Analysis Report Sample_5fba9b06c7da400016eb6275.exe

Overview

General Information

Sample Name: Sample_5fba9b06c7da400016eb6275.exe
Analysis ID: 326335
MD5: 0e285f30f30dedd812295d2408f4b84c
SHA1: 24e8a7a0b9fdf929e6cc4b52b0470bf4f7b6f244
SHA256: d91f951bdcf35012ac6b47c28cf32ec143e4269243d8c229f6cb326fd343df95

Detection

Sodinokibi
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected Sodinokibi Ransomware
Contains functionality to detect sleep reduction / modifications
Found Tor onion address
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to delete services
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Sample_5fba9b06c7da400016eb6275.exe Avira: detected
Found malware configuration
Source: Sample_5fba9b06c7da400016eb6275.exe.7020.0.memstr Malware Configuration Extractor: Sodinokibi {"prc": ["firefox", "oracle", "visio", "xfssvccon", "steam", "winword", "mspub", "isqlplussvc", "ocssd", "ocautoupds", "mydesktopqos", "outlook", "dbeng50", "sql", "agntsvc", "tbirdconfig", "encsvc", "thebat", "synctime", "onenote", "mydesktopservice", "thunderbird", "excel", "powerpnt", "dbsnmp", "sqbcoreservice", "ocomm", "infopath", "wordpad", "msaccess"], "sub": "5891", "svc": ["veeam", "vss", "backup", "sophos", "svc$", "mepocs", "memtas", "sql"], "wht": {"ext": ["msc", "mpa", "hta", "ani", "themepack", "com", "ps1", "icl", "dll", "ldf", "ocx", "lnk", "theme", "nls", "386", "cmd", "wpx", "diagcfg", "cur", "prf", "ico", "nomedia", "sys", "bat", "exe", "deskthemepack", "spl", "shs", "hlp", "rtp", "msp", "scr", "ics", "key", "msstyles", "mod", "cab", "diagcab", "adv", "rom", "drv", "bin", "msi", "idx", "cpl", "diagpkg", "msu", "icns", "lock"], "fls": ["boot.ini", "bootsect.bak", "bootfont.bin", "ntuser.ini", "iconcache.db", "ntuser.dat.log", "desktop.ini", "autorun.inf", "thumbs.db", "ntuser.dat", "ntldr"], "fld": ["system volume information", "program files (x86)", "mozilla", "application data", "windows.old", "msocache", "appdata", "$recycle.bin", "$windows.~ws", "program files", "windows", "programdata", "google", "tor browser", "perflogs", "boot", "intel", "$windows.~bt"]}, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA", "dmn": "notmissingout.com;employeesurveys.com;delchacay.com.ar;sw1m.ru;sofavietxinh.com;samnewbyjax.com;pawsuppetlovers.com;panelsandwichmadrid.es;frontierweldingllc.com;antenanavi.com;nokesvilledentistry.com;partnertaxi.sk;tomaso.gr;levihotelspa.fi;myhealth.net.au;midmohandyman.com;kirkepartner.dk;zewatchers.com;lapmangfpt.info.vn;purposeadvisorsolutions.com;fitnessbazaar.com;brigitte-erler.com;lescomtesdemean.be;supportsumba.nl;deltacleta.cat;mastertechusering.com;dontpassthepepper.com;apprendrelaudit.com;whittier5k.com;ladelirante.fr;mariposapropaneaz.com;nsec.se;shsthepapercut.com;adoptioperheet.fi;labobit.it;retroearthstudio.com;ahouseforlease.com;greenfieldoptimaldentalcare.com;renergysolution.com;xtptrack.com;sandd.nl;euro-trend.pl;christ-michael.net;bigasgrup.com;plv.media;wacochamber.com;jyzdesign.com;facettenreich27.de;echtveilig.nl;mbxvii.com;igfap.com;noskierrenteria.com;strategicstatements.com;itelagen.com;burkert-ideenreich.de;cleliaekiko.online;baronloan.org;slwgs.org;wolf-glas-und-kunst.de;hardinggroup.com;mousepad-direkt.de;4youbeautysalon.com;suncrestcabinets.ca;zzyjtsgls.com;commercialboatbuilding.com;stemenstilte.nl;maasreusel.nl;bloggyboulga.net;vitavia.lt;skanah.com;autodujos.lt;leoben.at;filmstreamingvfcomplet.be;mediaplayertest.net;travelffeine.com;ungsvenskarna.se;securityfmm.com;rushhourappliances.com;ziegler-praezisionsteile.de;drinkseed.com;live-your-life.jp;deko4you.at;comarenterprises.com;despedidascosta
Multi AV Scanner detection for submitted file
Source: Sample_5fba9b06c7da400016eb6275.exe Virustotal: Detection: 89%
Source: Sample_5fba9b06c7da400016eb6275.exe Metadefender: Detection: 48%
Source: Sample_5fba9b06c7da400016eb6275.exe ReversingLabs: Detection: 86%
Machine Learning detection for sample
Source: Sample_5fba9b06c7da400016eb6275.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B549C CryptAcquireContextW,CryptGenRandom, 0_2_009B549C
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5D90 CryptBinaryToStringW,CryptBinaryToStringW, 0_2_009B5D90
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5D2F CryptStringToBinaryW,CryptStringToBinaryW, 0_2_009B5D2F

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: z:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: x:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: v:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: t:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: r:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: p:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: n:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: l:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: j:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: h:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: f:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: d:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: b:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: y:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: w:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: u:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: s:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: q:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: o:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: m:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: k:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: i:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: g:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: e:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: c:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File opened: a:
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B766A FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose, 0_2_009B766A

Networking:

Found Tor onion address
Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F
Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
Source: su84mu33c1-readme.txt19.0.dr String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F
Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp, su84mu33c1-readme.txt19.0.dr String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F
Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp String found in binary or memory: http://decryptor.cc/
Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp, su84mu33c1-readme.txt19.0.dr String found in binary or memory: http://decryptor.cc/A7014F8C2779026F
Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.577730714.0000000002B58000.00000004.00000040.sdmp, Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000003.524083890.0000000002B6F000.00000004.00000040.sdmp, su84mu33c1-readme.txt19.0.dr String found in binary or memory: https://torproject.org/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Sample_5fba9b06c7da400016eb6275.exe, 00000000.00000002.573901385.0000000000BBA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
Source: C:\su84mu33c1-readme.txt Dropped file: ---=== Welcome. Again. ===---[+] Whats Happen? [+]Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension su84mu33c1.By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.[+] How to get access on website? [+]You have two ways:1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/A7014F8C2779026F2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/A7014F8C2779026FWarning: secondary website can be blocked, thats why first variant muc
Yara detected Sodinokibi Ransomware
Source: Yara match File source: 00000000.00000003.348277768.0000000002B4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.348165108.0000000002B4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample_5fba9b06c7da400016eb6275.exe PID: 7020, type: MEMORY
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File moved: C:\Users\user\Desktop\ZTGJILHXQB\QCFWYSKMHA.png
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File deleted: C:\Users\user\Desktop\ZTGJILHXQB\QCFWYSKMHA.png
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File moved: C:\Users\user\Desktop\UOOJJOZIRH.xlsx
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File deleted: C:\Users\user\Desktop\UOOJJOZIRH.xlsx
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File moved: C:\Users\user\Desktop\PWCCAWLGRE.jpg

System Summary:

Contains functionality to delete services
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B3B6E OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle, 0_2_009B3B6E
Detected potential crypto function
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009BB7A2 0_2_009BB7A2
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B8AF8 0_2_009B8AF8
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B85D5 0_2_009B85D5
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009BAB0D 0_2_009BAB0D
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B8377 0_2_009B8377
Yara signature match
Source: Sample_5fba9b06c7da400016eb6275.exe, type: SAMPLE Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
Source: 00000000.00000002.573809240.00000000009B1000.00000020.00020000.sdmp, type: MEMORY Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
Source: 00000000.00000000.347800253.00000000009B1000.00000020.00020000.sdmp, type: MEMORY Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
Source: 0.0.Sample_5fba9b06c7da400016eb6275.exe.9b0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
Source: 0.2.Sample_5fba9b06c7da400016eb6275.exe.9b0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_RANSOM_REvil_Oct20_1 date = 2020-10-13, hash4 = fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501, hash3 = f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d, hash2 = f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5, hash1 = 5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4, author = Florian Roth, description = Detects REvil ransomware, reference = Internal Research
Source: classification engine Classification label: mal100.rans.evad.winEXE@2/207@0/0
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B4CD4 GetDriveTypeW,GetDiskFreeSpaceExW, 0_2_009B4CD4
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5425 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, 0_2_009B5425
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\program files\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\C67C4A76-40FA-FD1C-B814-F8203DB0F283
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: C:\Users\user\AppData\Local\Temp\xa288w44oi.bmp
Source: Sample_5fba9b06c7da400016eb6275.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\CIMV2 : SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Sample_5fba9b06c7da400016eb6275.exe Virustotal: Detection: 89%
Source: Sample_5fba9b06c7da400016eb6275.exe Metadefender: Detection: 48%
Source: Sample_5fba9b06c7da400016eb6275.exe ReversingLabs: Detection: 86%
Source: unknown Process created: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe 'C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe'
Source: unknown Process created: C:\Windows\System32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Directory created: c:\program files\su84mu33c1-readme.txt

Data Obfuscation:

PE file contains sections with non-standard names
Source: Sample_5fba9b06c7da400016eb6275.exe Static PE information: section name: .axh
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009C30F8 pushfd ; ret 0_2_009C30FE
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: C:\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\program files\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\program files (x86)\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\recovery\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\program files (x86)\microsoft sql server\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\default\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\public\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\program files (x86)\microsoft sql server\110\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\default\desktop\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\default\documents\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\default\downloads\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\default\favorites\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\default\links\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\default\music\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\default\pictures\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\default\saved games\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\default\videos\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\3d objects\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\contacts\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\downloads\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\favorites\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\links\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\music\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\onedrive\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\pictures\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\recent\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\saved games\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\searches\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\videos\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\public\accountpictures\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\public\desktop\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\public\documents\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\public\downloads\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\public\libraries\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\public\music\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\public\pictures\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\public\videos\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\program files (x86)\microsoft sql server\110\shared\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\eegwxuhvug\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\eowrvpqccs\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\fenivhoikn\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\gigiytffyt\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\grxzdkkvdb\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\mxpxcvpdvn\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\pwccawlgre\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\qncycdfijj\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\uoojjozirh\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\vamydfpund\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\wkxewiotxi\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\desktop\ztgjilhxqb\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\eegwxuhvug\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\eowrvpqccs\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\fenivhoikn\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\gigiytffyt\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\grxzdkkvdb\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\mxpxcvpdvn\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\pwccawlgre\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\qncycdfijj\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\uoojjozirh\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\vamydfpund\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\wkxewiotxi\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\documents\ztgjilhxqb\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\favorites\links\su84mu33c1-readme.txt
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File created: c:\users\user\pictures\camera roll\su84mu33c1-readme.txt

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B595D 0_2_009B595D
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B58B3 rdtsc 0_2_009B58B3
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: OpenSCManagerW,EnumServicesStatusExW,RtlGetLastWin32Error,CloseServiceHandle,CloseServiceHandle,EnumServicesStatusExW,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle, 0_2_009B3B6E
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Window / User API: threadDelayed 10000
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe TID: 7024 Thread sleep count: 10000 > 30
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B766A FindFirstFileExW,FindFirstFileW,FindNextFileW,FindClose, 0_2_009B766A
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B53F1 GetSystemInfo, 0_2_009B53F1
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Process information queried: ProcessInformation
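The evasion findings above are pattern matches over the sample's API call trace: a decision API (CreateMutex, GetModuleFileName, GetTokenInformation) followed shortly by ExitProcess, a thread that calls Sleep more than 30 times, and the OpenSCManagerW / EnumServicesStatusExW / ControlService / DeleteService chain. The script below is an added example, not part of this report or of the sandbox's own engine; it reimplements those three heuristics in miniature over a constructed per-thread trace (the trace text, thread IDs, paths and the "example-mutex" name are all made up for illustration).

```python
"""Evasive API-chain heuristics over a constructed API trace (added example)."""
from collections import Counter, defaultdict

# APIs whose result typically gates whether the payload runs at all.
DECISION_APIS = {
    "CreateMutexA": "mutex check",
    "CreateMutexW": "mutex check",
    "GetModuleFileNameA": "module file name check",
    "GetModuleFileNameW": "module file name check",
    "GetTokenInformation": "process token check",
}
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
# If any of these sit between the decision and ExitProcess, the exit is a normal end of work.
WORK_APIS = {"CreateFileW", "WriteFile", "MoveFileW", "DeleteFileW"}
SERVICE_CHAIN = ("OpenSCManagerW", "EnumServicesStatusExW", "ControlService", "DeleteService")


def parse_trace(text):
    """Parse 'tid api [arg]' lines into (tid, api, arg) tuples; blank lines are skipped."""
    calls = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        calls.append((int(parts[0]), parts[1], parts[2] if len(parts) == 3 else ""))
    return calls


def by_thread(calls):
    threads = defaultdict(list)
    for tid, api, arg in calls:
        threads[tid].append((api, arg))
    return threads


def find_exit_chains(calls, window=8):
    """Decision API -> at most `window` calls with no real work -> ExitProcess."""
    findings = []
    for tid, seq in by_thread(calls).items():
        apis = [api for api, _ in seq]
        for i, api in enumerate(apis):
            if api not in DECISION_APIS:
                continue
            tail = apis[i + 1:i + 1 + window]
            if "ExitProcess" in tail and not WORK_APIS.intersection(tail):
                findings.append((tid, api, "ExitProcess", DECISION_APIS[api]))
    return findings


def find_sleep_loops(calls, threshold=30):
    """Threads whose sleep-call count exceeds the threshold (the report uses > 30)."""
    counts = Counter(tid for tid, api, _ in calls if api in SLEEP_APIS)
    return {tid: n for tid, n in counts.items() if n > threshold}


def find_service_tampering(calls):
    """Ordered (not necessarily adjacent) match of the SCM stop/delete chain on one thread."""
    hits = []
    for tid, seq in by_thread(calls).items():
        pos = 0
        for api, _ in seq:
            if api == SERVICE_CHAIN[pos]:
                pos += 1
                if pos == len(SERVICE_CHAIN):
                    hits.append(tid)
                    break
    return hits


# Constructed trace, not the report's data: one call per line, "tid api [arg]".
CONSTRUCTED_TRACE = "\n".join(
    [
        "7024 GetModuleFileNameW C:\\Users\\user\\Desktop\\sample.exe",
        "7024 CreateMutexW Global\\example-mutex",
        "7024 GetLastError 0",
        "7024 GetTokenInformation TokenElevation",
        "7024 OpenSCManagerW",
        "7024 EnumServicesStatusExW",
        "7024 OpenServiceW vss",
        "7024 ControlService SERVICE_CONTROL_STOP",
        "7024 DeleteService vss",
        "7024 CloseServiceHandle",
    ]
    + ["7024 Sleep 1"] * 40  # the evasive sleep loop
    + [
        "7024 CreateFileW C:\\Users\\user\\Documents\\report.docx",
        "7024 WriteFile",
        "7031 GetModuleFileNameW C:\\analysis\\sample.exe",  # second thread bails out
        "7031 CompareStringW",
        "7031 ExitProcess 0",
    ]
)


def analyze(text):
    calls = parse_trace(text)
    return {
        "exit_chains": find_exit_chains(calls),
        "sleep_loops": find_sleep_loops(calls),
        "service_tampering": find_service_tampering(calls),
    }


if __name__ == "__main__":
    for name, result in analyze(CONSTRUCTED_TRACE).items():
        print(f"{name}: {result}")
```

The `WORK_APIS` exclusion is what separates an evasive exit from an ordinary one: a process that writes files and then calls ExitProcess is finishing, not bailing out. Real traces need the same per-thread split, since the decision and the exit usually happen on one thread while worker threads keep enumerating files.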

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B58B3 rdtsc 0_2_009B58B3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5083 mov eax, dword ptr fs:[00000030h] 0_2_009B5083
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5408 mov ecx, dword ptr fs:[00000030h] 0_2_009B5408
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B494C HeapCreate,GetProcessHeap, 0_2_009B494C
Enables debug privileges
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Process token adjusted: Debug
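The rdtsc and fs:[30h] findings in this section (and the cpuid finding under Language, Device and Operating System Detection below) are instruction-level markers that can be located statically without running the sample. The scanner below is an added example, not code from this report or from the sandbox: it searches a 32-bit x86 code blob for the opcode encodings of rdtsc (0F 31), cpuid (0F A2) and `mov reg32, fs:[30h]` (64 A1 30 00 00 00 or 64 8B /r 30 00 00 00), and pairs nearby rdtsc instructions, which is the usual delta-timing debugger check. The code bytes and the 0x9B0000 base address are constructed for illustration and are not taken from the sample.

```python
"""Static scan for rdtsc / PEB-read / cpuid markers in 32-bit x86 code (added example)."""
import re

# Opcode patterns for 32-bit x86. Raw byte matching has no instruction-boundary
# awareness, so hits inside data or immediates are possible; treat them as leads.
PATTERNS = {
    "rdtsc": re.compile(rb"\x0f\x31"),
    "cpuid": re.compile(rb"\x0f\xa2"),
    # mov eax, fs:[30h] (64 A1 30 00 00 00) or mov r32, fs:[30h] (64 8B modrm 30 00 00 00),
    # modrm = mod 00, rm 101 (disp32), reg = any of the eight 32-bit registers.
    "peb_read": re.compile(
        rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"
    ),
}


def scan(blob, base_va=0):
    """Return sorted (virtual_address, marker) pairs for every pattern hit in blob."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(blob):
            hits.append((base_va + m.start(), name))
    return sorted(hits)


def timing_pairs(hits, max_gap=64):
    """Two rdtsc within max_gap bytes: the classic 'measure how long this took' check."""
    rd = [va for va, name in hits if name == "rdtsc"]
    return [(a, b) for a, b in zip(rd, rd[1:]) if b - a <= max_gap]


def summarize(blob, base_va=0):
    """Count per marker plus the timing pairs, in one dict for reporting."""
    hits = scan(blob, base_va)
    counts = {}
    for _, name in hits:
        counts[name] = counts.get(name, 0) + 1
    return {"hits": hits, "counts": counts, "timing_pairs": timing_pairs(hits)}


# Constructed function body (hand-assembled for this example, not bytes from the sample).
CONSTRUCTED_CODE = (
    b"\x55\x8b\xec"                  # push ebp; mov ebp, esp
    b"\x0f\x31"                      # rdtsc                (offset 3)
    b"\x8b\xd8"                      # mov ebx, eax
    b"\x0f\x31"                      # rdtsc                (offset 7)
    b"\x2b\xc3"                      # sub eax, ebx         -> elapsed cycles
    b"\x64\xa1\x30\x00\x00\x00"      # mov eax, fs:[30h]    (offset 11, PEB)
    b"\x8a\x40\x02"                  # mov al, [eax+2]      -> PEB.BeingDebugged
    b"\x64\x8b\x0d\x30\x00\x00\x00"  # mov ecx, fs:[30h]    (offset 20, PEB)
    b"\x0f\xa2"                      # cpuid                (offset 27)
    b"\x5d\xc3"                      # pop ebp; ret
)

if __name__ == "__main__":
    result = summarize(CONSTRUCTED_CODE, base_va=0x9B0000)
    for va, name in result["hits"]:
        print(f"{va:08X} {name}")
    print("timing pairs:", [(f"{a:08X}", f"{b:08X}") for a, b in result["timing_pairs"]])
```

To run this against a real binary, feed it the raw bytes of the executable section and that section's virtual address as `base_va` (for example via the third-party `pefile` module, which is an assumption here and not imported above); the addresses then line up with the 0_2_009Bxxxx function identifiers used in this report.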

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: OpenProcess,QueryFullProcessImageNameW,PathFindFileNameW, svchost.exe 0_2_009B4B05
Source: unsecapp.exe, 0000000E.00000002.616569697.00000176D6E90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: unsecapp.exe, 0000000E.00000002.616569697.00000176D6E90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: unsecapp.exe, 0000000E.00000002.616569697.00000176D6E90000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: unsecapp.exe, 0000000E.00000002.616569697.00000176D6E90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B4C25 cpuid 0_2_009B4C25
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Sample_5fba9b06c7da400016eb6275.exe Code function: 0_2_009B5126 GetUserNameW, 0_2_009B5126
No contacted IP information