Analysis Report MPO-003234.exe

Overview

General Information

Sample Name: MPO-003234.exe
Analysis ID: 356523
MD5: 8bc8526fbaafbac33118ee652ac97da6
SHA1: 7b23c7209b8f37bb32803971c36ab706b4a8e34d
SHA256: cfe1f69c2984de3f5d476db3ce45aa4d95a8137f0ff1ba07c1b0cecf15075c93
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\badman.exe ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: MPO-003234.exe Virustotal: Detection: 24%
Source: MPO-003234.exe ReversingLabs: Detection: 19%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\badman.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MPO-003234.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 25.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: MPO-003234.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: MPO-003234.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000002.493071070.00000000006E2000.00000002.00020000.sdmp, zUbDt.exe.25.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, zUbDt.exe.25.dr
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426779004.00000000009D7000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: MPO-003234.exe, 00000000.00000003.238538980.0000000009BE4000.00000004.00000001.sdmp String found in binary or memory: http://ns.adb
Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1p
Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp, badman.exe, 00000010.00000003.347728528.0000000009035000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: badman.exe, 00000010.00000003.422941176.000000000903D000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g%%
Source: badman.exe, 00000010.00000003.347207533.0000000009035000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g5~
Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/gp
Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobjp
Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426779004.00000000009D7000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: MPO-003234.exe, 00000000.00000002.331426011.0000000003102000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427101971.00000000024E2000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp String found in binary or memory: http://wqDPxI.com
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: MPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, InstallUtil.exe, 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: badman.exe, 00000010.00000002.426259290.00000000008F8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: MPO-003234.exe, c3R/Xn4.cs Large array initialization: .cctor: array initializer size 10710
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C2E0C CreateProcessAsUserW, 16_2_062C2E0C
Detected potential crypto function
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_00CA366F 0_2_00CA366F
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_014ACD20 0_2_014ACD20
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_014AFCE0 0_2_014AFCE0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_000C366F 16_2_000C366F
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_0088FCE0 16_2_0088FCE0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD75B0 16_2_05FD75B0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD34F8 16_2_05FD34F8
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD5470 16_2_05FD5470
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FDF748 16_2_05FDF748
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD6730 16_2_05FD6730
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FDE648 16_2_05FDE648
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FDC610 16_2_05FDC610
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD5CE0 16_2_05FD5CE0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FDDE60 16_2_05FDDE60
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD7566 16_2_05FD7566
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD44F0 16_2_05FD44F0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD34E8 16_2_05FD34E8
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD44E0 16_2_05FD44E0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD84D8 16_2_05FD84D8
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD74DB 16_2_05FD74DB
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD84CA 16_2_05FD84CA
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD5461 16_2_05FD5461
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD9730 16_2_05FD9730
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD6720 16_2_05FD6720
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD9720 16_2_05FD9720
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FDD658 16_2_05FDD658
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD61E0 16_2_05FD61E0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD61D2 16_2_05FD61D2
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD9090 16_2_05FD9090
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD9080 16_2_05FD9080
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD9DC8 16_2_05FD9DC8
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD9DB9 16_2_05FD9DB9
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD5CD0 16_2_05FD5CD0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FDE9F8 16_2_05FDE9F8
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD9968 16_2_05FD9968
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD9958 16_2_05FD9958
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FDC8C0 16_2_05FDC8C0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD9BE0 16_2_05FD9BE0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD9BD0 16_2_05FD9BD0
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C2218 16_2_062C2218
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C7268 16_2_062C7268
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C3377 16_2_062C3377
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C6B47 16_2_062C6B47
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C0C78 16_2_062C0C78
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C5087 16_2_062C5087
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C90DF 16_2_062C90DF
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062CB970 16_2_062CB970
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C3D5F 16_2_062C3D5F
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C2210 16_2_062C2210
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C9B68 16_2_062C9B68
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C0B4F 16_2_062C0B4F
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C0BA9 16_2_062C0BA9
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_006E20B0 25_2_006E20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04E446A0 25_2_04E446A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04E445B0 25_2_04E445B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04E4D270 25_2_04E4D270
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_05DB6508 25_2_05DB6508
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_05DB7120 25_2_05DB7120
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_05DB90D8 25_2_05DB90D8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_05DB6850 25_2_05DB6850
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Sample file is different than original file name gathered from version info
Source: MPO-003234.exe Binary or memory string: OriginalFilename vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000000.227384578.0000000000D65000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameRaj.exeH vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.341301388.0000000006E50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.336807432.00000000050F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamerqKssByvppSbVMHQvZHbRwnFF.exe4 vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.341162327.0000000006B30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.336933467.0000000005150000.00000002.00000001.sdmp Binary or memory string: originalfilename vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.336933467.0000000005150000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs MPO-003234.exe
Source: MPO-003234.exe Binary or memory string: OriginalFilenameRaj.exeH vs MPO-003234.exe
Uses 32bit PE files
Source: MPO-003234.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/6@0/1
Source: C:\Users\user\Desktop\MPO-003234.exe File created: C:\Users\user\AppData\Roaming\badman.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
Source: C:\Users\user\Desktop\MPO-003234.exe File created: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: MPO-003234.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MPO-003234.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\badman.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MPO-003234.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MPO-003234.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MPO-003234.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\badman.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: MPO-003234.exe Virustotal: Detection: 24%
Source: MPO-003234.exe ReversingLabs: Detection: 19%
Source: MPO-003234.exe String found in binary or memory: icons8-add-48
Source: MPO-003234.exe String found in binary or memory: icons8-add-administrator-50
Source: MPO-003234.exe String found in binary or memory: icons8-add-24
Source: MPO-003234.exe String found in binary or memory: icons8-add-32
Source: badman.exe String found in binary or memory: icons8-add-24
Source: badman.exe String found in binary or memory: icons8-add-32
Source: badman.exe String found in binary or memory: icons8-add-48
Source: badman.exe String found in binary or memory: icons8-add-administrator-50
Source: MPO-003234.exe String found in binary or memory: icons8-add-24
Source: MPO-003234.exe String found in binary or memory: icons8-add-32[
Source: MPO-003234.exe String found in binary or memory: icons8-add-48
Source: MPO-003234.exe String found in binary or memory: 6icons8-add-administrator-50
Source: C:\Users\user\Desktop\MPO-003234.exe File read: C:\Users\user\Desktop\MPO-003234.exe
Source: unknown Process created: C:\Users\user\Desktop\MPO-003234.exe 'C:\Users\user\Desktop\MPO-003234.exe'
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\MPO-003234.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\Desktop\MPO-003234.exe Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\AppData\Roaming\badman.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\MPO-003234.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\MPO-003234.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: MPO-003234.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MPO-003234.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_00CA55FE push FFFFFFD7h; ret 0_2_00CA5608
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_00CA558A push FFFFFFD7h; ret 0_2_00CA5578
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_00CA5560 push FFFFFFD7h; ret 0_2_00CA5578
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_00CA4112 push edx; ret 0_2_00CA4113
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_00CA4122 push esi; ret 0_2_00CA4123
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_00CA4AE9 push ebp; retf 0_2_00CA4AEA
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_00CA3294 push eax; retf 0_2_00CA3295
Source: C:\Users\user\Desktop\MPO-003234.exe Code function: 0_2_00CA3204 push cs; iretd 0_2_00CA3205
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_000C4112 push edx; ret 16_2_000C4113
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_000C4122 push esi; ret 16_2_000C4123
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_000C5560 push FFFFFFD7h; ret 16_2_000C5578
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_000C558A push FFFFFFD7h; ret 16_2_000C5578
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_000C55FE push FFFFFFD7h; ret 16_2_000C5608
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_000C3204 push cs; iretd 16_2_000C3205
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_000C3294 push eax; retf 16_2_000C3295
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_000C4AE9 push ebp; retf 16_2_000C4AEA
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FDA0C4 push ecx; iretd 16_2_05FDA0C6
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_05FD3E22 push ecx; ret 16_2_05FD3E26
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C2E58 pushfd ; retf 16_2_062C2E61
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062CD2F2 push ebp; retf 16_2_062CD2FE
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C2F35 push eax; retf 16_2_062C2F3A
Source: C:\Users\user\AppData\Roaming\badman.exe Code function: 16_2_062C9B58 pushad ; retf 16_2_062C9B65
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_04E4B537 push 6C00005Eh; retf 25_2_04E4B551
Source: MPO-003234.exe, Ed8/Hb5.cs High entropy of concatenated method names: '.ctor', 'a3S', 'Lq4', 't3R', 'Qw5', 'k1P', 'Fb7', 'Me5', 'Tz6', 'a4K'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\MPO-003234.exe File created: C:\Users\user\AppData\Roaming\badman.exe
Source: C:\Users\user\Desktop\MPO-003234.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe

Boot Survival:

Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDt
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neil
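The two Run values above are the sample's boot survival: the first (neil) is written through the cmd.exe -> reg.exe chain recorded under "Uses reg.exe to modify the Windows registry", the second (zUbDt) by InstallUtil.exe directly. The following Python is an added example, not part of the Joe Sandbox report or the sample's code. It parses process-creation command lines such as the ones recorded in this report, extracts reg add writes to Run/RunOnce keys, and rates a finding higher when the autostart target lives in a user-writable path such as AppData. The sample lines are constructed: the first two mirror this report's command lines (the sandbox renders the original double quotes as single quotes, so the tokenizer accepts both), the HKLM vendor entry is invented for contrast, and the conhost line is noise.

```python
"""Flag reg.exe writes to autostart (Run/RunOnce) keys in process-creation logs."""
import re
from typing import Optional

# Constructed sample command lines (see lead-in): two mirror this report, two do not.
SAMPLE_COMMAND_LINES = [
    "'cmd.exe' /c REG ADD 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "/f /v 'neil' /t REG_SZ /d 'C:\\Users\\user\\AppData\\Roaming\\badman.exe'",
    "REG ADD 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "/f /v 'neil' /t REG_SZ /d 'C:\\Users\\user\\AppData\\Roaming\\badman.exe'",
    'reg.exe add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
    '/v Updater /t REG_SZ /d "C:\\Program Files\\Vendor\\updater.exe"',   # invented
    "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
]

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}
# Matches ...\Microsoft\Windows\CurrentVersion\Run and \RunOnce, including WOW6432Node paths.
AUTOSTART_KEY = re.compile(r"\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\(RUN|RUNONCE)$")
# Locations a standard user can write to; an autostart pointing here deserves a closer look.
USER_WRITABLE = re.compile(r"(\\USERS\\[^\\]+\\APPDATA\\|\\PROGRAMDATA\\|\\TEMP\\)")


def tokenize(cmdline: str) -> list:
    """Split a command line on whitespace, honouring "..." and '...' groups."""
    tokens, current, quote = [], "", None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                current += ch
        elif ch in "\"'":
            quote = ch
        elif ch.isspace():
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def normalize_key(key: str) -> str:
    """Expand the hive abbreviation (HKCU -> HKEY_CURRENT_USER) so keys compare equal."""
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Return key, value name, type and data of a `reg add` in cmdline, or None."""
    tokens = tokenize(cmdline)
    for i, tok in enumerate(tokens):
        if (tok.lower().rsplit("\\", 1)[-1] in ("reg", "reg.exe")
                and i + 2 < len(tokens) and tokens[i + 1].lower() == "add"):
            break
    else:
        return None
    entry = {"key": normalize_key(tokens[i + 2]), "value_name": None, "type": None, "data": None}
    args = tokens[i + 3:]
    j = 0
    while j < len(args):
        flag = args[j].lower()
        if flag in ("/v", "/t", "/d") and j + 1 < len(args):
            entry[{"/v": "value_name", "/t": "type", "/d": "data"}[flag]] = args[j + 1]
            j += 2
        else:  # /f, /ve, /reg:32 and anything else we do not need
            j += 1
    return entry


def flag_autostart_writes(cmdlines) -> list:
    """Return one finding per reg add whose key is a Run/RunOnce autostart key."""
    findings = []
    for line in cmdlines:
        entry = parse_reg_add(line)
        if entry is None or not AUTOSTART_KEY.search(entry["key"].upper()):
            continue
        entry["user_writable_target"] = bool(USER_WRITABLE.search((entry["data"] or "").upper()))
        entry["cmdline"] = line
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in flag_autostart_writes(SAMPLE_COMMAND_LINES):
        sev = "HIGH" if f["user_writable_target"] else "MEDIUM"
        print(f"[{sev}] {f['key']}\\{f['value_name']} -> {f['data']}")
```

Run against this report's lines it reports the neil value twice (once for the cmd.exe wrapper, once for the reg.exe child) as HIGH because badman.exe sits under AppData\Roaming; the zUbDt value is not visible to this parser because InstallUtil.exe writes it through the registry API rather than a command line, so a registry-write event source is needed to catch that one.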

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\MPO-003234.exe File opened: C:\Users\user\Desktop\MPO-003234.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\badman.exe File opened: C:\Users\user\AppData\Roaming\badman.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe:Zone.Identifier read attributes | delete
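Each process above opens its own executable's Zone.Identifier stream with delete access. That NTFS alternate data stream is the Mark-of-the-Web that Windows attaches to downloaded files; removing it drops the file out of the Internet zone, so SmartScreen and Office Protected View no longer treat it as untrusted. The Python below is an added example, not part of the report or the sample: it parses the stream's contents and offers a reader that returns None when the stream is missing, which is what a responder sees on a copy the sample has already cleaned. The stream body and its URLs are constructed for the example.

```python
"""Parse the Zone.Identifier (Mark-of-the-Web) alternate data stream of a file."""
from typing import Optional

# Constructed example of what Windows writes to <file>:Zone.Identifier for a download.
SAMPLE_ZONE_IDENTIFIER = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/inbox/\r\n"
    b"HostUrl=https://example.invalid/attachments/MPO-003234.exe\r\n"
)

# URLZONE values as used by ZoneId.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(data: bytes) -> dict:
    """Return the [ZoneTransfer] fields as a dict; ZoneId is converted to an int."""
    fields = {}
    in_section = False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        try:
            fields["ZoneId"] = int(fields["ZoneId"])
        except ValueError:
            pass  # leave a malformed ZoneId as the raw string
    return fields


def zone_label(fields: dict) -> str:
    """Human-readable zone name for a parsed stream, 'unknown' if ZoneId is absent."""
    return ZONE_NAMES.get(fields.get("ZoneId"), "unknown")


def read_motw(path: str) -> Optional[dict]:
    """Read <path>:Zone.Identifier (NTFS only). None means no stream: either the file
    was never marked, the volume has no ADS support, or the stream was deleted."""
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    parsed = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print(zone_label(parsed), parsed.get("HostUrl"))
```

A missing stream on a file that user activity shows was downloaded is itself a finding: the zone information is unrecoverable from the file once deleted, so the download origin has to come from browser or mail-client history instead.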
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\MPO-003234.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: badman.exe PID: 7052, type: MEMORY
Source: Yara match File source: Process Memory Space: MPO-003234.exe PID: 6584, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\MPO-003234.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\MPO-003234.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\badman.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\MPO-003234.exe Window / User API: threadDelayed 3943
Source: C:\Users\user\Desktop\MPO-003234.exe Window / User API: threadDelayed 5674
Source: C:\Users\user\AppData\Roaming\badman.exe Window / User API: threadDelayed 7599
Source: C:\Users\user\AppData\Roaming\badman.exe Window / User API: threadDelayed 2127
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 362
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 9461
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6696 Thread sleep count: 3943 > 30
Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6696 Thread sleep count: 5674 > 30
Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680 Thread sleep count: 40 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 6524 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 2084 Thread sleep count: 7599 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 2084 Thread sleep count: 2127 > 30
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 6524 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4792 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4500 Thread sleep count: 362 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4500 Thread sleep count: 9461 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4792 Thread sleep count: 34 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: VMware
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vboxservice
Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmware
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmware usb pointing device
Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmware pointing device
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmware sata
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V
Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmware virtual s scsi disk device
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device
Source: badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\MPO-003234.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\MPO-003234.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\badman.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\MPO-003234.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000
Source: C:\Users\user\AppData\Roaming\badman.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 820008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\MPO-003234.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\Desktop\MPO-003234.exe Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: C:\Users\user\AppData\Roaming\badman.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: InstallUtil.exe, 00000019.00000002.497274948.00000000013A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\MPO-003234.exe Queries volume information: C:\Users\user\Desktop\MPO-003234.exe VolumeInformation
Source: C:\Users\user\Desktop\MPO-003234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MPO-003234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MPO-003234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\MPO-003234.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\badman.exe Queries volume information: C:\Users\user\AppData\Roaming\badman.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\badman.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\badman.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\badman.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\badman.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 25_2_05DB223C GetUserNameW, 25_2_05DB223C
Source: C:\Users\user\Desktop\MPO-003234.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.432317195.0000000003D9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.336384581.0000000004ACC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: badman.exe PID: 7052, type: MEMORY
Source: Yara match File source: Process Memory Space: MPO-003234.exe PID: 6584, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6980, type: MEMORY
Source: Yara match File source: 0.2.MPO-003234.exe.4b021b8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.badman.exe.3ee08b0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.badman.exe.3e089da.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MPO-003234.exe.4acc202.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MPO-003234.exe.4a602a2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.badman.exe.3ee08b0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.badman.exe.3eaa8fa.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MPO-003234.exe.4acc202.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.badman.exe.3e089da.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MPO-003234.exe.4a2a2e2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MPO-003234.exe.4a2a2e2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.badman.exe.3dd2a0a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.badman.exe.3e3e99a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MPO-003234.exe.49f4312.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MPO-003234.exe.4b021b8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MPO-003234.exe.4a602a2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MPO-003234.exe.49f4312.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.badman.exe.3eaa8fa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.badman.exe.3dd2a0a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.badman.exe.3e3e99a.4.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6980, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla (match sources identical to those listed under Stealing of Sensitive Information above)
Behavior Graph ID: 356523 | Sample: MPO-003234.exe | Startdate: 23/02/2021 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Yara detected AntiVM_3; 2 other signatures

Process tree (recovered from the behavior graph):

MPO-003234.exe (started)
  Dropped: C:\Users\user\AppData\Roaming\badman.exe (PE32); C:\Users\user\AppData\...\InstallUtil.exe (PE32); C:\Users\user\...\badman.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\MPO-003234.exe.log (ASCII)
  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
  badman.exe (started)
    Contacted: 192.168.2.1 (unknown, unknown)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
    InstallUtil.exe (started)
      Dropped: C:\Users\user\AppData\Roaming\...\zUbDt.exe (PE32)
      Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Creates multiple autostart registry keys; Hides that the sample has been downloaded from the Internet (zone.identifier)
  cmd.exe (started)
    reg.exe (started)
    conhost.exe (started)

Contacted Public IPs (IP, Domain, Country, Flag, ASN, ASN Name, Malicious): no entries listed

Private IPs: 192.168.2.1