Analysis Report 31.exe

Overview

General Information

Sample Name: 31.exe
Analysis ID: 321991
MD5: af8e86c5d4198549f6375df9378f983c
SHA1: 7ab5ed449b891bd4899fba62d027a2cc26a05e6f
SHA256: 7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267

Detection

Ursnif, AgentTesla, FormBook, Wadhrama
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Yara detected Ursnif
Yara detected AgentTesla
Yara detected FormBook
Yara detected Wadhrama Ransomware
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Contains functionality to hide a thread from the debugger
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates files in the recycle bin to hide itself
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes registry values via WMI
Yara detected Allatori_JAR_Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses cacls to modify the permissions of files
Uses reg.exe to modify the Windows registry
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match
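Several of the signatures above ("Detected unpacking (changes PE section rights)", "Detected unpacking (overwrites its own PE header)", "PE file contains sections with non-standard names") are dynamic observations made while the sample ran. The static counterpart a triage analyst usually wants is a look at the section table of the submitted file and of each dropped PE before execution: sections that are both writable and executable, sections with no data on disk but a large virtual size, and names no mainstream linker emits are the usual fingerprints of a crypter stub. The following is an added example written for this page, not output of the sandbox and not code from the report; it parses the section table with only the standard library and runs over a constructed header-only PE32 image (the layout, including the section name "pckd0", is invented for the demonstration).

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names emitted by mainstream compilers/linkers; anything else deserves a look.
STANDARD_SECTION_NAMES = {
    ".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
    ".reloc", ".tls", ".pdata", ".xdata", ".CRT", ".debug",
}


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name, vsize, va, raw_size, raw_ptr, _rel, _ln, _nrel, _nln, chars = fields
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars,
        })
    return sections


def audit_sections(sections: list) -> list:
    """Return (section_name, reason) pairs for headers typical of packed binaries."""
    findings = []
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append((s["name"], "writable and executable (self-modifying / unpacker stub)"))
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings.append((s["name"], "non-standard section name"))
        if c & IMAGE_SCN_MEM_EXECUTE and s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "executable section empty on disk (filled at runtime)"))
    return findings


def build_sample_pe(layout: list) -> bytes:
    """Construct a header-only PE32 image for testing; not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt_size = 0xE0                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    headers = bytearray()
    va, raw = 0x1000, 0x400
    for name, vsize, raw_size, chars in layout:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               vsize, va, raw_size, raw if raw_size else 0, 0, 0, 0, 0, chars)
        va += (vsize + 0xFFF) & ~0xFFF                # next section on a page boundary
        raw += raw_size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(headers)


# Constructed layout mimicking a packed binary: the unpacker stub sits in a
# writable+executable, oddly named section ("pckd0", invented) with no data on disk.
SAMPLE_PE = build_sample_pe([
    (".text", 0x2000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", 0x800, 0x800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", 0x1000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("pckd0", 0x8000, 0x0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x400, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for name, reason in audit_sections(parse_sections(SAMPLE_PE)):
        print(f"{name:<8} {reason}")
```

Run it against a real file with parse_sections(open(path, "rb").read()). A clean table does not prove the file is benign: the sandbox's "changes PE section rights" signature fires on a runtime VirtualProtect call, which this static check cannot see, so the two complement each other.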

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 31.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\10.exe Avira: detection malicious, Label: TR/Kryptik.pwjxv
Source: C:\Users\user\AppData\Roaming\2.exe Avira: detection malicious, Label: DR/Delphi.vmrvj
Source: C:\Users\user\AppData\Roaming\21.exe Avira: detection malicious, Label: TR/AD.AgentTesla.vbfpc
Source: C:\Users\user\AppData\Roaming\12.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Roaming\17.exe Avira: detection malicious, Label: TR/AD.StellarStealer.cqjpr
Source: C:\Users\user\AppData\Roaming\20.exe Avira: detection malicious, Label: TR/AD.VBCryptor.fqgod
Source: C:\Users\user\AppData\Roaming\22.exe Avira: detection malicious, Label: TR/Dropper.MSIL.nkkbi
Source: C:\Users\user\AppData\Roaming\19.exe Avira: detection malicious, Label: TR/AD.VBCryptor.dplvu
Source: C:\Users\user\AppData\Roaming\14.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.zbsyd
Source: C:\Users\user\AppData\Roaming\13.exe Avira: detection malicious, Label: TR/AD.VBCryptor.zlvmk
Source: C:\Users\user\AppData\Roaming\18.exe Avira: detection malicious, Label: TR/AD.Swotter.pxvkb
Source: C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe Avira: detection malicious, Label: TR/AD.VBCryptor.zlvmk
Source: C:\Users\user\AppData\Roaming\16.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\15.exe Avira: detection malicious, Label: TR/AD.VBCryptor.qvkoq
Source: C:\Users\user\AppData\Roaming\11.exe Avira: detection malicious, Label: TR/AD.Swotter.vtqjg
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe Metadefender: Detection: 81%
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\10.exe Metadefender: Detection: 27%
Source: C:\Users\user\AppData\Roaming\10.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\11.exe Metadefender: Detection: 60%
Source: C:\Users\user\AppData\Roaming\11.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\12.exe Metadefender: Detection: 51%
Source: C:\Users\user\AppData\Roaming\12.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\13.exe Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Roaming\13.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\14.exe Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Roaming\14.exe ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Roaming\15.exe Metadefender: Detection: 16%
Source: C:\Users\user\AppData\Roaming\15.exe ReversingLabs: Detection: 86%
Multi AV Scanner detection for submitted file
Source: 31.exe Virustotal: Detection: 74%
Source: 31.exe Metadefender: Detection: 21%
Source: 31.exe ReversingLabs: Detection: 77%
Yara detected FormBook
Source: Yara match File source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\10.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\2.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\12.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\17.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\22.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\14.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\18.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\16.exe Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\11.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.2.exe.26d0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.7.exe.400000.0.unpack Avira: Label: TR/AD.VBCryptor.cciav
Source: 4.2.2.exe.23f0000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.0.13.exe.400000.0.unpack Avira: Label: TR/AD.VBCryptor.zlvmk
Source: 24.0.13.exe.400000.0.unpack Avira: Label: TR/AD.VBCryptor.zlvmk
Source: 28.0.15.exe.400000.0.unpack Avira: Label: TR/AD.VBCryptor.qvkoq
Source: 6.0.3.exe.400000.0.unpack Avira: Label: TR/AD.VBCryptor.ulxin
Source: 22.2.12.exe.fd0000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 12.2.6.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 22.0.12.exe.fd0000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 12.0.6.exe.400000.0.unpack Avira: Label: TR/AD.UrsnifDropper.xapkh
Source: 18.2.2.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.3.exe.400000.0.unpack Avira: Label: TR/AD.VBCryptor.ulxin
Source: 36.2.13.exe.22c0000.0.unpack Avira: Label: TR/AD.VBCryptor.zlvmk
Source: 18.1.2.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 31.0.16.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 31.2.16.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00408420 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 4_2_00408420
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004050AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_004050AC

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4x nop then cmp word ptr [ebp-00000128h], 07E0h 4_2_0045E4B0
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4x nop then movzx eax, word ptr [ebp-00000126h] 4_2_0045E4B0
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 5x nop then clc 13_2_020C2532
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 6x nop then clc 13_2_020C2574
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 5x nop then clc 13_2_020C2574
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 4x nop then pushad 13_2_020C2574
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 4x nop then mov eax, 00000539h 13_2_020C25A1

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.225.248
Source: Joe Sandbox View IP Address: 104.20.22.46
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View JA3 fingerprint: d2935c58fe676744fecc8614ee5356c7
Source: unknown DNS traffic detected: queries for: nodejs.org
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://0.tqn.com/w/experts/Venereal-Diseases-2106/2011/12/glossy-spot-penis.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://0.tqn.com/w/experts/Venereal-Diseases-2106/2011/12/penis-rash.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://0.tqn.com/w/experts/Venereal-Diseases-2106/2011/12/penis-spot_3.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://0.tqn.com/w/experts/Venereal-Diseases-2106/2012/01/inflamed-penis-lips.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://0.tqn.com/w/experts/Venereal-Diseases-2106/2012/02/penis-pubic-area.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://0.tqn.com/w/experts/Venereal-Diseases-2106/2012/02/penis_52.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://0.tqn.com/w/experts/Venereal-Diseases-2106/2012/06/penis-bumps_5.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://0.tqn.com/w/experts/Venereal-Diseases-2106/2013/03/penis-image-1.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://25.media.tumblr.com/75120c9da3c7b904df34a194c3e2743a/tumblr_mi5079TNHE1qktt95o1_500.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://b.vimeocdn.com/ts/433/181/433181005_640.jpg
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://i.imgur.com/MXfKOl.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://i.imgur.com/tbnq3.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://i845.photobucket.com/albums/ab17/mtgman123/Herpes-On-Penis-6_zpsfd9dc212.jpg
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://origin-ars.els-cdn.com/content/image/1-s2.0-S019096220501488X-gr5.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://thebigredapple.net/wp-content/uploads/2009/07/scott_reeder_american_dick.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://thi.uloz.to/a/9/1/a91a3952080abe8277b7e881d9651ff5.640x360.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://upload.wikimedia.org/wikipedia/commons/0/0d/Penis_ultra06.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://upload.wikimedia.org/wikipedia/commons/1/14/Erect_penis3.png
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://upload.wikimedia.org/wikipedia/commons/2/2c/Normal_erect_penis.JPG
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://upload.wikimedia.org/wikipedia/commons/c/cd/Human_Penis.png
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://www.dermnet.com/dn2/allJPG3/Lichen-Sclerosus-Penis-37.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://www.genitalsurgerybelgrade.com/admin/uploads/Outcome_after_penile_reconstruction.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://www.genitalsurgerybelgrade.com/admin/uploads/Penile_carcinoma1_001.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://www.genitalsurgerybelgrade.com/admin/uploads/Penile_carcinoma2_001.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://www.genitalsurgerybelgrade.com/admin/uploads/Penile_carcinoma3_001.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://www.meatspin.com
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://www.pegym.com/forums/members/vikingman-albums-my-penis-before-i-start-jp90-picture17193-still
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://www.pegym.com/wp-content/uploads/2013/05/HappyPenis1.jpg
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://www.photosez.com/images/challenges/answers/1853/f41ee1953a2d72b1d9fdda355e3405d9_00000000-000
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp String found in binary or memory: http://www.xnview.comJ
Source: 31.exe, 00000000.00000003.244498242.0000000003BDB000.00000004.00000001.sdmp String found in binary or memory: http://xaf.xanga.com/54be253506d37284803879/z227269259.jpg
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0B
Source: 6.exe String found in binary or memory: https://sibelikinciel.xyz
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
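The Networking section mixes indicators of very different quality. Only the two IP addresses, the DNS query for nodejs.org and the TLS flows were actually observed on the wire; everything labelled "String found in binary or memory" is a string carved from process memory and was never contacted during the run. Within those strings, the crl.*, crt.*, ocsp.* and /CPS URLs come from the Authenticode certificate chain of the signed binary and are benign infrastructure, and their odd tails ("crl0s", "com0", "CPS0B") are the DER tag and length bytes that follow each URL inside the certificate, not part of the address. The following is an added example for this page, not part of the report, that sorts the indicators into those buckets before anyone pastes them into a blocklist. The input lines are a subset copied from this report; the bucket names and the DER-residue heuristic are this example's own.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"String found in binary or memory: (\S+)")
DNS_RE = re.compile(r"DNS traffic detected: queries for: (\S+)")
IP_RE = re.compile(r"IP Address: (\d{1,3}(?:\.\d{1,3}){3})")
JA3_RE = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")
# A '0' plus at most one byte glued to a CRL/OCSP/CPS URL is the DER tag/length
# that follows the string inside the Authenticode certificate, not part of the URL.
DER_RESIDUE_RE = re.compile(r"(\.crl|\.crt|\.com|\.net|\.org|/CPS)0[^/]?$")
CERT_HOST_RE = re.compile(r"^(crl|crt|ocsp)\d*\.", re.IGNORECASE)

# Constructed subset of this report's Networking lines (copied from the page).
REPORT_LINES = [
    "Source: Joe Sandbox View IP Address: 195.201.225.248 195.201.225.248",
    "Source: Joe Sandbox View IP Address: 104.20.22.46 104.20.22.46",
    "Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877",
    "Source: Joe Sandbox View JA3 fingerprint: d2935c58fe676744fecc8614ee5356c7",
    "Source: unknown DNS traffic detected: queries for: nodejs.org",
    "Source: 31.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s",
    "Source: 31.exe String found in binary or memory: http://ocsp.comodoca.com0",
    "Source: 31.exe String found in binary or memory: https://sectigo.com/CPS0B",
    "Source: 31.exe String found in binary or memory: http://i.imgur.com/tbnq3.jpg",
    "Source: 31.exe String found in binary or memory: http://b.vimeocdn.com/ts/433/181/433181005_640.jpg",
    "Source: 6.exe String found in binary or memory: https://sibelikinciel.xyz",
]


def strip_der_residue(url: str) -> str:
    """Drop the trailing DER bytes that string extraction glues onto certificate URLs."""
    return DER_RESIDUE_RE.sub(r"\1", url)


def classify_url(url: str) -> str:
    """Certificate-chain URLs are benign infrastructure; everything else is unverified."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if CERT_HOST_RE.match(host) or parts.path.rstrip("/").endswith("/CPS"):
        return "certificate_infrastructure"
    return "memory_string_only"


def _add(bucket: list, value: str) -> None:
    """Append while preserving order and dropping duplicates."""
    if value not in bucket:
        bucket.append(value)


def triage(lines: list) -> dict:
    """Bucket every indicator by how much evidence the report gives for it."""
    out = {"observed_ip": [], "observed_dns": [], "ja3": [],
           "certificate_infrastructure": [], "memory_string_only": []}
    for line in lines:
        if m := IP_RE.search(line):
            _add(out["observed_ip"], m.group(1))
        elif m := DNS_RE.search(line):
            _add(out["observed_dns"], m.group(1))
        elif m := JA3_RE.search(line):
            _add(out["ja3"], m.group(1))
        elif m := URL_RE.search(line):
            url = strip_der_residue(m.group(1))
            _add(out[classify_url(url)], url)
    return out


def blocklist_hosts(result: dict) -> list:
    """Candidate watchlist: observed infrastructure first, then unverified memory-only hosts."""
    hosts = list(result["observed_ip"]) + list(result["observed_dns"])
    for url in result["memory_string_only"]:
        _add(hosts, urlsplit(url).hostname or url)
    return hosts


if __name__ == "__main__":
    for bucket, values in triage(REPORT_LINES).items():
        print(bucket, values)
```

Even the "observed" bucket needs a human decision: nodejs.org is a legitimate public site and the JA3 hashes identify a TLS client library, not a server, so neither belongs on a blocklist by itself. The memory-only hosts are the ones to look up in your own proxy logs rather than block blindly.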

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.265066076.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.287963750.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280169669.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.268420361.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.262475690.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.283048211.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.277448460.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.276697801.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.264167632.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.271016364.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.279389121.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.289988537.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.285704890.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.290870908.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.286159622.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.284449736.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.278795874.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.286615752.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.278137679.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280976286.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.289104670.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.266254092.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.285038700.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.288532255.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.283836994.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.281810104.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.276068079.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.287218753.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.261275471.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.282519580.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6.exe PID: 6288, type: MEMORY
Contains functionality to log keystrokes (.Net Source)
Source: 9.0.5.exe.2e0000.0.unpack, WindowsLocalHostProcess.cs .Net Code: SetHook
Source: 9.2.5.exe.2e0000.0.unpack, WindowsLocalHostProcess.cs .Net Code: SetHook
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00420D5C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 4_2_00420D5C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0043D010 GetKeyboardState, 4_2_0043D010

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.265066076.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.287963750.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280169669.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.268420361.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.262475690.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.283048211.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.277448460.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.276697801.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.264167632.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.271016364.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.279389121.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.289988537.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.285704890.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.290870908.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.286159622.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.284449736.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.278795874.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.286615752.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.278137679.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280976286.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.289104670.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.266254092.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.285038700.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.288532255.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.283836994.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.281810104.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.276068079.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.287218753.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.261275471.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.282519580.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6.exe PID: 6288, type: MEMORY
Yara detected FormBook
Source: Yara match File source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Wadhrama Ransomware
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\16.exe, type: DROPPED
Source: Yara match File source: 31.0.16.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.16.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.244904275.00000000037FB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000003.245364175.0000000003820000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000000.00000003.243963950.00000000037E6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\16.exe, type: DROPPED Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 31.0.16.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 31.2.16.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Wadhrama Ransomware via Imphash Author: Florian Roth
Source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: feeed.exe.15.dr, iKu002a.cs Large array initialization: Y%i: array initializer size 58880
Source: 15.2.8.exe.7e0000.0.unpack, iKu002a.cs Large array initialization: Y%i: array initializer size 58880
Source: 15.0.8.exe.7e0000.0.unpack, iKu002a.cs Large array initialization: Y%i: array initializer size 58880
Writes registry values via WMI
Source: C:\Users\user\AppData\Roaming\6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Roaming\6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Roaming\6.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00462850 NtCreateSection, 4_2_00462850
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045AAF4 NtdllDefWindowProc_A, 4_2_0045AAF4
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045B29C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_0045B29C
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045B34C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_0045B34C
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00429DF8 NtdllDefWindowProc_A, 4_2_00429DF8
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0044FE20 GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 4_2_0044FE20
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0043FF8C NtdllDefWindowProc_A,GetCapture, 4_2_0043FF8C
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C2A35 NtProtectVirtualMemory, 13_2_020C2A35
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C0F76 NtWriteVirtualMemory, 13_2_020C0F76
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C0192 EnumWindows,NtSetInformationThread,TerminateProcess, 13_2_020C0192
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C112C NtWriteVirtualMemory, 13_2_020C112C
Creates files inside the system directory
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\Windows\System32\16.exe
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00412181 4_2_00412181
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00454FEC 4_2_00454FEC
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0044FE20 4_2_0044FE20
Source: C:\Users\user\AppData\Roaming\3.exe Code function: 6_2_00401DE8 6_2_00401DE8
Source: C:\Users\user\AppData\Roaming\3.exe Code function: 6_2_00401E86 6_2_00401E86
Source: C:\Users\user\AppData\Roaming\3.exe Code function: 6_2_00401E97 6_2_00401E97
Source: C:\Users\user\AppData\Roaming\3.exe Code function: 6_2_00401EA9 6_2_00401EA9
Source: C:\Users\user\AppData\Roaming\3.exe Code function: 6_2_00401EB5 6_2_00401EB5
Source: C:\Users\user\AppData\Roaming\3.exe Code function: 6_2_00401EBD 6_2_00401EBD
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401DF3 13_2_00401DF3
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_004015B0 13_2_004015B0
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401E7E 13_2_00401E7E
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401E38 13_2_00401E38
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401EC3 13_2_00401EC3
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401ECC 13_2_00401ECC
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401EF0 13_2_00401EF0
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401EF3 13_2_00401EF3
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401EFC 13_2_00401EFC
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401EFF 13_2_00401EFF
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401EA2 13_2_00401EA2
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401EA5 13_2_00401EA5
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401EAC 13_2_00401EAC
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401EB4 13_2_00401EB4
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401EB7 13_2_00401EB7
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401F5C 13_2_00401F5C
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_00401F08 13_2_00401F08
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe 307077D1A3FD2B53B94D88268E31B0B89B8C0C2EE9DBB46041D3E2395243F1B3
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\2.exe Code function: String function: 00403FD4 appears 68 times
Source: C:\Users\user\AppData\Roaming\2.exe Code function: String function: 004060E0 appears 63 times
PE file contains executable resources (Code or Archives)
Source: 2.exe.0.dr Static PE information: Resource name: RT_CURSOR type: PARIX executable
Source: 2.exe.0.dr Static PE information: Resource name: RT_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: 2.exe.0.dr Static PE information: Resource name: RT_CURSOR type: 370 XA sysV pure executable not stripped - 5.2 format
PE file contains strange resources
Source: 2.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Styltendeschris.exe.36.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 31.exe, 00000000.00000003.244922847.000000000380A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameslettebeskyttet.exe vs 31.exe
Source: 31.exe, 00000000.00000003.243998554.00000000037F3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamegasforsy.exe vs 31.exe
Source: 31.exe, 00000000.00000003.244046307.000000000331D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWindows Local Host Process.exeX vs 31.exe
Source: 31.exe, 00000000.00000003.612340393.0000000003EFC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBORTSK.exe vs 31.exe
Source: 31.exe, 00000000.00000003.245407775.000000000382D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGELEN.exe vs 31.exe
Uses reg.exe to modify the Windows registry
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Yara signature match
Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.244904275.00000000037FB000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.245364175.0000000003820000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.243963950.00000000037E6000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe, type: DROPPED Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: C:\Users\user\AppData\Roaming\16.exe, type: DROPPED Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 31.0.16.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 31.2.16.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Ransomware_Wadhrama date = 2019-04-07, hash1 = 557c68e38dce7ea10622763c10a1b9f853c236b3291cd4f9b32723e8714e5576, author = Florian Roth, description = Detects Wadhrama Ransomware via Imphash, reference = Internal Research
Source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.exe.31.dr Static PE information: Section: .data ZLIB complexity 0.991606212798
Source: 16.exe0.31.dr Static PE information: Section: .data ZLIB complexity 0.991606212798
Source: 16.exe1.31.dr Static PE information: Section: .data ZLIB complexity 0.991606212798
Source: 19.2.9.exe.580000.0.unpack, _2dShooter/ControllerSettings.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.0.9.exe.580000.0.unpack, _2dShooter/ControllerSettings.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 21.2.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs Cryptographic APIs: 'CreateDecryptor'
Source: 21.2.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 21.0.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs Cryptographic APIs: 'CreateDecryptor'
Source: 21.0.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 22.2.12.exe.fd0000.0.unpack, License.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 22.2.12.exe.fd0000.0.unpack, License.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.rans.troj.adwa.spyw.evad.winEXE@79/168@120/2
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0041DE44 GetLastError,FormatMessageA, 4_2_0041DE44
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004085D2 GetDiskFreeSpaceA, 4_2_004085D2
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045F0D5 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW, 4_2_0045F0D5
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00416430 FindResourceA,LoadResource,SizeofResource,LockResource, 4_2_00416430
Source: C:\Users\user\Desktop\31.exe File created: C:\Users\user\AppData\Roaming\1.jar
Source: C:\Users\user\Desktop\31.exe File created: C:\Users\user\AppData\Local\Temp\F93E.tmp
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.bat C:\Users\user\Desktop\31.exe'
Source: C:\Users\user\AppData\Roaming\2.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\3.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\7.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\13.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\15.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\5.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\5.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\8.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\9.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\11.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\12.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\12.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\12.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\18.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\6.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Users\user\Desktop\31.exe File read: C:\Users\desktop.ini
Source: 31.exe Virustotal: Detection: 74%
Source: 31.exe Metadefender: Detection: 21%
Source: 31.exe ReversingLabs: Detection: 77%
Source: unknown Process created: C:\Users\user\Desktop\31.exe 'C:\Users\user\Desktop\31.exe'
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.bat C:\Users\user\Desktop\31.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\1.jar'
Source: unknown Process created: C:\Users\user\AppData\Roaming\2.exe C:\Users\user\AppData\Roaming\2.exe
Source: unknown Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: unknown Process created: C:\Users\user\AppData\Roaming\3.exe C:\Users\user\AppData\Roaming\3.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\4.exe C:\Users\user\AppData\Roaming\4.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\5.exe C:\Users\user\AppData\Roaming\5.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\6.exe C:\Users\user\AppData\Roaming\6.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\7.exe C:\Users\user\AppData\Roaming\7.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\8.exe C:\Users\user\AppData\Roaming\8.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\2.exe C:\Users\user\AppData\Roaming\2.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\9.exe C:\Users\user\AppData\Roaming\9.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\10.exe C:\Users\user\AppData\Roaming\10.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\11.exe C:\Users\user\AppData\Roaming\11.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\12.exe C:\Users\user\AppData\Roaming\12.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\3.exe C:\Users\user\AppData\Roaming\3.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\13.exe C:\Users\user\AppData\Roaming\13.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\14.exe C:\Users\user\AppData\Roaming\14.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\15.exe C:\Users\user\AppData\Roaming\15.exe
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\16.exe C:\Users\user\AppData\Roaming\16.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\17.exe C:\Users\user\AppData\Roaming\17.exe
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\13.exe C:\Users\user\AppData\Roaming\13.exe
Source: unknown Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: unknown Process created: C:\Users\user\AppData\Roaming\18.exe C:\Users\user\AppData\Roaming\18.exe
Source: C:\Users\user\Desktop\31.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\F93E.tmp\F93F.tmp\F940.bat C:\Users\user\Desktop\31.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\1.jar'
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\2.exe C:\Users\user\AppData\Roaming\2.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\3.exe C:\Users\user\AppData\Roaming\3.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\4.exe C:\Users\user\AppData\Roaming\4.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\5.exe C:\Users\user\AppData\Roaming\5.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\6.exe C:\Users\user\AppData\Roaming\6.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\7.exe C:\Users\user\AppData\Roaming\7.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\8.exe C:\Users\user\AppData\Roaming\8.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\9.exe C:\Users\user\AppData\Roaming\9.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\10.exe C:\Users\user\AppData\Roaming\10.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\11.exe C:\Users\user\AppData\Roaming\11.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\12.exe C:\Users\user\AppData\Roaming\12.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\13.exe C:\Users\user\AppData\Roaming\13.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\14.exe C:\Users\user\AppData\Roaming\14.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\15.exe C:\Users\user\AppData\Roaming\15.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\16.exe C:\Users\user\AppData\Roaming\16.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\17.exe C:\Users\user\AppData\Roaming\17.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\18.exe C:\Users\user\AppData\Roaming\18.exe
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\2.exe C:\Users\user\AppData\Roaming\2.exe
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Users\user\AppData\Roaming\2.exe Process created: C:\Users\user\AppData\Roaming\2.exe C:\Users\user\AppData\Roaming\2.exe
Source: C:\Users\user\AppData\Roaming\3.exe Process created: C:\Users\user\AppData\Roaming\3.exe C:\Users\user\AppData\Roaming\3.exe
Source: C:\Users\user\AppData\Roaming\4.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\7.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\8.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Source: C:\Users\user\AppData\Roaming\13.exe Process created: C:\Users\user\AppData\Roaming\13.exe C:\Users\user\AppData\Roaming\13.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\AppData\Roaming\feeed.exe'
Source: C:\Users\user\AppData\Roaming\15.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\16.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode con cp select=1251
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\31.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\8.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 31.exe Static file information: File size 13128192 > 1048576
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 31.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xc70000
Source: Binary string: c:\Users\Leon Li\Documents\Visual Studio 2012\Projects\A Logger\Windows Local Host Process\obj\Debug\Windows Local Host Process.pdb source: 5.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Roaming\6.exe Unpacked PE file: 12.2.6.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\2.exe Unpacked PE file: 18.2.2.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
Source: C:\Users\user\AppData\Roaming\10.exe Unpacked PE file: 20.2.10.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\14.exe Unpacked PE file: 27.2.14.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\17.exe Unpacked PE file: 33.2.17.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Roaming\6.exe Unpacked PE file: 12.2.6.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\10.exe Unpacked PE file: 20.2.10.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\14.exe Unpacked PE file: 27.2.14.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\17.exe Unpacked PE file: 33.2.17.exe.400000.0.unpack
.NET source code contains potential unpacker
Source: 19.2.9.exe.580000.0.unpack, _2dShooter/ControllerSettings.cs .Net Code: ShipDestroy System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.9.exe.580000.0.unpack, _2dShooter/ControllerSettings.cs .Net Code: ShipDestroy System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.0.11.exe.3f0000.0.unpack, MY_APPLICATION/CoreBattle.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.12.exe.fd0000.0.unpack, License.cs .Net Code: ValidateSignature System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.12.exe.fd0000.0.unpack, License.cs .Net Code: GizmoDecompress System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.0.12.exe.fd0000.0.unpack, License.cs .Net Code: ValidateSignature System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.0.12.exe.fd0000.0.unpack, License.cs .Net Code: GizmoDecompress System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Yara detected Allatori_JAR_Obfuscator
Source: Yara match File source: C:\Users\user\AppData\Roaming\1.jar, type: DROPPED
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00426470 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00426470
PE file contains sections with non-standard names
Source: 31.exe Static PE information: section name: .code
Source: 4.dll.8.dr Static PE information: section name: .didata

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\Windows\System32\16.exe

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run feeed
Creates autostart registry keys with suspicious names
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run feeed
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\AppData\Roaming\3.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Dokumen4 C:\Users\user\AppData\Local\Temp\Dibromob\PRECONCE.vbs
Source: C:\Users\user\AppData\Roaming\13.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce PANOREREDEOPTIM C:\Users\user\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.vbs
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Roaming\16.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 16.exe
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run feeed
Source: C:\Users\user\AppData\Roaming\3.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Dokumen4
Source: C:\Users\user\AppData\Roaming\13.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce PANOREREDEOPTIM
Drops PE files to the startup folder
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\16.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\16.exe
Source: C:\Users\user\AppData\Roaming\3.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Dokumen4
Source: C:\Users\user\AppData\Roaming\13.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce PANOREREDEOPTIM
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run feeed
Source: C:\Users\user\AppData\Roaming\16.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 16.exe

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: 6.exe PID: 6288, type: MEMORY
Creates files in the recycle bin to hide itself
Source: C:\Users\user\AppData\Roaming\16.exe File created: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1000\desktop.ini.id-63AF7DE9.[Bit_decrypt@protonmail.com].BOMBO
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Roaming\8.exe File opened: C:\Users\user\AppData\Roaming\8.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045AB7C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 4_2_0045AB7C
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004247B8 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_004247B8
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00442888 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 4_2_00442888
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045B29C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_0045B29C
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045B34C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_0045B34C
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004416B0 IsIconic,GetCapture, 4_2_004416B0
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00457BA4 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 4_2_00457BA4
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00441F64 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_00441F64
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00426470 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00426470
Uses cacls to modify the permissions of files
Source: unknown Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004365DC 4_2_004365DC
Tries to detect Any.run
Source: C:\Users\user\AppData\Roaming\3.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\3.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Roaming\7.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\7.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Roaming\13.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\13.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Roaming\15.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Roaming\15.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 7.exe Binary or memory string: ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: 7.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\2.exe RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\2.exe RDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\15.exe RDTSC instruction interceptor: First address: 00000000021524B4 second address: 00000000021524D6 instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 lfence 0x00000006 shl edx, 20h 0x00000009 or edx, eax 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 fnop 0x00000015 cpuid 0x00000017 bt ecx, 1Fh 0x0000001b jc 00007F787038E503h 0x0000001d clc 0x0000001e popad 0x0000001f lfence 0x00000022 rdtsc
Source: C:\Users\user\AppData\Roaming\15.exe RDTSC instruction interceptor: First address: 00000000021524D6 second address: 00000000021524B4 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F7870ADEC2Ah 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F7870ADEC53h 0x0000001b push ecx 0x0000001c call 00007F7870ADEC7Eh 0x00000021 clc 0x00000022 lfence 0x00000025 clc 0x00000026 rdtsc
Source: C:\Users\user\AppData\Roaming\7.exe RDTSC instruction interceptor: First address: 00000000020C24FC second address: 00000000020C251D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d nop 0x0000000e mov eax, 00000001h 0x00000013 nop 0x00000014 cpuid 0x00000016 clc 0x00000017 bt ecx, 1Fh 0x0000001b jc 00007F787038E502h 0x0000001d popad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Users\user\AppData\Roaming\7.exe RDTSC instruction interceptor: First address: 00000000020C251D second address: 00000000020C24FC instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F7870ADEC29h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F7870ADEC53h 0x0000001b push ecx 0x0000001c call 00007F7870ADEC7Eh 0x00000021 fnop 0x00000023 lfence 0x00000026 fnop 0x00000028 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C24F5 rdtsc 13_2_020C24F5
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 4_2_0045A0EC
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\8.exe Thread delayed: delay time: 922337203685477
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004365DC 4_2_004365DC
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045E4B0 GetSystemTime followed by cmp: cmp word ptr [ebp-00000128h], 07e0h and CTI: jnc 0045E4E1h 4_2_0045E4B0
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00408420 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 4_2_00408420
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004050AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_004050AC
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0041E3D4 GetSystemInfo, 4_2_0041E3D4
Source: 7.exe Binary or memory string: rogram Files\Qemu-ga\qemu-ga.exe
Source: 2.exe Binary or memory string: VMwareVMware
Source: 7.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C0192 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 13_2_020C0192
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\2.exe Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\2.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\2.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C24F5 rdtsc 13_2_020C24F5
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00426470 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00426470
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C220A mov eax, dword ptr fs:[00000030h] 13_2_020C220A
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C277D mov eax, dword ptr fs:[00000030h] 13_2_020C277D
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C139C mov eax, dword ptr fs:[00000030h] 13_2_020C139C
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C2431 mov eax, dword ptr fs:[00000030h] 13_2_020C2431
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C08BE mov eax, dword ptr fs:[00000030h] 13_2_020C08BE
Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C0CC8 mov eax, dword ptr fs:[00000030h] 13_2_020C0CC8
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\5.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\8.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\2.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Memory protected: page read and write | page guard
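The anti-debugging and anti-VM entries above are terse API-argument dumps that an analyst has to decode by hand: the NtSetInformationThread call passes info class 0x11 (ThreadHideFromDebugger), the thread delay of 922337203685477 ms is exactly INT64_MAX in 100-ns units (an indefinite NtDelayExecution wait, not a tuned evasion delay), and the GetSystemTime compare tests a WORD against 0x7E0 (2016) with jnc, i.e. an unsigned "greater or equal" branch. The decoder below is an added example written by the editor; it is not code from the report, the sandbox vendor, or the sample. Its input is five lines copied verbatim from this report (constructed input), its line grammar is inferred from those lines only, the reading of the 0x7E0 compare as SYSTEMTIME.wYear is an assumption flagged in the code, and the 0xFE handle argument is reported raw rather than interpreted.

```python
"""Decode sandbox anti-analysis signature lines into structured findings.
Added example (editor's code, not from the report); assumptions are marked."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Any

# Constructed input: five lines copied verbatim from the report above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C0192 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 13_2_020C0192",
    r"Source: C:\Users\user\AppData\Roaming\8.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045E4B0 GetSystemTime followed by cmp: cmp word ptr [ebp-00000128h], 07e0h and CTI: jnc 0045E4E1h 4_2_0045E4B0",
    r"Source: C:\Users\user\AppData\Roaming\7.exe Code function: 13_2_020C24F5 rdtsc 13_2_020C24F5",
    r"Source: C:\Users\user\AppData\Roaming\2.exe Process queried: DebugPort",
]

# THREADINFOCLASS 0x11 = ThreadHideFromDebugger: once set, the kernel stops
# delivering that thread's debug events to an attached debugger.
THREAD_INFO_CLASSES = {0x11: "ThreadHideFromDebugger"}

# Condition under which a conditional jump after "cmp a, b" is taken
# (unsigned comparison of a against b).
CTI_CONDITIONS = {"jnc": ">=", "jae": ">=", "jc": "<", "jb": "<", "ja": ">",
                  "jbe": "<=", "je": "==", "jz": "==", "jne": "!=", "jnz": "!="}

LONG_SLEEP_MS = 3 * 60 * 1000   # the report's "long sleeps (>= 3 min)" threshold
INT64_MAX = 2**63 - 1           # NtDelayExecution takes a 100-ns LARGE_INTEGER


@dataclass
class Finding:
    source: str
    kind: str
    process_index: int | None = None
    address: int | None = None
    details: dict[str, Any] = field(default_factory=dict)


# Line grammar inferred from the report's own lines (assumption).
_SOURCE = re.compile(r"^Source: (?P<src>.+?) (?P<rest>(?:Code function|Thread delayed|Process queried): .*)$")
_CODE_FN = re.compile(r"^Code function: (?P<pi>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+) (?P<body>.*?) (?P=pi)_(?P=stage)_(?P=addr)$")
_NTSIT = re.compile(r"^NtSetInformationThread (?P<args>[0-9A-Fa-f?,]+)$")
_TIME_CMP = re.compile(r"^(?P<api>GetSystemTime|GetLocalTime) followed by cmp: cmp word ptr \[ebp-[0-9A-Fa-f]+h\], "
                       r"(?P<imm>[0-9A-Fa-f]+)h and CTI: (?P<cti>\w+) (?P<target>[0-9A-Fa-f]+)h$")
_DELAY = re.compile(r"^Thread delayed: delay time: (?P<ms>\d+)$")
_DEBUG_Q = re.compile(r"^Process queried: (?P<what>\w+)$")


def decode_line(line: str) -> Finding | None:
    m = _SOURCE.match(line)
    if not m:
        return None
    src, rest = m.group("src"), m.group("rest")

    d = _DELAY.match(rest)
    if d:
        ms = int(d.group("ms"))
        return Finding(src, "thread_delay", details={
            "ms": ms,
            "exceeds_3min": ms >= LONG_SLEEP_MS,
            # INT64_MAX // 10000 ms is "wait forever": the thread was parked.
            "is_int64_max_100ns": ms == INT64_MAX // 10_000,
        })

    q = _DEBUG_Q.match(rest)
    if q:
        return Finding(src, "debug_query", details={"queried": q.group("what")})

    c = _CODE_FN.match(rest)
    if not c:
        return Finding(src, "other", details={"raw": rest})
    pi, addr, body = int(c.group("pi")), int(c.group("addr"), 16), c.group("body")

    n = _NTSIT.match(body)
    if n:
        args = n.group("args").split(",")
        info_class = int(args[1], 16)
        return Finding(src, "NtSetInformationThread", pi, addr, {
            "handle": int(args[0], 16),  # reported raw, not interpreted
            "info_class": THREAD_INFO_CLASSES.get(info_class, f"unknown(0x{info_class:x})"),
        })

    t = _TIME_CMP.match(body)
    if t:
        imm = int(t.group("imm"), 16)
        return Finding(src, "time_branch", pi, addr, {
            "api": t.group("api"),
            "immediate": imm,
            "branch_taken_when": CTI_CONDITIONS.get(t.group("cti").lower(), "?"),
            "target": int(t.group("target"), 16),
            # Assumption: a WORD compared with a plausible year right after
            # GetSystemTime is SYSTEMTIME.wYear (0x7E0 = 2016 here).
            "looks_like_year_check": 1990 <= imm <= 2100,
        })

    if body == "rdtsc":
        return Finding(src, "rdtsc", pi, addr)
    return Finding(src, "code_function", pi, addr, {"body": body})


def decode_all(lines: list[str]) -> list[Finding]:
    return [f for f in map(decode_line, lines) if f is not None]


def summarize(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Technique counts per source binary (basename of the Source path)."""
    out: dict[str, dict[str, int]] = {}
    for f in findings:
        per = out.setdefault(f.source.rsplit("\\", 1)[-1], {})
        per[f.kind] = per.get(f.kind, 0) + 1
    return out
```

`summarize(decode_all(SAMPLE_LINES))` groups the techniques by dropped binary (7.exe: thread hiding and rdtsc; 8.exe: the indefinite delay; 2.exe: the year compare and the DebugPort query), which is the shape a triage note or a detection-coverage review needs rather than the flat signature list.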

HIPS / PFW / Operating System Protection Evasion:

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\2.exe Thread register set: target process: 3472

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_00464127 cpuid 4_2_00464127
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_00405264
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetLocaleInfoA,GetACP, 4_2_0040C628
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetLocaleInfoA, 4_2_0040AFC4
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetLocaleInfoA, 4_2_0040B010
Source: C:\Users\user\AppData\Roaming\2.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_00405370
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetLocaleInfoA, 4_2_00405B8E
Source: C:\Users\user\AppData\Roaming\2.exe Code function: GetLocaleInfoA, 4_2_00405B90
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_0045E4B0 GetSystemTime,RtlExitUserThread,GetSystemTimeAsFileTime,GetModuleHandleA,GetProcAddress,RtlExitUserThread, 4_2_0045E4B0
Source: C:\Users\user\AppData\Roaming\2.exe Code function: 4_2_004474D0 GetVersion, 4_2_004474D0

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\6.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.265066076.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.287963750.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280169669.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.268420361.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.262475690.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.283048211.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.277448460.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.276697801.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.264167632.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.271016364.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.279389121.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.289988537.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.285704890.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.290870908.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.286159622.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.284449736.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.278795874.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.286615752.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.278137679.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.280976286.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.289104670.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.266254092.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.285038700.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.288532255.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.283836994.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.281810104.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.276068079.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.287218753.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.261275471.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.282519580.0000000003430000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6.exe PID: 6288, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0000000F.00000003.506552159.00000000060E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.260831311.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.515536645.00000000007E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\feeed.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\8.exe, type: DROPPED
Source: Yara match File source: 15.2.8.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.8.exe.7e0000.0.unpack, type: UNPACKEDPE
Yara detected FormBook
Source: Yara match File source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.432975373.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.432820441.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.318976470.00000000023F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.432760391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.2.exe.23f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.2.exe.23f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.2.exe.26d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.1.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.1.2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE
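The Yara match lists above encode their provenance in the source names: memory dumps as <process index>.<stage>.<dump id>.<base address>.<field5>.<field6>.sdmp (hex fields), unpacked PEs as <process index>.<stage>.<process name>.<base>.<n>[.raw].unpack, plus Process Memory Space and DROPPED entries. The correlator below is an added example written by the editor, not code from the report or the sandbox vendor. It parses a subset of this report's own match lines (constructed input, copied verbatim) and joins the memory-only dump entries to process names through the unpack entries, so that each family is tied to the dropped binary it actually ran in. Two assumptions, not documented on the page: that the name grammar above holds generally, and that field5 of a dump name is the region's Windows PAGE_* protection (the values seen here, 2, 4 and 40 hex, match those constants exactly); field6 is kept raw.

```python
"""Correlate sandbox Yara-match sources with the processes and dropped files
they came from. Added example (editor's code, not from the report)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed input: a subset of the report's Yara match lines, copied verbatim.
YARA_LINES = {
    "Ursnif": [
        "Source: Yara match File source: 0000000C.00000003.275324672.0000000003430000.00000004.00000040.sdmp, type: MEMORY",
        "Source: Yara match File source: 0000000C.00000003.263458830.0000000003430000.00000004.00000040.sdmp, type: MEMORY",
        "Source: Yara match File source: Process Memory Space: 6.exe PID: 6288, type: MEMORY",
    ],
    "AgentTesla": [
        "Source: Yara match File source: 0000000F.00000003.506552159.00000000060E4000.00000004.00000001.sdmp, type: MEMORY",
        "Source: Yara match File source: 0000000F.00000002.515536645.00000000007E2000.00000002.00020000.sdmp, type: MEMORY",
        r"Source: Yara match File source: C:\Users\user\AppData\Roaming\feeed.exe, type: DROPPED",
        r"Source: Yara match File source: C:\Users\user\AppData\Roaming\8.exe, type: DROPPED",
        "Source: Yara match File source: 15.2.8.exe.7e0000.0.unpack, type: UNPACKEDPE",
    ],
    "FormBook": [
        "Source: Yara match File source: 00000012.00000001.319454595.0000000000400000.00000040.00020000.sdmp, type: MEMORY",
        "Source: Yara match File source: 00000004.00000002.319066279.00000000026D0000.00000040.00000001.sdmp, type: MEMORY",
        "Source: Yara match File source: 4.2.2.exe.26d0000.3.unpack, type: UNPACKEDPE",
        "Source: Yara match File source: 18.2.2.exe.400000.0.raw.unpack, type: UNPACKEDPE",
    ],
}

_SRC = re.compile(r"^Source: Yara match File source: (?P<what>.+?), type: (?P<type>MEMORY|DROPPED|UNPACKEDPE)$")
# <process index>.<stage>.<dump id>.<base address>.<field5>.<field6>.sdmp  (grammar inferred from the report)
_SDMP = re.compile(r"^(?P<pi>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})\.(?P<f5>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\.sdmp$")
# <process index>.<stage>.<process name>.<base>.<n>[.raw].unpack
_UNPACK = re.compile(r"^(?P<pi>\d+)\.(?P<stage>\d+)\.(?P<proc>.+?)\.(?P<base>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")
_PMS = re.compile(r"^Process Memory Space: (?P<proc>\S+) PID: (?P<pid>\d+)$")

# Assumption: field5 is the region's Windows PAGE_* protection (the report's
# values 2/4/40 hex are exactly those constants). field6 is not interpreted.
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_source(line: str) -> dict | None:
    m = _SRC.match(line)
    if not m:
        return None
    what, typ = m.group("what"), m.group("type")
    if typ == "DROPPED":
        return {"type": "dropped", "path": what}
    if typ == "UNPACKEDPE" and (u := _UNPACK.match(what)):
        return {"type": "unpacked", "pi": int(u.group("pi")), "proc": u.group("proc"),
                "base": int(u.group("base"), 16)}
    if typ == "MEMORY" and (s := _SDMP.match(what)):
        prot = int(s.group("f5"), 16)
        return {"type": "memdump", "pi": int(s.group("pi"), 16), "base": int(s.group("base"), 16),
                "prot": PAGE_PROT.get(prot, f"0x{prot:x}"), "f6": s.group("f6")}
    if typ == "MEMORY" and (p := _PMS.match(what)):
        return {"type": "procmem", "proc": p.group("proc"), "pid": int(p.group("pid"))}
    return {"type": "unknown", "raw": what}


def correlate(families: dict[str, list[str]]) -> dict[str, dict]:
    """Per family: process names, index->name map from unpack entries, PIDs from
    process-memory matches, distinct memory regions (named through the index
    map where an unpack entry exists) and files flagged on disk."""
    result = {}
    for family, lines in families.items():
        names, index_names, pids, regions, dropped = set(), {}, {}, set(), []
        for rec in filter(None, map(parse_source, lines)):
            t = rec["type"]
            if t == "unpacked":
                index_names[rec["pi"]] = rec["proc"]
                names.add(rec["proc"])
            elif t == "memdump":
                regions.add((rec["pi"], rec["base"], rec["prot"]))  # dedupes repeated dumps
            elif t == "procmem":
                names.add(rec["proc"])
                pids[rec["proc"]] = rec["pid"]
            elif t == "dropped":
                dropped.append(rec["path"])
        named = sorted(((pi, index_names.get(pi), base, prot) for pi, base, prot in regions),
                       key=lambda r: (r[0], r[2]))
        result[family] = {"processes": names, "index_names": index_names, "pids": pids,
                          "regions": named, "dropped": dropped}
    return result


def families_by_process(report: dict[str, dict]) -> dict[str, set[str]]:
    """Invert the correlation: which families were found in which process."""
    out: dict[str, set[str]] = defaultdict(set)
    for family, info in report.items():
        for proc in info["processes"]:
            out[proc].add(family)
    return dict(out)
```

On this input the correlation shows FormBook in process indices 4 and 18, both named 2.exe by the unpack entries (parent and re-launched child), in RWX regions at 0x26D0000 and the image base 0x400000; AgentTesla in index 15 (8.exe) and on disk in feeed.exe and 8.exe; and Ursnif only as 32 deduplicated dumps of one region in index 12 plus the process memory of 6.exe, with no unpack entry to name index 12.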

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match (same sources as listed under Stealing of Sensitive Information: 32 memory dumps of process 0000000C at 0000000003430000 and Process Memory Space: 6.exe PID: 6288)
Yara detected AgentTesla
Source: Yara match (same sources as listed under Stealing of Sensitive Information: 3 memory dumps of process 0000000F, dropped files C:\Users\user\AppData\Roaming\feeed.exe and C:\Users\user\AppData\Roaming\8.exe, unpacked PEs 15.2.8.exe.7e0000.0.unpack and 15.0.8.exe.7e0000.0.unpack)
Yara detected FormBook
Source: Yara match (same sources as listed under Stealing of Sensitive Information: 6 memory dumps of processes 00000004 and 00000012, 8 unpacked PEs of 2.exe at 23f0000, 26d0000 and 400000)
Behavior Graph (ID 321991, sample 31.exe, start date 24/11/2020, architecture WINDOWS, score 100)

The graph is reproduced here as a process tree reconstructed from its node and edge list. The original icons (process, signature, created file, DNS/IP info, dropped, Windows process, language, malicious, Internet, IP-count shading) do not survive in text; the counters printed beside process names are reproduced as extracted, and truncated paths are left as the graph showed them.

Sample level:
  contacts: www.sensomaticloadcell.com; www.fisioservice.com; 13 other IPs or domains
  signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 13 other signatures

31.exe [39]
  dropped: C:\Users\user\AppData\Roaming\8.exe (PE32); C:\Users\user\AppData\Roaming\7.exe (PE32); C:\Users\user\AppData\Roaming\6.exe (PE32); 28 other files (18 malicious)
  +-- cmd.exe [3 2]
      +-- 16.exe
      |   dropped: C:\Users\user\AppData\Roaming\...\16.exe (PE32); C:\ProgramData\Microsoft\Windows\...\16.exe (PE32); C:\Windows\System32\16.exe (PE32); desktop.ini.id-63A...otonmail.com].BOMBO (data)
      |   signatures: Antivirus detection for dropped file; Creates files in the recycle bin to hide itself; Machine Learning detection for dropped file; Drops PE files to the startup folder
      |   +-- cmd.exe
      |       +-- conhost.exe
      |       +-- mode.com
      +-- 13.exe
      |   signatures: Multi AV Scanner detection for dropped file; Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys
      |   +-- 13.exe
      |       dropped: C:\Users\user\AppData\...\Styltendeschris.exe (PE32)
      |       signatures: Tries to detect Any.run
      +-- 2.exe
      |   signatures: Detected unpacking (changes PE section rights); Tries to detect virtualization through RDTSC time measurements; Contains functionality to detect sleep reduction / modifications
      |   +-- 2.exe
      |       signatures: Modifies the context of a thread in another process (thread injection)
      +-- 16 other processes
          network: telete.in 195.201.225.248, 443, 49714, 49715 (HETZNER-ASDE, Germany); nodejs.org 104.20.22.46, 443, 49712 (CLOUDFLARENETUS, United States)
          dropped: C:\Users\user\AppData\Roaming\feeed.exe (PE32); C:\Users\user\...\configure (Bourne-Again); C:\Users\user\...\npx-cli.js, a; 7 other files (none is malicious)
          signatures: Detected unpacking (overwrites its own PE header); Tries to detect Any.run; 3 other signatures
          +-- cmd.exe
          |   +-- reg.exe
          |   |   signatures: Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows
          |   +-- conhost.exe
          +-- 3.exe
          |   network: ffvgdsv.ug
          +-- icacls.exe [1]
          |   +-- conhost.exe
          +-- 2 other processes

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name         Malicious
195.201.225.248  unknown  Germany        24940  HETZNER-ASDE     false
104.20.22.46     unknown  United States  13335  CLOUDFLARENETUS  false

Contacted Domains

Name                                                         IP               Active
shawcn1.sytes.net                                            0.0.0.0          true
nodejs.org                                                   104.20.22.46     true
smtp.yandex.ru                                               77.88.21.158     true
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com  3.223.115.185    true
runeurotoolz.hopto.org                                       0.0.0.0          true
telete.in                                                    195.201.225.248  true
sensomaticloadcell.com                                       148.66.138.171   true
www.bestmedicationstore.com                                  unknown          unknown
ffvgdsv.ug                                                   unknown          unknown
www.fisioservice.com                                         unknown          unknown
smtp.ecojett.co                                              unknown          unknown
smtp.yandex.com                                              unknown          unknown
tdaztq.by.files.1drv.com                                     unknown          unknown
onedrive.live.com                                            unknown          unknown
www.sensomaticloadcell.com                                   unknown          unknown
sibelikinciel.xyz                                            unknown          unknown