Analysis Report New Order.exe

Overview

General Information

Sample Name: New Order.exe
Analysis ID: 356548
MD5: 3e3175667f101af812aa1aca7f4e9a10
SHA1: b46541a9ee94daa1dbc56ff4c6ff5a0824420f55
SHA256: 29b33dfc23c9d0fb7375b09cebd89658ed6b5cc66027512f1f697512209fc50a
Tags: AgentTeslaexe

Most interesting Screenshot:

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: New Order.exe Virustotal: Detection: 27% Perma Link
Source: New Order.exe ReversingLabs: Detection: 14%
Machine Learning detection for sample
Source: New Order.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: New Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: New Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PDF.exe, 00000005.00000003.323996467.00000000099E4000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000000.322576109.0000000000EB2000.00000002.00020000.sdmp, icloud.exe, 00000012.00000002.401449377.0000000000432000.00000002.00020000.sdmp, icloud.exe, 00000017.00000000.417823011.0000000000D42000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
Source: Binary string: InstallUtil.pdb source: icloud.exe, InstallUtil.exe.5.dr

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 1_2_00BF81CF
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then mov ecx, dword ptr [ebp-00000090h] 1_2_00BF4108
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then mov ecx, dword ptr [ebp-00000090h] 1_2_00BF4108
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then mov ecx, dword ptr [ebp-00000090h] 1_2_00BF4108
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then jmp 00BF47F4h 1_2_00BF4108
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then jmp 00BF47F4h 1_2_00BF40F8
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then jmp 00BF47F4h 1_2_00BF4102
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] 1_2_00BF65C3
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 1_2_0839BEF0
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 1_2_0839B7CC
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then push dword ptr [ebp-20h] 1_2_0839C2A8
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 1_2_0839C2A8
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then xor edx, edx 1_2_0839C500
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then push dword ptr [ebp-24h] 1_2_0839C5C8
Source: C:\Users\user\Desktop\New Order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 1_2_0839C5C8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then mov ecx, dword ptr [ebp-00000090h] 5_2_05704108
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then mov ecx, dword ptr [ebp-00000090h] 5_2_05704108
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then mov ecx, dword ptr [ebp-00000090h] 5_2_05704108
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then jmp 057047F4h 5_2_05704108
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 5_2_057081E0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] 5_2_057065C3
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 5_2_057081CF
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then jmp 057047F4h 5_2_057040F8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then jmp 057047F4h 5_2_057040FB
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 5_2_0920B7CC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 5_2_0920BE10
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then xor edx, edx 5_2_0920C500
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 5_2_0920BEF0
Source: InstallUtil.exe, 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: PDF.exe, 00000005.00000003.265815351.00000000014E0000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: New Order.exe, 00000001.00000003.245881659.0000000008B23000.00000004.00000001.sdmp, PDF.exe, 00000005.00000003.276483949.0000000009893000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: PDF.exe, 00000005.00000003.330894365.000000000989B000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g%%
Source: New Order.exe, 00000001.00000003.261518808.0000000008B2B000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g%%A
Source: New Order.exe, 00000001.00000003.245931643.0000000008B23000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/gr
Source: PDF.exe, 00000005.00000003.265815351.00000000014E0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: InstallUtil.exe, 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp String found in binary or memory: http://opqgus.com
Source: PDF.exe, 00000005.00000002.332738085.00000000032AC000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: New Order.exe, 00000001.00000002.262933915.0000000002451000.00000004.00000001.sdmp, PDF.exe, 00000005.00000002.332678135.0000000003281000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New Order.exe String found in binary or memory: http://tempuri.org/vmsDataSet1.xsd
Source: InstallUtil.exe, 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: New Order.exe, 00000001.00000002.262933915.0000000002451000.00000004.00000001.sdmp, PDF.exe, 00000005.00000002.332678135.0000000003281000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: New Order.exe String found in binary or memory: https://www.google.com/
Source: New Order.exe, 00000001.00000002.264919115.0000000003E4C000.00000004.00000001.sdmp, PDF.exe, 00000005.00000002.338347944.0000000004C7B000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000002.501527866.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

barindex
.NET source code contains very large array initializations
Source: 13.2.InstallUtil.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b29C1CE56u002d721Fu002d40F6u002d9783u002d468E049369ACu007d/FED7A41Fu002d0D54u002d4DD1u002d8FEEu002d83C13911AD7B.cs Large array initialization: .cctor: array initializer size 11940
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: New Order.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D23A10 CreateProcessAsUserW, 5_2_06D23A10
Detected potential crypto function
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF61C0 1_2_00BF61C0
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF4108 1_2_00BF4108
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFC8E0 1_2_00BFC8E0
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFB218 1_2_00BFB218
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF9278 1_2_00BF9278
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF96A0 1_2_00BF96A0
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFD760 1_2_00BFD760
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFBA88 1_2_00BFBA88
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF5E90 1_2_00BF5E90
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF40F8 1_2_00BF40F8
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF61B1 1_2_00BF61B1
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF4102 1_2_00BF4102
