h54-readme.txt Dropped file: ---=== Welcome. Again. ===---[+] Whats Happen? [+]Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 3pp6h54.By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.[+] How to get access on website? [+]You have two ways:1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/44BE4C1AA85AD2C12) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/44BE4C1AA85AD2C1Warning: secondary website can be blocked, thats why first variant much b
Yara detected Sodinokibi Ransomware
Source: Yara match File source: 00000000.00000003.202573050.00000000031CF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.202518189.00000000031CF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gVz4ueFL8n.exe PID: 5916, type: MEMORY
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ.pdf
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File deleted: C:\Users\user\Desktop\QNCYCDFIJJ.pdf
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File deleted: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File moved: C:\Users\user\Desktop\QCFWYSKMHA\EEGWXUHVUG.pdf

System Summary:

Contains functionality to delete services
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC3B6E OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle, 0_2_00DC3B6E
Detected potential crypto function
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DCB7A2 0_2_00DCB7A2
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC8AF8 0_2_00DC8AF8
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC85D5 0_2_00DC85D5
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC8377 0_2_00DC8377
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DCAB0D 0_2_00DCAB0D
Sample file is different than original file name gathered from version info
Source: gVz4ueFL8n.exe, 00000000.00000002.421914322.0000000000D70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamempr.dll.muij% vs gVz4ueFL8n.exe
Yara signature match
Source: gVz4ueFL8n.exe, type: SAMPLE Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
Source: 00000000.00000002.421931885.0000000000DC1000.00000020.00020000.sdmp, type: MEMORY Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
Source: 00000000.00000000.202262320.0000000000DC1000.00000020.00020000.sdmp, type: MEMORY Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
Source: 0.2.gVz4ueFL8n.exe.dc0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
Source: 0.0.gVz4ueFL8n.exe.dc0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
Source: classification engine Classification label: mal96.rans.evad.winEXE@2/207@0/0
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC4CD4 GetDriveTypeW,GetDiskFreeSpaceExW, 0_2_00DC4CD4
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC5425 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, 0_2_00DC5425
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\program files\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\C67C4A76-40FA-FD1C-B814-F8203DB0F283
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: C:\Users\user\AppData\Local\Temp\539.bmp
Source: gVz4ueFL8n.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: gVz4ueFL8n.exe Virustotal: Detection: 69%
Source: gVz4ueFL8n.exe Metadefender: Detection: 48%
Source: gVz4ueFL8n.exe ReversingLabs: Detection: 72%
Source: unknown Process created: C:\Users\user\Desktop\gVz4ueFL8n.exe 'C:\Users\user\Desktop\gVz4ueFL8n.exe'
Source: unknown Process created: C:\Windows\System32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Directory created: c:\program files\3pp6h54-readme.txt

Data Obfuscation:

PE file contains sections with non-standard names
Source: gVz4ueFL8n.exe Static PE information: section name: .axh
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DD30F8 pushfd ; ret 0_2_00DD30FE
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: C:\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\program files\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\program files (x86)\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\recovery\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\program files (x86)\microsoft sql server\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\default\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\public\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\program files (x86)\microsoft sql server\110\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\default\desktop\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\default\documents\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\default\downloads\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\default\favorites\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\default\links\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\default\music\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\default\pictures\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\default\saved games\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\default\videos\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\3d objects\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\contacts\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\downloads\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\favorites\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\links\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\music\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\onedrive\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\pictures\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\recent\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\saved games\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\searches\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\videos\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\public\accountpictures\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\public\desktop\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\public\documents\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\public\downloads\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\public\libraries\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\public\music\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\public\pictures\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\public\videos\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\program files (x86)\microsoft sql server\110\shared\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\bnagmgsplo\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\czqksddmwr\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\eowrvpqccs\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\klizusiqen\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\lijdsfkjzg\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\palrgucveh\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\pivfageaav\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\pwccawlgre\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\qcfwyskmha\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\qcoiloqikc\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\qncycdfijj\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\desktop\zqixmvqgah\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\bnagmgsplo\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\czqksddmwr\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\eowrvpqccs\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\gaobcviqij\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\klizusiqen\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\lijdsfkjzg\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\palrgucveh\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\pwccawlgre\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\qcfwyskmha\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\qcoiloqikc\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\qncycdfijj\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\documents\sqsjkebwdt\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\favorites\links\3pp6h54-readme.txt
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File created: c:\users\user\pictures\camera roll\3pp6h54-readme.txt

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC595D 0_2_00DC595D
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC58B3 rdtsc 0_2_00DC58B3
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle, 0_2_00DC3B6E
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Window / User API: threadDelayed 9999
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe TID: 5920 Thread sleep count: 9999 > 30
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC766A FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00DC766A
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC53F1 GetSystemInfo, 0_2_00DC53F1
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC58B3 rdtsc 0_2_00DC58B3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC5083 mov eax, dword ptr fs:[00000030h] 0_2_00DC5083
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC5408 mov ecx, dword ptr fs:[00000030h] 0_2_00DC5408
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC494C HeapCreate,GetProcessHeap, 0_2_00DC494C
Enables debug privileges
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: OpenProcess,QueryFullProcessImageNameW,PathFindFileNameW, svchost.exe 0_2_00DC4B05
Source: unsecapp.exe, 00000009.00000002.467619289.000001A3A5C30000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: unsecapp.exe, 00000009.00000002.467619289.000001A3A5C30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: unsecapp.exe, 00000009.00000002.467619289.000001A3A5C30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: unsecapp.exe, 00000009.00000002.467619289.000001A3A5C30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC4C25 cpuid 0_2_00DC4C25
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\gVz4ueFL8n.exe Code function: 0_2_00DC5126 GetUserNameW, 0_2_00DC5126