Play interactive tour

Edit tour

Analysis Report MPO-003234.exe

Overview

General Information

Sample Name:	MPO-003234.exe
Analysis ID:	356523
MD5:	8bc8526fbaafbac33118ee652ac97da6
SHA1:	7b23c7209b8f37bb32803971c36ab706b4a8e34d
SHA256:	cfe1f69c2984de3f5d476db3ce45aa4d95a8137f0ff1ba07c1b0cecf15075c93
Tags:	exe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains very large array initializations

Creates multiple autostart registry keys

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara detected Credential Stealer

Classification

Startup

System is w10x64

MPO-003234.exe (PID: 6584 cmdline: 'C:\Users\user\Desktop\MPO-003234.exe' MD5: 8BC8526FBAAFBAC33118EE652AC97DA6)

cmd.exe (PID: 6720 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6764 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)

badman.exe (PID: 7052 cmdline: 'C:\Users\user\AppData\Roaming\badman.exe' MD5: 8BC8526FBAAFBAC33118EE652AC97DA6)

InstallUtil.exe (PID: 6980 cmdline: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.432224674.0000000003D39000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.432317195.0000000003D9C000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.336384581.0000000004ACC000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: badman.exe PID: 7052	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: badman.exe PID: 7052	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MPO-003234.exe PID: 6584	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MPO-003234.exe PID: 6584	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 6980	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 6980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.MPO-003234.exe.4b021b8.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.badman.exe.3ee08b0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.badman.exe.3e089da.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.MPO-003234.exe.4acc202.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.MPO-003234.exe.4a602a2.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
25.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.badman.exe.3ee08b0.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.badman.exe.3eaa8fa.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.MPO-003234.exe.4acc202.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.badman.exe.3e089da.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.MPO-003234.exe.4a2a2e2.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.MPO-003234.exe.4a2a2e2.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.badman.exe.3dd2a0a.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.badman.exe.3e3e99a.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.MPO-003234.exe.49f4312.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.MPO-003234.exe.4b021b8.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.MPO-003234.exe.4a602a2.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.MPO-003234.exe.49f4312.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.badman.exe.3eaa8fa.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.badman.exe.3dd2a0a.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.badman.exe.3e3e99a.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 16 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\badman.exe

ReversingLabs: Detection: 19%

Multi AV Scanner detection for submitted file

Show sources

Source: MPO-003234.exe	Virustotal: Detection: 24%			Perma Link
Source: MPO-003234.exe	ReversingLabs: Detection: 19%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\badman.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: MPO-003234.exe

Joe Sandbox ML: detected

Source: 25.2.InstallUtil.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: MPO-003234.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: MPO-003234.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Show sources

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000002.493071070.00000000006E2000.00000002.00020000.sdmp, zUbDt.exe.25.dr
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, zUbDt.exe.25.dr

Networking:

Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426779004.00000000009D7000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: MPO-003234.exe, 00000000.00000003.238538980.0000000009BE4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adb
Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1p
Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp, badman.exe, 00000010.00000003.347728528.0000000009035000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: badman.exe, 00000010.00000003.422941176.000000000903D000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g%%
Source: badman.exe, 00000010.00000003.347207533.0000000009035000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g5~
Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/gp
Source: MPO-003234.exe, 00000000.00000003.329342490.0000000009BEB000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: MPO-003234.exe, 00000000.00000003.238711117.0000000009BE4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobjp
Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426779004.00000000009D7000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: MPO-003234.exe, 00000000.00000003.307888382.0000000001385000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: MPO-003234.exe, 00000000.00000002.331426011.0000000003102000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427101971.00000000024E2000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp	String found in binary or memory: http://wqDPxI.com
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: MPO-003234.exe, 00000000.00000003.307873312.000000000136A000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426421947.000000000092D000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: MPO-003234.exe, 00000000.00000002.331380288.00000000030D1000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.426997303.00000000024B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: MPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.432474443.0000000003EAA000.00000004.00000001.sdmp, InstallUtil.exe, 00000019.00000002.492241366.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 00000019.00000002.497669421.00000000029B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: badman.exe, 00000010.00000002.426259290.00000000008F8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Show sources

Source: MPO-003234.exe, c3R/Xn4.cs

Large array initialization: .cctor: array initializer size 10710

Source: C:\Users\user\AppData\Roaming\badman.exe

Code function: 16_2_062C2E0C CreateProcessAsUserW,

16_2_062C2E0C

Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_00CA366F	0_2_00CA366F
Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_014ACD20	0_2_014ACD20
Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_014AFCE0	0_2_014AFCE0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_000C366F	16_2_000C366F
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_0088FCE0	16_2_0088FCE0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD75B0	16_2_05FD75B0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD34F8	16_2_05FD34F8
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD5470	16_2_05FD5470
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FDF748	16_2_05FDF748
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD6730	16_2_05FD6730
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FDE648	16_2_05FDE648
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FDC610	16_2_05FDC610
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD5CE0	16_2_05FD5CE0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FDDE60	16_2_05FDDE60
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD7566	16_2_05FD7566
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD44F0	16_2_05FD44F0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD34E8	16_2_05FD34E8
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD44E0	16_2_05FD44E0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD84D8	16_2_05FD84D8
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD74DB	16_2_05FD74DB
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD84CA	16_2_05FD84CA
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD5461	16_2_05FD5461
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD9730	16_2_05FD9730
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD6720	16_2_05FD6720
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD9720	16_2_05FD9720
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FDD658	16_2_05FDD658
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD61E0	16_2_05FD61E0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD61D2	16_2_05FD61D2
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD9090	16_2_05FD9090
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD9080	16_2_05FD9080
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD9DC8	16_2_05FD9DC8
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD9DB9	16_2_05FD9DB9
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD5CD0	16_2_05FD5CD0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FDE9F8	16_2_05FDE9F8
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD9968	16_2_05FD9968
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD9958	16_2_05FD9958
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FDC8C0	16_2_05FDC8C0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD9BE0	16_2_05FD9BE0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD9BD0	16_2_05FD9BD0
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C2218	16_2_062C2218
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C7268	16_2_062C7268
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C3377	16_2_062C3377
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C6B47	16_2_062C6B47
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C0C78	16_2_062C0C78
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C5087	16_2_062C5087
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C90DF	16_2_062C90DF
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062CB970	16_2_062CB970
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C3D5F	16_2_062C3D5F
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C2210	16_2_062C2210
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C9B68	16_2_062C9B68
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C0B4F	16_2_062C0B4F
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C0BA9	16_2_062C0BA9
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 25_2_006E20B0	25_2_006E20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 25_2_04E446A0	25_2_04E446A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 25_2_04E445B0	25_2_04E445B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 25_2_04E4D270	25_2_04E4D270
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 25_2_05DB6508	25_2_05DB6508
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 25_2_05DB7120	25_2_05DB7120
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 25_2_05DB90D8	25_2_05DB90D8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 25_2_05DB6850	25_2_05DB6850

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB

Source: MPO-003234.exe	Binary or memory string: OriginalFilename vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000000.227384578.0000000000D65000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRaj.exeH vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.341301388.0000000006E50000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.336807432.00000000050F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.334911428.00000000049BE000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamerqKssByvppSbVMHQvZHbRwnFF.exe4 vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.341162327.0000000006B30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.336933467.0000000005150000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs MPO-003234.exe
Source: MPO-003234.exe, 00000000.00000002.336933467.0000000005150000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs MPO-003234.exe
Source: MPO-003234.exe	Binary or memory string: OriginalFilenameRaj.exeH vs MPO-003234.exe

Source: MPO-003234.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/6@0/1

Source: C:\Users\user\Desktop\MPO-003234.exe

File created: C:\Users\user\AppData\Roaming\badman.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01

Source: C:\Users\user\Desktop\MPO-003234.exe

File created: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe

Jump to behavior

Source: MPO-003234.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MPO-003234.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\MPO-003234.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MPO-003234.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\MPO-003234.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: MPO-003234.exe	Virustotal: Detection: 24%
Source: MPO-003234.exe	ReversingLabs: Detection: 19%

Source: MPO-003234.exe	String found in binary or memory: icons8-add-48
Source: MPO-003234.exe	String found in binary or memory: icons8-add-administrator-50
Source: MPO-003234.exe	String found in binary or memory: icons8-add-24
Source: MPO-003234.exe	String found in binary or memory: icons8-add-32
Source: badman.exe	String found in binary or memory: icons8-add-24
Source: badman.exe	String found in binary or memory: icons8-add-32
Source: badman.exe	String found in binary or memory: icons8-add-48
Source: badman.exe	String found in binary or memory: icons8-add-administrator-50
Source: MPO-003234.exe	String found in binary or memory: icons8-add-24
Source: MPO-003234.exe	String found in binary or memory: icons8-add-32[
Source: MPO-003234.exe	String found in binary or memory: icons8-add-48
Source: MPO-003234.exe	String found in binary or memory: 6icons8-add-administrator-50

