Analysis Report Incaseformat

Overview

General Information

Sample Name: Incaseformat (renamed file extension from none to exe)
Analysis ID: 339452
MD5: 1ea8bea4055adc9edf91e03b0c80e68a
SHA1: 300b32ae0a70e86eecbccc2b850d783ded5a0f69
SHA256: 3c8c16428fe5b2d67ed59d543805e5ec63b3565f05305cbc193c961107e56f1d

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Incaseformat.exe (PID: 3504 cmdline: 'C:\Users\user\Desktop\Incaseformat.exe' MD5: 1EA8BEA4055ADC9EDF91E03B0C80E68A)
  • lvrslql.exe (PID: 5264 cmdline: C:\PROGRA~3\Mozilla\lvrslql.exe -ddeznal MD5: 0174F8B5E7DD2E44B57EBBE3742B216F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Incaseformat.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\ProgramData\Mozilla\lvrslql.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Mozilla\nnekebf.dll | Avira: detection malicious, Label: TR/ATRAPS.Gen4
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\Mozilla\nnekebf.dll | Virustotal: Detection: 76%
Source: C:\ProgramData\Mozilla\nnekebf.dll | Metadefender: Detection: 52%
Source: C:\ProgramData\Mozilla\nnekebf.dll | ReversingLabs: Detection: 84%
Multi AV Scanner detection for submitted file
Source: Incaseformat.exe | Virustotal: Detection: 83%
Source: Incaseformat.exe | ReversingLabs: Detection: 100%
Machine Learning detection for dropped file
Source: C:\ProgramData\Mozilla\lvrslql.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\Mozilla\nnekebf.dll | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Incaseformat.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.Incaseformat.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.Incaseformat.exe.400000.0.unpack | Avira: Label: TR/Gepys.aouma
Source: 1.2.lvrslql.exe.df0000.1.unpack | Avira: Label: TR/Gepys.aouma
Source: 0.2.Incaseformat.exe.2150000.1.unpack | Avira: Label: TR/Gepys.aouma
Source: 1.0.lvrslql.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.lvrslql.exe.400000.0.unpack | Avira: Label: TR/Gepys.aouma

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Incaseformat.exe | Unpacked PE file: 0.2.Incaseformat.exe.2150000.1.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Incaseformat.exe | Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack
Source: C:\ProgramData\Mozilla\lvrslql.exe | Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack
Source: Incaseformat.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Creates COM task schedule object (often to register a task for autostart)
The CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD} in the lookups below is CLSID_TaskScheduler, the Task Scheduler 2.0 service class. The TreatAs / InprocServer32 / InprocHandler / LocalServer32 / Elevation reads, tried first under the per-user Classes hive (shown here as HKEY_CURRENT_USER_Classes) and then under HKEY_LOCAL_MACHINE, are the normal COM activation sequence triggered by the CoCreateInstance call listed further down.
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: Incaseformat.exe, 00000000.00000002.216899225.00000000007BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Incaseformat.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Incaseformat.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lvrslql.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nnekebf.dll.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.evad.winEXE@2/2@0/0
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_00401830 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,GetUserNameW,SysAllocString,CoUninitialize,CoUninitialize,
Source: Incaseformat.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Incaseformat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Incaseformat.exe | Virustotal: Detection: 83%
Source: Incaseformat.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\Incaseformat.exe | File read: C:\Users\user\Desktop\Incaseformat.exe
Source: unknown | Process created: C:\Users\user\Desktop\Incaseformat.exe 'C:\Users\user\Desktop\Incaseformat.exe'
Source: unknown | Process created: C:\ProgramData\Mozilla\lvrslql.exe C:\PROGRA~3\Mozilla\lvrslql.exe -ddeznal
Source: C:\Users\user\Desktop\Incaseformat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Incaseformat.exe | Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\Mozilla\lvrslql.exe | Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Incaseformat.exe | Unpacked PE file: 0.2.Incaseformat.exe.2150000.1.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Incaseformat.exe | Unpacked PE file: 0.2.Incaseformat.exe.400000.0.unpack
Source: C:\ProgramData\Mozilla\lvrslql.exe | Unpacked PE file: 1.2.lvrslql.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_0040488B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_00403CB5 push ecx; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040E03D push edi; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040F03F push ecx; iretd
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040D8DF pushad ; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_00403CB5 push ecx; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040EA1F push ebp; retf
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040DAC9 push ecx; iretd
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040D2F0 push ebp; iretd
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040BE88 push ecx; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_00DB8720 push edx; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_00D919CE push edx; iretd
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_00D932C2 push FFFFFFDFh; ret
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_00D93FE0 push ss; retn 0003h
Source: initial sample | Static PE information: section name: .text entropy: 7.66572568976
Source: initial sample | Static PE information: section name: .text entropy: 7.66572568976
Source: initial sample | Static PE information: section name: .text entropy: 7.08580926417
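The two static indicators in this section, the per-section rights string (".text:ER;.rdata:R;...") and the .text entropy of 7.67, are cheap to reproduce outside the sandbox. The following is an added example, not part of the Joe Sandbox report or the sample's code: it parses the section table of a 32-bit PE, renders rights in the report's E/R/W notation, computes Shannon entropy per section and reports the usual packing heuristics (high-entropy executable section, writable+executable section, RELOCS_STRIPPED without a .reloc section). The PE it runs on is assembled in the block itself as constructed test data; it is not loadable, only parseable. Feed it a real file with `parse_pe(open(path, "rb").read())`.

```python
"""Added example: PE section rights and entropy as packing indicators."""
import math
import struct
from collections import Counter

# Section characteristic flags and COFF file characteristics (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def rights(flags: int) -> str:
    """Rights string in the report's notation, e.g. 'ER' for execute+read."""
    bits = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(ch for bit, ch in bits if flags & bit)


def parse_pe(pe: bytes):
    """Return (file characteristics, [section dicts]) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        name, _, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rights": rights(flags), "entropy": shannon_entropy(data)})
    return characteristics, sections


def rights_summary(sections) -> str:
    """Same form the report prints: '.text:ER;.rdata:R;.data:W;.rsrc:R;'."""
    return "".join(f"{s['name']}:{s['rights']};" for s in sections)


def packing_indicators(pe: bytes, threshold: float = 7.0):
    """Heuristics worth surfacing in triage for a suspected packed sample."""
    characteristics, sections = parse_pe(pe)
    findings = []
    for s in sections:
        if "E" in s["rights"] and s["entropy"] > threshold:
            findings.append(f"executable section {s['name']} entropy {s['entropy']:.2f} > {threshold}")
        if "E" in s["rights"] and "W" in s["rights"]:
            findings.append(f"section {s['name']} is writable and executable")
    if characteristics & IMAGE_FILE_RELOCS_STRIPPED and not any(s["name"] == ".reloc" for s in sections):
        findings.append("RELOCS_STRIPPED and no .reloc section: image cannot be relocated (no ASLR)")
    return findings


def build_test_pe(sections) -> bytes:
    """Assemble a minimal 32-bit PE (headers + raw sections) for offline testing. Constructed data."""
    e_lfanew, opt_size = 0x40, 224  # 224 = sizeof(IMAGE_OPTIONAL_HEADER32)
    header_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (header_end + 0x1FF) & ~0x1FF  # 512-byte file alignment
    body, table = b"", b""
    for name, flags, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_base + len(body), 0, 0, 0, 0, flags)
        body += data
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_RELOCS_STRIPPED)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest unused here
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_base, b"\0") + body


# Constructed sample: a .text section whose bytes are uniformly distributed (what a
# packed/encrypted code section looks like), a constant-filled .rdata and a zeroed .data.
SAMPLE_PE = build_test_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, bytes(range(256)) * 16),
    (b".rdata", IMAGE_SCN_MEM_READ, b"const\0" * 100),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\0" * 1024),
])

if __name__ == "__main__":
    _, secs = parse_pe(SAMPLE_PE)
    print(rights_summary(secs))
    for s in secs:
        print(f"{s['name']:8s} {s['rights']:3s} entropy={s['entropy']:.2f}")
    print(packing_indicators(SAMPLE_PE))
```

A real compiler-emitted .text section typically sits well below the 7.0 bit threshold; values near 7.7 as in this report are what packed or encrypted code looks like, and the missing .reloc in the unpacked image is consistent with the RELOCS_STRIPPED flag in the static information above.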

Persistence and Installation Behavior:

Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\Incaseformat.exe | File written: C:\ProgramData\Mozilla\lvrslql.exe
Source: C:\ProgramData\Mozilla\lvrslql.exe | File written: C:\ProgramData\Mozilla\nnekebf.dll
Drops PE files
Source: C:\ProgramData\Mozilla\lvrslql.exe | File created: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\Users\user\Desktop\Incaseformat.exe | File created: C:\ProgramData\Mozilla\lvrslql.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\ProgramData\Mozilla\lvrslql.exe | File created: C:\ProgramData\Mozilla\nnekebf.dll
Source: C:\Users\user\Desktop\Incaseformat.exe | File created: C:\ProgramData\Mozilla\lvrslql.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\ProgramData\Mozilla\lvrslql.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows, value AppInit_DLLs
Source: C:\Users\user\Desktop\Incaseformat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Mozilla\lvrslql.exe | Process information set: NOOPENFILEERRORBOX
Found dropped PE file which has not been started or loaded
Source: C:\ProgramData\Mozilla\lvrslql.exe | Dropped PE file which has not been started: C:\ProgramData\Mozilla\nnekebf.dll
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\Incaseformat.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\ProgramData\Mozilla\lvrslql.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_0040488B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion,
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_0040432D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040281C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\ProgramData\Mozilla\lvrslql.exe | Code function: 1_2_0040432D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_00402179 GetTickCount,CreateFileW,WriteFile,CloseHandle,HeapFree,_memset,ShellExecuteExW,Sleep,DeleteFileW,
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion,
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_00401830 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,GetUserNameW,SysAllocString,CoUninitialize,CoUninitialize,
Source: C:\Users\user\Desktop\Incaseformat.exe | Code function: 0_2_004022D0 GetProcessHeap,GetTickCount,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,CreateDirectoryW,GetShortPathNameW,RegOpenKeyExW,_memset,RegQueryValueExW,RegCloseKey,GetCommandLineW,GetVersion,
Source: C:\Users\user\Desktop\Incaseformat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
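The persistence and drop behaviour recorded above (PE files written under C:\ProgramData\Mozilla, a second process started from the 8.3 short path C:\PROGRA~3\Mozilla\lvrslql.exe, and an AppInit_DLLs value set under the WOW6432Node view of Windows NT\CurrentVersion\Windows) is a good fit for endpoint telemetry rules. The block below is an added example, not part of the report: a small rule set run over constructed Sysmon-style events (real Sysmon event IDs and field names, invented event contents modelled on this run). It folds the WOW6432Node key path onto the native one so a single rule covers both views, and it expands the short name C:\PROGRA~3 to C:\ProgramData, which is the mapping this report's own process list shows but is an assumption in general, since 8.3 names depend on the order in which directories were created. One caveat for the AppInit_DLLs write: on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled, so the value may never load nnekebf.dll, which is consistent with the "dropped PE file which has not been started" finding; the write itself is still a high-confidence indicator.

```python
"""Added example: triage rules for the AppInit_DLLs / ProgramData drop behaviour."""
import re

# Sysmon event IDs (real); the events below are constructed for this example.
PROCESS_CREATE, FILE_CREATE, REGISTRY_SET_VALUE = 1, 11, 13

# 8.3 short names taken from this report's process list. Assumption: the mapping
# is not fixed across machines, so extend or verify it per environment.
SHORT_NAMES = {r"C:\PROGRA~3": r"C:\ProgramData"}

# Both the DLL list and the master switch live under ...\Windows NT\CurrentVersion\Windows.
APPINIT_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\(AppInit_DLLs|LoadAppInit_DLLs)$", re.I)


def normalize_path(path: str) -> str:
    """Expand known 8.3 short prefixes so path rules see one canonical form."""
    for short, full in SHORT_NAMES.items():
        if path.upper().startswith(short.upper()):
            path = full + path[len(short):]
    return path


def normalize_key(key: str) -> str:
    """Fold the 32-bit redirected registry view onto the native key path."""
    return re.sub(r"\\WOW6432Node\\", "\\\\", key, flags=re.I)


def under_programdata(path: str) -> bool:
    return normalize_path(path).lower().startswith("c:\\programdata\\")


def triage(events):
    """Return (rule, actor, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == REGISTRY_SET_VALUE and APPINIT_RE.search(normalize_key(ev["TargetObject"])):
            alerts.append(("appinit_dlls_persistence", ev["Image"], ev["TargetObject"]))
        elif eid == FILE_CREATE and ev["TargetFilename"].lower().endswith((".exe", ".dll")) \
                and under_programdata(ev["TargetFilename"]):
            alerts.append(("pe_dropped_in_programdata", ev["Image"], ev["TargetFilename"]))
        elif eid == PROCESS_CREATE and under_programdata(ev["Image"]):
            alerts.append(("process_from_programdata", normalize_path(ev["Image"]), ev["CommandLine"]))
    return alerts


# Constructed events following the sequence in this report, plus two benign ones
# that must not fire (a cache file in ProgramData, an unrelated value in the same key).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Desktop\Incaseformat.exe",
     "CommandLine": r"C:\Users\user\Desktop\Incaseformat.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\Incaseformat.exe",
     "TargetFilename": r"C:\ProgramData\Mozilla\lvrslql.exe"},
    {"EventID": 1, "Image": r"C:\PROGRA~3\Mozilla\lvrslql.exe",
     "CommandLine": r"C:\PROGRA~3\Mozilla\lvrslql.exe -ddeznal"},
    {"EventID": 11, "Image": r"C:\ProgramData\Mozilla\lvrslql.exe",
     "TargetFilename": r"C:\ProgramData\Mozilla\nnekebf.dll"},
    {"EventID": 13, "Image": r"C:\ProgramData\Mozilla\lvrslql.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\ProgramData\Mozilla\nnekebf.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Caches\cache.db"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout",
     "Details": "15"},
]

if __name__ == "__main__":
    for rule, actor, detail in triage(EVENTS):
        print(f"{rule:28s} {actor} -> {detail}")
```

The process rule is deliberately broad (anything executing from C:\ProgramData); in production it would be scoped with a parent-process or signer condition, but chained with the file-drop rule on the same path it already reproduces the Incaseformat.exe -> lvrslql.exe -> nnekebf.dll sequence from a single host's event stream.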

Mitre Att&ck Matrix

Numbers in parentheses are the report's per-technique match counts, reproduced as exported; cells without a count are the empty matrix template.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| Valid Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Exploitation for Privilege Escalation (1) | Masquerading (1) | Input Capture (1) | System Time Discovery (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Native API (2) | Registry Run Keys / Startup Folder (1) | Process Injection (1) | Process Injection (1) | LSASS Memory | Security Software Discovery (12) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job (1) | Obfuscated Files or Information (2) | Security Account Manager | Account Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder (1) | Software Packing (33) | NTDS | System Owner/User Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery (4) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |

Behavior Graph

(Interactive behavior graph not included in this export.)

Screenshots

(Screenshot thumbnails not included in this export.)