
Analysis Report 4AtUJN8Hdu.exe

Overview

General Information

Sample Name: 4AtUJN8Hdu.exe
Analysis ID: 356514
MD5: d7e81abce9332847471b89e50b241172
SHA1: a6455d3a4fb9c2e5627dcbf46702a4e16c2492da
SHA256: 6141efb6f1598e2205806c5a788e61c489440dfc942984ee1688bb68ad0f18df
Tags: exe, GuLoader


Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • 4AtUJN8Hdu.exe (PID: 6356 cmdline: 'C:\Users\user\Desktop\4AtUJN8Hdu.exe' MD5: D7E81ABCE9332847471B89E50B241172)
    • 4AtUJN8Hdu.exe (PID: 6564 cmdline: 'C:\Users\user\Desktop\4AtUJN8Hdu.exe' MD5: D7E81ABCE9332847471B89E50B241172)
      • wscript.exe (PID: 984 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • cmd.exe (PID: 5476 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • win.exe (PID: 6748 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: D7E81ABCE9332847471B89E50B241172)
  • win.exe (PID: 6904 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: D7E81ABCE9332847471B89E50B241172)
  • win.exe (PID: 7148 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: D7E81ABCE9332847471B89E50B241172)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: 4AtUJN8Hdu.exe PID: 6564 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: 4AtUJN8Hdu.exe PID: 6564 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: mtspsmjeli.sch.id | Virustotal: Detection: 12%
Source: http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin | Virustotal: Detection: 15%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\win.exe | Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Roaming\win.exe | ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: 4AtUJN8Hdu.exe | Virustotal: Detection: 35%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\win.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4AtUJN8Hdu.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 4AtUJN8Hdu.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Joe Sandbox View | IP Address: 103.150.60.242
Source: Joe Sandbox View | ASN Name: PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID
Source: global traffic | HTTP traffic detected: GET /cl/VK_Remcos%20v2_AxaGIU151.bin HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko; Host: mtspsmjeli.sch.id; Cache-Control: no-cache (2 occurrences)
Source: unknown | DNS traffic detected: queries for: mtspsmjeli.sch.id
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: http://mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
Source: win.exe, 0000001E.00000002.753745838.000000000067A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566C80 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566766 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056631A NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560534 EnumWindows, NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566E75 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056061B NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005606D3 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560EDD NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566EDB NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005668F5 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566CE5 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056069F NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566C99 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566EA3 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560743 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566D6A NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560F68 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005605DE NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566DD9 NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005659CD NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560DBD NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560FA1 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00566DAB NtSetInformationThread
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 0_2_00402BF9
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00564B29
Source: 4AtUJN8Hdu.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win.exe.26.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4AtUJN8Hdu.exe, 00000000.00000000.227272150.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 00000000.00000002.686046598.00000000021F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712764051.000000001E020000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712764051.000000001E020000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712402397.000000001DC50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.712447968.000000001DF20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe, 0000001A.00000000.684091283.0000000000418000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe | Binary or memory string: OriginalFilenameRidgepieceudtrreu.exe vs 4AtUJN8Hdu.exe
Source: 4AtUJN8Hdu.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/3@1/1
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File created: C:\Users\user\AppData\Roaming\win.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_01
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-K77NUC
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File created: C:\Users\user\AppData\Local\Temp\~DFCACFC5B555D77E93.TMP
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: 4AtUJN8Hdu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\win.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (3 occurrences)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: 4AtUJN8Hdu.exe | Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File read: C:\Users\user\Desktop\4AtUJN8Hdu.exe
Source: unknown | Process created: C:\Users\user\Desktop\4AtUJN8Hdu.exe 'C:\Users\user\Desktop\4AtUJN8Hdu.exe' (2 occurrences)
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe' (2 occurrences)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: 4AtUJN8Hdu.exe PID: 6564, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: 4AtUJN8Hdu.exe PID: 6564, type: MEMORY
Source: 4AtUJN8Hdu.exe | Static PE information: real checksum: 0x27364 should be: 0x25d86
Source: win.exe.26.dr | Static PE information: real checksum: 0x27364 should be: 0x25d86
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 0_2_0040546F push edx; iretd (0_2_00405471)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 0_2_00404889 push ds; retf (0_2_0040488A)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 0_2_0040769A push esp; iretd (0_2_0040769B)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File created: C:\Users\user\AppData\Roaming\win.exe (dropped file)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win (2 occurrences)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Process information set: NOOPENFILEERRORBOX (27 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Roaming\win.exe | Process information set: NOOPENFILEERRORBOX (15 occurrences)

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE`
Source: 4AtUJN8Hdu.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\SysWOW64\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560A8C rdtsc
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: 4AtUJN8Hdu.exe, 0000001A.00000002.708760652.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe`
Source: 4AtUJN8Hdu.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056631A NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00400000,?,00000000
Hides threads from debuggers
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Thread information set: HideFromDebugger (2 occurrences)
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560A8C rdtsc
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00563623 LdrInitializeThunk
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056229F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056631A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00561AD5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005662DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005654F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_005622AB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00564D4A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_0056632D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00562FEA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00565582 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp; win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp; win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp; win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp; win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp; win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp; win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp; win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp; win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: win.exe, 0000001E.00000002.754244336.0000000000C40000.00000002.00000001.sdmp; win.exe, 0000001F.00000002.754158603.0000000000C30000.00000002.00000001.sdmp; win.exe, 00000020.00000002.753790785.0000000000C60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\4AtUJN8Hdu.exe | Code function: 26_2_00560ABC cpuid
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

The matrix is listed here by tactic column. Techniques carrying a trailing number are the ones the report flagged for this sample; the digits are the report's count badges, kept exactly as extracted.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Scripting11, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
Persistence: Registry Run Keys / Startup Folder1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Privilege Escalation: Process Injection12, Registry Run Keys / Startup Folder1, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Defense Evasion: Masquerading1, Virtualization/Sandbox Evasion22, Process Injection12, Scripting11, Obfuscated Files or Information1, Steganography, Compile After Delivery
Credential Access: Input Capture1, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Query Registry1, Security Software Discovery531, Virtualization/Sandbox Evasion22, Process Discovery1, Remote System Discovery1, File and Directory Discovery1, System Information Discovery22
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Input Capture1, Archive Collected Data1, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel1, Ingress Tool Transfer1, Non-Application Layer Protocol2, Application Layer Protocol12, Fallback Channels, Multiband Communication, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Behavior Graph

[Behavior graph image not reproduced in this extraction; only the interactive legend widget survived and has been dropped.]