Source: C:\Users\user\Desktop\MPO-003234.exe

File read: C:\Users\user\Desktop\MPO-003234.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MPO-003234.exe 'C:\Users\user\Desktop\MPO-003234.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\MPO-003234.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process created: C:\Users\user\AppData\Roaming\badman.exe 'C:\Users\user\AppData\Roaming\badman.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'neil' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\badman.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe	Jump to behavior

Source: C:\Users\user\Desktop\MPO-003234.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\MPO-003234.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MPO-003234.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MPO-003234.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000002.493071070.00000000006E2000.00000002.00020000.sdmp, zUbDt.exe.25.dr
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, zUbDt.exe.25.dr

Data Obfuscation:

Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_00CA55FE push FFFFFFD7h; ret	0_2_00CA5608
Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_00CA558A push FFFFFFD7h; ret	0_2_00CA5578
Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_00CA5560 push FFFFFFD7h; ret	0_2_00CA5578
Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_00CA4112 push edx; ret	0_2_00CA4113
Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_00CA4122 push esi; ret	0_2_00CA4123
Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_00CA4AE9 push ebp; retf	0_2_00CA4AEA
Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_00CA3294 push eax; retf	0_2_00CA3295
Source: C:\Users\user\Desktop\MPO-003234.exe	Code function: 0_2_00CA3204 push cs; iretd	0_2_00CA3205
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_000C4112 push edx; ret	16_2_000C4113
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_000C4122 push esi; ret	16_2_000C4123
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_000C5560 push FFFFFFD7h; ret	16_2_000C5578
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_000C558A push FFFFFFD7h; ret	16_2_000C5578
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_000C55FE push FFFFFFD7h; ret	16_2_000C5608
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_000C3204 push cs; iretd	16_2_000C3205
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_000C3294 push eax; retf	16_2_000C3295
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_000C4AE9 push ebp; retf	16_2_000C4AEA
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FDA0C4 push ecx; iretd	16_2_05FDA0C6
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_05FD3E22 push ecx; ret	16_2_05FD3E26
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C2E58 pushfd ; retf	16_2_062C2E61
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062CD2F2 push ebp; retf	16_2_062CD2FE
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C2F35 push eax; retf	16_2_062C2F3A
Source: C:\Users\user\AppData\Roaming\badman.exe	Code function: 16_2_062C9B58 pushad ; retf	16_2_062C9B65
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 25_2_04E4B537 push 6C00005Eh; retf	25_2_04E4B551

Source: MPO-003234.exe, Ed8/Hb5.cs

High entropy of concatenated method names: '.ctor', 'a3S', 'Lq4', 't3R', 'Qw5', 'k1P', 'Fb7', 'Me5', 'Tz6', 'a4K'

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\MPO-003234.exe	File created: C:\Users\user\AppData\Roaming\badman.exe	Jump to dropped file
Source: C:\Users\user\Desktop\MPO-003234.exe	File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe	Jump to dropped file

Boot Survival:

Creates multiple autostart registry keys

Show sources

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDt			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neil			Jump to behavior

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neil	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run neil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDt	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\MPO-003234.exe	File opened: C:\Users\user\Desktop\MPO-003234.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	File opened: C:\Users\user\AppData\Roaming\badman.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\zUbDt\zUbDt.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\MPO-003234.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: Process Memory Space: badman.exe PID: 7052, type: MEMORY
Source: Yara match	File source: Process Memory Space: MPO-003234.exe PID: 6584, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\MPO-003234.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\MPO-003234.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\MPO-003234.exe	Window / User API: threadDelayed 3943	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe	Window / User API: threadDelayed 5674	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Window / User API: threadDelayed 7599	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe	Window / User API: threadDelayed 2127	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Window / User API: threadDelayed 362	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Window / User API: threadDelayed 9461	Jump to behavior

Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6696	Thread sleep count: 3943 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6696	Thread sleep count: 5674 > 30	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\MPO-003234.exe TID: 6680	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 6524	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 2084	Thread sleep count: 7599 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 2084	Thread sleep count: 2127 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\badman.exe TID: 6524	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4792	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4500	Thread sleep count: 362 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4500	Thread sleep count: 9461 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 4792	Thread sleep count: 34 > 30	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp	Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp	Binary or memory string: vboxservice
Source: MPO-003234.exe, 00000000.00000002.331497829.0000000003183000.00000004.00000001.sdmp, badman.exe, 00000010.00000002.427188723.0000000002563000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: MPO-003234.exe, 00000000.00000002.340962321.0000000006140000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.242078928.00000000011D0000.00000002.00000001.sdmp, badman.exe, 00000010.00000002.433984581.0000000005580000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.502507396.0000000005AC0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine cou

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report MPO-003234.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion: