Analysis Report Incaseformat

Overview

General Information

Sample Name: Incaseformat (renamed file extension from none to exe)
Analysis ID: 339452
MD5: 1ea8bea4055adc9edf91e03b0c80e68a
SHA1: 300b32ae0a70e86eecbccc2b850d783ded5a0f69
SHA256: 3c8c16428fe5b2d67ed59d543805e5ec63b3565f05305cbc193c961107e56f1d

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Incaseformat.exe Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\Mozilla\lvrslql.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Mozilla\nnekebf.dll Avira: detection malicious, Label: TR/ATRAPS.Gen4
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Mozilla\nnekebf.dll Virustotal: Detection: 76%
Source: C:\ProgramData\Mozilla\nnekebf.dll Metadefender: Detection: 52%
Source: C:\ProgramData\Mozilla\nnekebf.dll ReversingLabs: Detection: 84%
Multi AV Scanner detection for submitted file
Source: Incaseformat.exe Virustotal: Detection: 83%
Source: Incaseformat.exe ReversingLabs: Detection: 100%
Machine Learning detection for dropped file
Source: C:\ProgramData\Mozilla\lvrslql.exe Joe Sandbox ML: detected
Source: C:\ProgramData\Mozilla\nnekebf.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Incaseformat.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.Incaseformat.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.Incaseformat.exe.400000.0.unpack Avira: Label: TR/Gepys.aouma
Source: 1.2.lvrslql.exe.df0000.1.unpack Avira: Label: TR/Gepys.aouma
Source: 0.2.Incaseformat.exe.2150000.1.unpack Avira: Label: TR/Gepys.aouma
Source: 1.0.lvrslql.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.2.lvrslql.exe.400000.0.unpack Avira: Label: TR/Gepys.aouma

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Incaseformat.exe Unpacked PE file: 0.2.Incaseformat.exe.2150000.1.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Incaseformat.exe Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack
Source: C:\ProgramData\Mozilla\lvrslql.exe Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack
Uses 32bit PE files
Source: Incaseformat.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Incaseformat.exe, 00000000.00000002.216899225.00000000007BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: Incaseformat.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Incaseformat.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lvrslql.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nnekebf.dll.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.evad.winEXE@2/2@0/0
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_00401830 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,GetUserNameW,SysAllocString,CoUninitialize,CoUninitialize, 0_2_00401830
Source: Incaseformat.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Incaseformat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Incaseformat.exe Virustotal: Detection: 83%
Source: Incaseformat.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\Incaseformat.exe File read: C:\Users\user\Desktop\Incaseformat.exe
Source: unknown Process created: C:\Users\user\Desktop\Incaseformat.exe 'C:\Users\user\Desktop\Incaseformat.exe'
Source: unknown Process created: C:\ProgramData\Mozilla\lvrslql.exe C:\PROGRA~3\Mozilla\lvrslql.exe -ddeznal
Source: C:\Users\user\Desktop\Incaseformat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Incaseformat.exe Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\Mozilla\lvrslql.exe Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Incaseformat.exe Unpacked PE file: 0.2.Incaseformat.exe.2150000.1.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Incaseformat.exe Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack
Source: C:\ProgramData\Mozilla\lvrslql.exe Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_0040488B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0040488B
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_00403CB5 push ecx; ret 0_2_00403CC8
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_0040E03D push edi; ret 1_2_0040E048
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_0040F03F push ecx; iretd 1_2_0040F04C
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_0040D8DF pushad ; ret 1_2_0040D8E0
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_00403CB5 push ecx; ret 1_2_00403CC8
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_0040EA1F push ebp; retf 1_2_0040EA20
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_0040DAC9 push ecx; iretd 1_2_0040DACA
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_0040D2F0 push ebp; iretd 1_2_0040D2F2
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_0040BE88 push ecx; ret 1_2_0040BEE7
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_00DB8720 push edx; ret 1_2_00DB894D
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_00D919CE push edx; iretd 1_2_00D919F5
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_00D932C2 push FFFFFFDFh; ret 1_2_00D93307
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_00D93FE0 push ss; retn 0003h 1_2_00D93FEA
Source: initial sample Static PE information: section name: .text entropy: 7.66572568976
Source: initial sample Static PE information: section name: .text entropy: 7.66572568976
Source: initial sample Static PE information: section name: .text entropy: 7.08580926417

Persistence and Installation Behavior:

Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\Incaseformat.exe File written: C:\ProgramData\Mozilla\lvrslql.exe
Source: C:\ProgramData\Mozilla\lvrslql.exe File written: C:\ProgramData\Mozilla\nnekebf.dll
Drops PE files
Source: C:\ProgramData\Mozilla\lvrslql.exe File created: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\Users\user\Desktop\Incaseformat.exe File created: C:\ProgramData\Mozilla\lvrslql.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\ProgramData\Mozilla\lvrslql.exe File created: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\Users\user\Desktop\Incaseformat.exe File created: C:\ProgramData\Mozilla\lvrslql.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\ProgramData\Mozilla\lvrslql.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs
Source: C:\Users\user\Desktop\Incaseformat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\ProgramData\Mozilla\lvrslql.exe Dropped PE file which has not been started: C:\ProgramData\Mozilla\nnekebf.dll
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\Incaseformat.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\ProgramData\Mozilla\lvrslql.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040281C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_0040488B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0040488B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion, 0_2_004022D0
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040281C
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_0040432D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040432D
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040281C
Source: C:\ProgramData\Mozilla\lvrslql.exe Code function: 1_2_0040432D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040432D

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_00402179 GetTickCount,CreateFileW,WriteFile,CloseHandle,HeapFree,_memset,ShellExecuteExW,Sleep,DeleteFileW, 0_2_00402179
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion, 0_2_004022D0
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_00401830 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,GetUserNameW,SysAllocString,CoUninitialize,CoUninitialize, 0_2_00401830
Source: C:\Users\user\Desktop\Incaseformat.exe Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion, 0_2_004022D0
Source: C:\Users\user\Desktop\Incaseformat.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph
Behavior Graph ID: 339452, Sample: Incaseformat, Startdate: 14/01/2021, Architecture: WINDOWS, Score: 100. Processes started: Incaseformat.exe, lvrslql.exe. Files dropped: C:\ProgramData\Mozilla\lvrslql.exe (PE32, dropped by Incaseformat.exe), C:\ProgramData\Mozilla\nnekebf.dll (PE32, dropped by lvrslql.exe). Signatures shown on the graph: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Detected unpacking (creates a PE file in dynamic memory); Drops executable to a common third party application directory.
No contacted IP info