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFA698 1_2_00BFA698
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFE688 1_2_00BFE688
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFF240 1_2_00BFF240
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF9692 1_2_00BF9692
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFF8E0 1_2_00BFF8E0
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFFB18 1_2_00BFFB18
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFFD90 1_2_00BFFD90
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF5E50 1_2_00BF5E50
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BFBF88 1_2_00BFBF88
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08392888 1_2_08392888
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08396E50 1_2_08396E50
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_083940D8 1_2_083940D8
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_0839F480 1_2_0839F480
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_083946D8 1_2_083946D8
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08396708 1_2_08396708
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08392878 1_2_08392878
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08397850 1_2_08397850
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08397840 1_2_08397840
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_083938D0 1_2_083938D0
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_083938C1 1_2_083938C1
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08394A78 1_2_08394A78
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08394A88 1_2_08394A88
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08392B38 1_2_08392B38
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08392B29 1_2_08392B29
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08396D8F 1_2_08396D8F
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_0839CD80 1_2_0839CD80
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08396DDC 1_2_08396DDC
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08397EB0 1_2_08397EB0
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08390012 1_2_08390012
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08390040 1_2_08390040
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_083940C8 1_2_083940C8
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08395168 1_2_08395168
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_083972F8 1_2_083972F8
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_083972E9 1_2_083972E9
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_0839D330 1_2_0839D330
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08396671 1_2_08396671
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08396655 1_2_08396655
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_083946C8 1_2_083946C8
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A0878 1_2_088A0878
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A5A68 1_2_088A5A68
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A3B20 1_2_088A3B20
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A0869 1_2_088A0869
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A1923 1_2_088A1923
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A1930 1_2_088A1930
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A5A59 1_2_088A5A59
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A3B10 1_2_088A3B10
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A1CB6 1_2_088A1CB6
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A4F70 1_2_088A4F70
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_05704108 5_2_05704108
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_057061C0 5_2_057061C0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570C8E0 5_2_0570C8E0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570D760 5_2_0570D760
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_057096A0 5_2_057096A0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_05709278 5_2_05709278
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570B218 5_2_0570B218
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_05705E90 5_2_05705E90
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570BA88 5_2_0570BA88
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570A698 5_2_0570A698
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570E688 5_2_0570E688
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_057061B1 5_2_057061B1
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_057040FB 5_2_057040FB
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_05709693 5_2_05709693
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570F240 5_2_0570F240
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570FD90 5_2_0570FD90
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570BF88 5_2_0570BF88
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_05705E50 5_2_05705E50
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570F8E0 5_2_0570F8E0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0570FB18 5_2_0570FB18
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D20218 5_2_06D20218
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D22858 5_2_06D22858
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D25041 5_2_06D25041
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D20948 5_2_06D20948
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D23EF8 5_2_06D23EF8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D21F19 5_2_06D21F19
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D21F28 5_2_06D21F28
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D25C70 5_2_06D25C70
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D232E8 5_2_06D232E8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D21AB0 5_2_06D21AB0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D21AA3 5_2_06D21AA3
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D20209 5_2_06D20209
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D20939 5_2_06D20939
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09202888 5_2_09202888
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_092040D8 5_2_092040D8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09206708 5_2_09206708
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09206E50 5_2_09206E50
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_092046D8 5_2_092046D8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09205168 5_2_09205168
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0920003B 5_2_0920003B
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09202878 5_2_09202878
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09200040 5_2_09200040
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09207840 5_2_09207840
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09207850 5_2_09207850
