
Analysis Report Incaseformat

Overview

General Information

Sample Name: Incaseformat (renamed file extension from none to exe)
Analysis ID: 339452
MD5: 1ea8bea4055adc9edf91e03b0c80e68a
SHA1: 300b32ae0a70e86eecbccc2b850d783ded5a0f69
SHA256: 3c8c16428fe5b2d67ed59d543805e5ec63b3565f05305cbc193c961107e56f1d


Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Incaseformat.exe (PID: 3504 cmdline: 'C:\Users\user\Desktop\Incaseformat.exe' MD5: 1EA8BEA4055ADC9EDF91E03B0C80E68A)
  • lvrslql.exe (PID: 5264 cmdline: C:\PROGRA~3\Mozilla\lvrslql.exe -ddeznal MD5: 0174F8B5E7DD2E44B57EBBE3742B216F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Incaseformat.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\Mozilla\lvrslql.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Mozilla\nnekebf.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen4
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Mozilla\nnekebf.dll | Virustotal: Detection: 76%
Source: C:\ProgramData\Mozilla\nnekebf.dll | Metadefender: Detection: 52%
Source: C:\ProgramData\Mozilla\nnekebf.dll | ReversingLabs: Detection: 84%
Multi AV Scanner detection for submitted file
Source: Incaseformat.exe | Virustotal: Detection: 83%
Source: Incaseformat.exe | ReversingLabs: Detection: 100%
Machine Learning detection for dropped file
Source: C:\ProgramData\Mozilla\lvrslql.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\Mozilla\nnekebf.dll | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Incaseformat.exe | Joe Sandbox ML: detected
Source: 0.0.Incaseformat.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.Incaseformat.exe.400000.0.unpack | Avira: Label: TR/Gepys.aouma
Source: 1.2.lvrslql.exe.df0000.1.unpack | Avira: Label: TR/Gepys.aouma
Source: 0.2.Incaseformat.exe.2150000.1.unpack | Avira: Label: TR/Gepys.aouma
Source: 1.0.lvrslql.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.lvrslql.exe.400000.0.unpack | Avira: Label: TR/Gepys.aouma

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Incaseformat.exe | Unpacked PE file: 0.2.Incaseformat.exe.2150000.1.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Incaseformat.exe | Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack
Source: C:\ProgramData\Mozilla\lvrslql.exe | Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack
Source: Incaseformat.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: Incaseformat.exe, 00000000.00000002.216899225.00000000007BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Incaseformat.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Incaseformat.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lvrslql.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nnekebf.dll.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.evad.winEXE@2/2@0/0
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_00401830 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,GetUserNameW,SysAllocString,CoUninitialize,CoUninitialize, 0_2_00401830
Source: Incaseformat.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Incaseformat.exe | Virustotal: Detection: 83%
Source: Incaseformat.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\Incaseformat.exe | File read: C:\Users\user\Desktop\Incaseformat.exe
Source: unknown | Process created: C:\Users\user\Desktop\Incaseformat.exe 'C:\Users\user\Desktop\Incaseformat.exe'
Source: unknown | Process created: C:\ProgramData\Mozilla\lvrslql.exe C:\PROGRA~3\Mozilla\lvrslql.exe -ddeznal
Source: C:\Users\user\Desktop\Incaseformat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Incaseformat.exe | Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\Mozilla\lvrslql.exe | Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Incaseformat.exe | Unpacked PE file: 0.2.Incaseformat.exe.2150000.1.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Incaseformat.exe | Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack
Source: C:\ProgramData\Mozilla\lvrslql.exe | Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_0040488B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0040488B
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_00403CB5 push ecx; ret 0_2_00403CC8
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040E03D push edi; ret 1_2_0040E048
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040F03F push ecx; iretd 1_2_0040F04C
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040D8DF pushad ; ret 1_2_0040D8E0
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_00403CB5 push ecx; ret 1_2_00403CC8
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040EA1F push ebp; retf 1_2_0040EA20
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040DAC9 push ecx; iretd 1_2_0040DACA
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040D2F0 push ebp; iretd 1_2_0040D2F2
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040BE88 push ecx; ret 1_2_0040BEE7
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_00DB8720 push edx; ret 1_2_00DB894D
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_00D919CE push edx; iretd 1_2_00D919F5
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_00D932C2 push FFFFFFDFh; ret 1_2_00D93307
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_00D93FE0 push ss; retn 0003h 1_2_00D93FEA
Source: initial sample | Static PE information: section name: .text entropy: 7.66572568976
Source: initial sample | Static PE information: section name: .text entropy: 7.66572568976
Source: initial sample | Static PE information: section name: .text entropy: 7.08580926417

Persistence and Installation Behavior:

Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\Incaseformat.exe | File written: C:\ProgramData\Mozilla\lvrslql.exe
Source: C:\ProgramData\Mozilla\lvrslql.exe | File written: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\ProgramData\Mozilla\lvrslql.exe | File created: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\Users\user\Desktop\Incaseformat.exe | File created: C:\ProgramData\Mozilla\lvrslql.exe
Source: C:\ProgramData\Mozilla\lvrslql.exe | File created: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\Users\user\Desktop\Incaseformat.exe | File created: C:\ProgramData\Mozilla\lvrslql.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\ProgramData\Mozilla\lvrslql.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs
Source: C:\Users\user\Desktop\Incaseformat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe | Dropped PE file which has not been started: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\Users\user\Desktop\Incaseformat.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-3015
Source: C:\ProgramData\Mozilla\lvrslql.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_1-5085
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040281C
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_0040488B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0040488B
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion, 0_2_004022D0
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040281C
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_0040432D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040432D
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040281C
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040432D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040432D
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_00402179 GetTickCount,CreateFileW,WriteFile,CloseHandle,HeapFree,_memset,ShellExecuteExW,Sleep,DeleteFileW, 0_2_00402179
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion, 0_2_004022D0
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_00401830 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,GetUserNameW,SysAllocString,CoUninitialize,CoUninitialize, 0_2_00401830
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion, 0_2_004022D0
Source: C:\Users\user\Desktop\Incaseformat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Exploitation for Privilege Escalation 1 | Masquerading 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 2 | Registry Run Keys / Startup Folder 1 | Process Injection 1 | Process Injection 1 | LSASS Memory | Security Software Discovery 12 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job 1 | Obfuscated Files or Information 2 | Security Account Manager | Account Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | Software Packing 33 | NTDS | System Owner/User Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 4 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots