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_092038C1 5_2_092038C1
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_092040C8 5_2_092040C8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_092038D0 5_2_092038D0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09202B29 5_2_09202B29
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0920D330 5_2_0920D330
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09202B38 5_2_09202B38
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09204A78 5_2_09204A78
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09204A88 5_2_09204A88
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_092072E9 5_2_092072E9
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_092072F8 5_2_092072F8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09206D75 5_2_09206D75
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0920CD80 5_2_0920CD80
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09206D86 5_2_09206D86
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_092077A8 5_2_092077A8
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09206671 5_2_09206671
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09206655 5_2_09206655
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09207EB0 5_2_09207EB0
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_092046C8 5_2_092046C8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 13_2_00EB20B0 13_2_00EB20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 13_2_017546A0 13_2_017546A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 13_2_017545B0 13_2_017545B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 13_2_064094F8 13_2_064094F8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 13_2_06407538 13_2_06407538
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 13_2_06406920 13_2_06406920
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 13_2_06406C68 13_2_06406C68
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Code function: 18_2_004320B0 18_2_004320B0
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Code function: 18_2_026407C8 18_2_026407C8
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Code function: 23_2_00D420B0 23_2_00D420B0
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Code function: 23_2_016607C8 23_2_016607C8
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\icloud\icloud.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Sample file is different than original file name gathered from version info
Source: New Order.exe, 00000001.00000002.264919115.0000000003E4C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamexmQIUMxxNnYSaKqwZwqQezLlEfuICPLsF.exe4 vs New Order.exe
Source: New Order.exe, 00000001.00000002.265025827.0000000004460000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs New Order.exe
Source: New Order.exe, 00000001.00000002.264386143.0000000003455000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs New Order.exe
Source: New Order.exe, 00000001.00000002.269278942.0000000005AC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs New Order.exe
Source: New Order.exe, 00000001.00000002.265189626.00000000044C0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs New Order.exe
Source: New Order.exe, 00000001.00000002.265189626.00000000044C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New Order.exe
Uses 32bit PE files
Source: New Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 13.2.InstallUtil.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.InstallUtil.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal96.troj.evad.winEXE@9/7@0/1
Source: C:\Users\user\Desktop\New Order.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: New Order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Order.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: New Order.exe Virustotal: Detection: 27%
Source: New Order.exe ReversingLabs: Detection: 14%
Source: New Order.exe String found in binary or memory: icons8-add-24
Source: New Order.exe String found in binary or memory: icons8-add-32
Source: New Order.exe String found in binary or memory: icons8-add-48
Source: New Order.exe String found in binary or memory: icons8-add-administrator-50
Source: PDF.exe String found in binary or memory: icons8-add-24
Source: PDF.exe String found in binary or memory: icons8-add-32
Source: PDF.exe String found in binary or memory: icons8-add-48
Source: PDF.exe String found in binary or memory: icons8-add-administrator-50
Source: New Order.exe String found in binary or memory: icons8-add-24
Source: New Order.exe String found in binary or memory: icons8-add-32[
Source: New Order.exe String found in binary or memory: icons8-add-48
Source: New Order.exe String found in binary or memory: 6icons8-add-administrator-50
Source: New Order.exe String found in binary or memory: icons8-add-32
Source: New Order.exe String found in binary or memory: 7icons8-add-administrator-50
Source: unknown Process created: C:\Users\user\Desktop\New Order.exe 'C:\Users\user\Desktop\New Order.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\PDF.exe 'C:\Users\user\AppData\Local\Temp\PDF.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\icloud\icloud.exe 'C:\Users\user\AppData\Roaming\icloud\icloud.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\icloud\icloud.exe 'C:\Users\user\AppData\Roaming\icloud\icloud.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Order.exe Process created: C:\Users\user\AppData\Local\Temp\PDF.exe 'C:\Users\user\AppData\Local\Temp\PDF.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: New Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: New Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: PDF.exe, 00000005.00000003.323996467.00000000099E4000.00000004.00000001.sdmp, InstallUtil.exe, 0000000D.00000000.322576109.0000000000EB2000.00000002.00020000.sdmp, icloud.exe, 00000012.00000002.401449377.0000000000432000.00000002.00020000.sdmp, icloud.exe, 00000017.00000000.417823011.0000000000D42000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
Source: Binary string: InstallUtil.pdb source: icloud.exe, InstallUtil.exe.5.dr

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_0002576D push 20060000h; retn 0001h 1_2_00025773
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_00BF9FCA push ecx; ret 1_2_00BF9FCE
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08393E14 push ebx; retf 1_2_08393E16
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08393E0A push ebx; retf 1_2_08393E0C
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_08393105 push eax; ret 1_2_08393107
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_0839033C push ecx; iretd 1_2_0839033E
Source: C:\Users\user\Desktop\New Order.exe Code function: 1_2_088A2468 push edi; ret 1_2_088A2489
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_00D3576D push 20060000h; retn 0001h 5_2_00D35773
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D2764A push es; iretd 5_2_06D278BC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D27664 push es; iretd 5_2_06D278BC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D27613 push es; iretd 5_2_06D278BC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D274F1 push es; iretd 5_2_06D278BC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D27498 push es; iretd 5_2_06D278BC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D2745F push es; iretd 5_2_06D278BC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D27585 push es; iretd 5_2_06D278BC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D275BB push es; iretd 5_2_06D278BC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_06D273C8 push es; iretd 5_2_06D278BC
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09203105 push eax; ret 5_2_09203107
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_0920033C push ecx; iretd 5_2_0920033E
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09207C00 pushfd ; ret 5_2_09207C91
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09203E0A push ebx; retf 5_2_09203E0C
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Code function: 5_2_09203E14 push ebx; retf 5_2_09203E16
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 13_2_0640A61F push es; iretd 13_2_0640A63C
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 13_2_0640C320 push es; ret 13_2_0640C330
Source: New Order.exe, k5R/c5S.cs High entropy of concatenated method names: '.ctor', 'w5Z', 'q7A', 'Rc0', 'Wa2', 'Sz9', 'm7R', 'q1R', 'p1G', 't0H'
Source: New Order.exe, Qt6/Yk9.cs High entropy of concatenated method names: '.ctor', 'Mb0', 'a4G', 'n8Y', 'Pk4', 'm5J', 't6J', 'Lc3', 'Yd1', 'j0G'
Source: 1.0.New Order.exe.20000.0.unpack, Qt6/Yk9.cs High entropy of concatenated method names: '.ctor', 'Mb0', 'a4G', 'n8Y', 'Pk4', 'm5J', 't6J', 'Lc3', 'Yd1', 'j0G'
Source: 1.0.New Order.exe.20000.0.unpack, k5R/c5S.cs High entropy of concatenated method names: '.ctor', 'w5Z', 'q7A', 'Rc0', 'Wa2', 'Sz9', 'm7R', 'q1R', 'p1G', 't0H'
Source: 1.2.New Order.exe.20000.0.unpack, Qt6/Yk9.cs High entropy of concatenated method names: '.ctor', 'Mb0', 'a4G', 'n8Y', 'Pk4', 'm5J', 't6J', 'Lc3', 'Yd1', 'j0G'
Source: 1.2.New Order.exe.20000.0.unpack, k5R/c5S.cs High entropy of concatenated method names: '.ctor', 'w5Z', 'q7A', 'Rc0', 'Wa2', 'Sz9', 'm7R', 'q1R', 'p1G', 't0H'
Source: 5.0.PDF.exe.d30000.0.unpack, Qt6/Yk9.cs High entropy of concatenated method names: '.ctor', 'Mb0', 'a4G', 'n8Y', 'Pk4', 'm5J', 't6J', 'Lc3', 'Yd1', 'j0G'
Source: 5.0.PDF.exe.d30000.0.unpack, k5R/c5S.cs High entropy of concatenated method names: '.ctor', 'w5Z', 'q7A', 'Rc0', 'Wa2', 'Sz9', 'm7R', 'q1R', 'p1G', 't0H'
Source: 5.2.PDF.exe.d30000.0.unpack, k5R/c5S.cs High entropy of concatenated method names: '.ctor', 'w5Z', 'q7A', 'Rc0', 'Wa2', 'Sz9', 'm7R', 'q1R', 'p1G', 't0H'
Source: 5.2.PDF.exe.d30000.0.unpack, Qt6/Yk9.cs High entropy of concatenated method names: '.ctor', 'Mb0', 'a4G', 'n8Y', 'Pk4', 'm5J', 't6J', 'Lc3', 'Yd1', 'j0G'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Users\user\AppData\Roaming\icloud\icloud.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run icloud Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run icloud Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\New Order.exe File opened: C:\Users\user\Desktop\New Order.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe File opened: C:\Users\user\AppData\Local\Temp\PDF.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\icloud\icloud.exe:Zone.Identifier read attributes | delete Jump to behavior
Moves itself to temp directory
Source: c:\users\user\desktop\new order.exe File moved: C:\Users\user\AppData\Local\Temp\PDF.exe Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\New Order.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\New Order.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\New Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Window / User API: threadDelayed 1637 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Window / User API: threadDelayed 8074 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 3124 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 6667 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\New Order.exe TID: 6476 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 6500 Thread sleep count: 170 > 30 Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 6500 Thread sleep count: 113 > 30 Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 6416 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 6408 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe TID: 6892 Thread sleep time: -21213755684765971s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe TID: 6904 Thread sleep count: 1637 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe TID: 6904 Thread sleep count: 8074 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7016 Thread sleep time: -23980767295822402s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7020 Thread sleep count: 3124 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7020 Thread sleep count: 6667 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7016 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe TID: 800 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe TID: 1544 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: VMware
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vboxservice
Source: New Order.exe, 00000001.00000002.263147946.00000000024FD000.00000004.00000001.sdmp, PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: InstallUtil.exe, 0000000D.00000002.508591702.0000000006270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmware
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmware usb pointing device
Source: New Order.exe, 00000001.00000002.263147946.00000000024FD000.00000004.00000001.sdmp, PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmware pointing device
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmware sata
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: New Order.exe, 00000001.00000002.263147946.00000000024FD000.00000004.00000001.sdmp, PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: Microsoft Hyper-V
Source: InstallUtil.exe, 0000000D.00000002.508591702.0000000006270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmware virtual s scsi disk device
Source: InstallUtil.exe, 0000000D.00000002.508591702.0000000006270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PDF.exe, 00000005.00000002.332854439.000000000332D000.00000004.00000001.sdmp Binary or memory string: vmware vmci bus device
Source: InstallUtil.exe, 0000000D.00000002.508591702.0000000006270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\New Order.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\New Order.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 1176008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\New Order.exe Process created: C:\Users\user\AppData\Local\Temp\PDF.exe 'C:\Users\user\AppData\Local\Temp\PDF.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: InstallUtil.exe, 0000000D.00000002.504929735.0000000001D10000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 0000000D.00000002.504929735.0000000001D10000.00000002.00000001.sdmp Binary or memory string: Progman
Source: InstallUtil.exe, 0000000D.00000002.504929735.0000000001D10000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: InstallUtil.exe, 0000000D.00000002.504929735.0000000001D10000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: InstallUtil.exe, 0000000D.00000002.504929735.0000000001D10000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\New Order.exe Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Queries volume information: C:\Users\user\AppData\Local\Temp\PDF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\PDF.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Queries volume information: C:\Users\user\AppData\Roaming\icloud\icloud.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Queries volume information: C:\Users\user\AppData\Roaming\icloud\icloud.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\icloud\icloud.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 13_2_06402654 GetUserNameW, 13_2_06402654
Source: C:\Users\user\Desktop\New Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.338347944.0000000004C7B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264919115.0000000003E4C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.338213268.0000000004B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.338414554.0000000004CEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.501527866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264714303.0000000003D3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PDF.exe PID: 6764, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order.exe PID: 6368, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3092, type: MEMORY
Source: Yara match File source: 1.2.New Order.exe.3de048a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4c7bd62.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3de048a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3e82700.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4bd9ae2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4ba39f2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4ba39f2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3d742ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4c0fbc2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3daa3aa.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4cb1e38.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3e4c62a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4c0fbc2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4bd9ae2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3d742ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4cb1e38.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3daa3aa.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3e82700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3e4c62a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4c7bd62.7.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3092, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.338347944.0000000004C7B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264919115.0000000003E4C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.338213268.0000000004B6D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.338414554.0000000004CEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.501527866.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264714303.0000000003D3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.505455103.00000000032B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PDF.exe PID: 6764, type: MEMORY
Source: Yara match File source: Process Memory Space: New Order.exe PID: 6368, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 3092, type: MEMORY
Source: Yara match File source: 1.2.New Order.exe.3de048a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4c7bd62.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3de048a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3e82700.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4bd9ae2.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4ba39f2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4ba39f2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3d742ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4c0fbc2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3daa3aa.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4cb1e38.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3e4c62a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4c0fbc2.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4bd9ae2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3d742ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4cb1e38.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3daa3aa.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3e82700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.New Order.exe.3e4c62a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PDF.exe.4c7bd62.7.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356548 Sample: New Order.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 96 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected AgentTesla 2->46 48 .NET source code contains very large array initializations 2->48 50 2 other signatures 2->50 7 New Order.exe 15 4 2->7         started        12 icloud.exe 4 2->12         started        14 icloud.exe 3 2->14         started        process3 dnsIp4 34 192.168.2.1 unknown unknown 7->34 30 C:\Users\user\AppData\...30ew Order.exe.log, ASCII 7->30 dropped 52 Moves itself to temp directory 7->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->54 16 PDF.exe 14 4 7->16         started        20 conhost.exe 12->20         started        22 conhost.exe 14->22         started        file5 signatures6 process7 file8 28 C:\Users\user\AppData\...\InstallUtil.exe, PE32 16->28 dropped 36 Writes to foreign memory regions 16->36 38 Allocates memory in foreign processes 16->38 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->40 42 Injects a PE file into a foreign processes 16->42 24 InstallUtil.exe 2 4 16->24         started        signatures9 process10 file11 32 C:\Users\user\AppData\Roaming\...\icloud.exe, PE32 24->32 dropped 56 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->56 58 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->60 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private
IP
192.168.2.1