
Analysis Report Q1xEDBAmY5

Overview

General Information

Sample Name: Q1xEDBAmY5 (renamed file extension from none to exe)
Analysis ID: 377652
MD5: 7d4550dd4c6996057147ecc996b14e9a
SHA1: d0d68281f8459b5558559fbbf8c6c8ab4ddfec8b
SHA256: ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d

Detection

Hades Ransomware
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Hades Ransomware
Deletes shadow drive data (may be related to ransomware)
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found large amount of non-executed APIs
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Q1xEDBAmY5.exe (PID: 5032 cmdline: 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' MD5: 7D4550DD4C6996057147ECC996B14E9A)
    • Unistore (PID: 1752 cmdline: C:\Users\user\AppData\Roaming\TextNotepad\Unistore /go MD5: 7D4550DD4C6996057147ECC996B14E9A)
      • cmd.exe (PID: 4844 cmdline: cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & del 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & rd 'C:\Users\user\AppData\Roaming\TextNotepad\' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 3528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • waitfor.exe (PID: 2076 cmdline: waitfor /t 10 pause /d y MD5: 9509EC0B3D20348D129183021BF38BBB)
        • attrib.exe (PID: 3576 cmdline: attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' MD5: FDC601145CD289C6FBC96D3F805F3CD7)
    • cmd.exe (PID: 5112 cmdline: cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & del 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & rd 'C:\Users\user\Desktop\' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • waitfor.exe (PID: 1752 cmdline: waitfor /t 10 pause /d y MD5: 9509EC0B3D20348D129183021BF38BBB)
      • attrib.exe (PID: 5656 cmdline: attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' MD5: FDC601145CD289C6FBC96D3F805F3CD7)
  • cleanup

Malware Configuration

Threatname: Hades Ransomware

[+] What happened? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.gn9cj
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER).
[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practiAe - time is much more valuable than money.
[+] How to get access on website? [+]
Using a TOR browser!
  - Download and install TOR browser from this site: hxxps://torproject.org/
  - Open our website: hxxp://khfsk3ffg3av3rha.onion
  - Follow the on-screen instructions
Extension name:
*.gn9cj
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere.
!!! !!! !!!

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: Unistore PID: 1752 | JoeSecurity_HadesRansomware | Yara detected Hades Ransomware | Joe Security |
Process Memory Space: Q1xEDBAmY5.exe PID: 5032 | JoeSecurity_HadesRansomware | Yara detected Hades Ransomware | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: HOW-TO-DECRYPT-gn9cj.txt5.1.dr.binstr | Malware Configuration Extractor: Hades Ransomware (ransom note text identical to the Malware Configuration section above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Metadefender: Detection: 50%
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: Q1xEDBAmY5.exe | Metadefender: Detection: 50%
Source: Q1xEDBAmY5.exe | ReversingLabs: Detection: 82%

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Unpacked PE file: 0.2.Q1xEDBAmY5.exe.140000000.2.unpack
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Unpacked PE file: 1.2.Unistore.140000000.2.unpack
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401B86FF GetLogicalDriveStringsW,HeapAlloc,GetLogicalDriveStringsW,lstrlenW,QueryDosDeviceW,lstrlenW,StrCmpNIW,HeapFree, 0_2_00000001401B86FF

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt | Dropped file: ransom note (text as in the Malware Configuration section above)
Yara detected Hades Ransomware
Source: Yara match | File source: Process Memory Space: Unistore PID: 1752, type: MEMORY
Source: Yara match | File source: Process Memory Space: Q1xEDBAmY5.exe PID: 5032, type: MEMORY
Deletes shadow drive data (may be related to ransomware)
Source: Q1xEDBAmY5.exe | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: Q1xEDBAmY5.exe, 00000000.00000003.351265737.0000000002790000.00000004.00000040.sdmp | Binary or memory string: *.exe|*.dll\\?\CryptAcquireContextWadvapi32Low\CryptReleaseContextkernel32ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%appdata%\|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq\BaseNamedObjects\\REGISTRY\USERCryptGenRandomConvertStringSecurityDescriptorToSecurityDescriptorW%SWow64EnableWow64FsRedirectionFloppyMicrosoft Corporation. All rights reserved.system32\REGISTRY\MACHINE\SOFTWARE\Microsoftcmd /c waitfor /t %u pause /d y & attrib -h "%s" & del "%s" & rd "%s"osk.exemsconfig.exewmic process call create "%s" > nul && exitConsoleWindowClass-5#32770en-USSysListView32List1%uvssadmin.exe Delete Shadows /All /Quiet/user/prio/path/uac/go%s - %u
Source: Unistore | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: Unistore, 00000001.00000003.347686759.0000000002740000.00000004.00000040.sdmp | Binary or memory string: *.exe|*.dll\\?\CryptAcquireContextWadvapi32Low\CryptReleaseContextkernel32ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/%appdata%\|$$$}rstuvwxyz{$$$$$$$>?@ABCDEFGHIJKLMNOPQRSTUVW$$$$$$XYZ[\]^_`abcdefghijklmnopq\BaseNamedObjects\\REGISTRY\USERCryptGenRandomConvertStringSecurityDescriptorToSecurityDescriptorW%SWow64EnableWow64FsRedirectionFloppyMicrosoft Corporation. All rights reserved.system32\REGISTRY\MACHINE\SOFTWARE\Microsoftcmd /c waitfor /t %u pause /d y & attrib -h "%s" & del "%s" & rd "%s"osk.exemsconfig.exewmic process call create "%s" > nul && exitConsoleWindowClass-5#32770en-USSysListView32List1%uvssadmin.exe Delete Shadows /All /Quiet/user/prio/path/uac/go%s - %u
May encrypt documents and pictures (Ransomware)
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-0011-0000-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-0016-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-0018-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-0019-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-001a-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-001b-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.en\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.es\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\proof.fr\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-002c-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-0044-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-0090-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-00a1-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-00ba-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-00e1-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-00e2-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-0115-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-0116-0409-1000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\access.en-us\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-0117-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\msocache\all users\{90160000-012b-0409-0000-0000000ff1ce}-c\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\default\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\desktop\bpmlnobvsb\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\desktop\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\desktop\nikhqaiqau\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\desktop\zbedcjpbey\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\documents\bpmlnobvsb\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\documents\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\documents\nikhqaiqau\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\documents\zbedcjpbey\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\downloads\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\favorites\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\user\searches\how-to-decrypt-gn9cj.txt
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File created: c:\users\public\libraries\how-to-decrypt-gn9cj.txt
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File moved: C:\Users\user\Desktop\BPMLNOBVSB\MXPXCVPDVN.jpg
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File moved: C:\Users\user\Desktop\NIKHQAIQAU\SQRKHNBNYN.png
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File moved: C:\Users\user\Desktop\ZTGJILHXQB.jpg
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File moved: C:\Users\user\Desktop\GAOBCVIQIJ.mp3
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | File moved: C:\Users\user\Desktop\ZBEDCJPBEY\RAYHIWGKDI.jpg
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0000000140004DE4 lstrlenW,HeapAlloc,PathFindFileNameW,lstrcpyW,ZwClose,lstrcpyW,HeapFree, 0_2_0000000140004DE4
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0000000140008FD8 RtlInitUnicodeString,RtlpNtOpenKey,RtlNtStatusToDosError,NtEnumerateKey,RtlNtStatusToDosError,NtClose, 0_2_0000000140008FD8
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401B8494 RtlDosPathNameToNtPathName_U,HeapAlloc,RtlDosPathNameToNtPathName_U,ZwSetInformationFile,RtlNtStatusToDosError,ZwClose,HeapFree,RtlFreeUnicodeString, 0_2_00000001401B8494
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_000000014000293C ZwQueryVirtualMemory,HeapAlloc,ZwQueryVirtualMemory,RtlNtStatusToDosError,HeapFree,RtlNtStatusToDosError, 0_2_000000014000293C
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401C0D0F lstrcatW,RtlDosPathNameToNtPathName_U,RtlDosPathNameToNtPathName_U,ZwClose, 0_2_00000001401C0D0F
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401B8D30 EnterCriticalSection,HeapFree,LeaveCriticalSection,DeleteCriticalSection,ZwClose, 0_2_00000001401B8D30
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401BC979 ZwQueryInformationFile,ZwSetInformationFile,RtlNtStatusToDosError, 0_2_00000001401BC979
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401C296F RtlDosPathNameToNtPathName_U,ZwSetInformationFile,RtlNtStatusToDosError,ZwClose, 0_2_00000001401C296F
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401BF96E ZwQueryInformationFile,RtlNtStatusToDosError,ZwSetInformationFile,RtlNtStatusToDosError, 0_2_00000001401BF96E
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401BB247 ZwCreateEvent, 0_2_00000001401BB247
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401BFA90 ZwCreateSection,ZwMapViewOfSection,RtlNtStatusToDosError,ZwClose,RtlNtStatusToDosError,ZwUnmapViewOfSection,ZwMapViewOfSection,RtlNtStatusToDosError,ZwUnmapViewOfSection,ZwClose, 0_2_00000001401BFA90
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001400082B0 PathCombineW,PathCombineW,HeapFree,StrTrimW,_wcslwr,_wcslwr,lstrcmpW,StrTrimW,lstrlenW,lstrlenW,HeapAlloc,_wcslwr,lstrcpyW,lstrcpyW,HeapFree,lstrcmpW,lstrcmpW,StrTrimW,StrTrimW,lstrcmpW,_snwprintf,_snwprintf,ZwClose, 0_2_00000001400082B0
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401B6AA9 ZwCreateFile,RtlNtStatusToDosError,ZwQueryDirectoryFile,RtlNtStatusToDosError,WaitForSingleObject,ZwClose,HeapFree, 0_2_00000001401B6AA9
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401BBADF ZwWriteFile,RtlNtStatusToDosError, 0_2_00000001401BBADF
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401BD6E7 HeapAlloc,RtlDosPathNameToNtPathName_U,ZwSetInformationFile,RtlNtStatusToDosError,ZwClose,HeapFree, 0_2_00000001401BD6E7
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401C2B01 ZwCreateFile,RtlNtStatusToDosError,RtlFreeUnicodeString, 0_2_00000001401C2B01
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401BA75C RtlDosPathNameToNtPathName_U,GetFileAttributesW,SetFileAttributesW,RtlDosPathNameToNtPathName_U,HeapAlloc,HeapFree,ZwClose,SetFileAttributesW, 0_2_00000001401BA75C
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401C0FD6 ZwQueryInformationFile,RtlNtStatusToDosError, 0_2_00000001401C0FD6
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401B8494 RtlDosPathNameToNtPathName_U,RtlAllocateHeap,RtlDosPathNameToNtPathName_U,NtSetInformationFile,RtlNtStatusToDosError,NtClose,HeapFree,RtlFreeUnicodeString, 1_2_00000001401B8494
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401BC979 ZwQueryInformationFile,NtSetInformationFile,RtlNtStatusToDosError, 1_2_00000001401BC979
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401C296F RtlDosPathNameToNtPathName_U,NtSetInformationFile,RtlNtStatusToDosError,ZwClose, 1_2_00000001401C296F
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401BF96E ZwQueryInformationFile,RtlNtStatusToDosError,NtSetInformationFile,RtlNtStatusToDosError, 1_2_00000001401BF96E
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401BFA90 ZwCreateSection,NtMapViewOfSection,RtlNtStatusToDosError,ZwClose,RtlNtStatusToDosError,NtUnmapViewOfSection,ZwMapViewOfSection,RtlNtStatusToDosError,ZwUnmapViewOfSection,NtClose, 1_2_00000001401BFA90
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401B6AA9 NtCreateFile,RtlNtStatusToDosError,NtQueryDirectoryFile,RtlNtStatusToDosError,WaitForSingleObject,NtClose,RtlReleasePrivilege, 1_2_00000001401B6AA9
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401BBADF NtWriteFile,RtlNtStatusToDosError, 1_2_00000001401BBADF
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401C2B01 NtCreateFile,RtlNtStatusToDosError,RtlFreeUnicodeString, 1_2_00000001401C2B01
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401BA75C RtlDosPathNameToNtPathName_U,GetFileAttributesW,SetFileAttributesW,RtlDosPathNameToNtPathName_U,RtlAllocateHeap,HeapFree,NtClose,SetFileAttributesW, 1_2_00000001401BA75C
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_0000000140004DE4 lstrlenW,RtlAllocateHeap,PathFindFileNameW,lstrcpyW,ZwClose,lstrcpyW,HeapFree, 1_2_0000000140004DE4
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_0000000140008FD8 RtlInitUnicodeString,RtlpNtOpenKey,RtlNtStatusToDosError,NtEnumerateKey,RtlNtStatusToDosError,NtClose, 1_2_0000000140008FD8
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_000000014000293C ZwQueryVirtualMemory,HeapAlloc,ZwQueryVirtualMemory,RtlNtStatusToDosError,HeapFree,RtlNtStatusToDosError, 1_2_000000014000293C
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401C0D0F lstrcatW,RtlDosPathNameToNtPathName_U,RtlDosPathNameToNtPathName_U,ZwClose, 1_2_00000001401C0D0F
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401B8D30 EnterCriticalSection,HeapFree,LeaveCriticalSection,DeleteCriticalSection,ZwClose, 1_2_00000001401B8D30
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401BB247 ZwCreateEvent, 1_2_00000001401BB247
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001400082B0 PathCombineW,PathCombineW,HeapFree,StrTrimW,_wcslwr,_wcslwr,lstrcmpW,StrTrimW,lstrlenW,lstrlenW,HeapAlloc,_wcslwr,lstrcpyW,lstrcpyW,HeapFree,lstrcmpW,lstrcmpW,StrTrimW,StrTrimW,lstrcmpW,_snwprintf,_snwprintf,ZwClose, 1_2_00000001400082B0
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401BD6E7 HeapAlloc,RtlDosPathNameToNtPathName_U,ZwSetInformationFile,RtlNtStatusToDosError,ZwClose,HeapFree, 1_2_00000001401BD6E7
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401C0FD6 ZwQueryInformationFile,RtlNtStatusToDosError, 1_2_00000001401C0FD6
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401BDDA1 0_2_00000001401BDDA1
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401B6AA9 0_2_00000001401B6AA9
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001400032D8 0_2_00000001400032D8
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401BA75C 0_2_00000001401BA75C
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0000000140009754 0_2_0000000140009754
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0000000140006BC8 0_2_0000000140006BC8
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401BBFD5 0_2_00000001401BBFD5
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401B6AA9 1_2_00000001401B6AA9
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401BA75C 1_2_00000001401BA75C
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401BDDA1 1_2_00000001401BDDA1
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001400032D8 1_2_00000001400032D8
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_0000000140009754 1_2_0000000140009754
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_0000000140006BC8 1_2_0000000140006BC8
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Code function: 1_2_00000001401BBFD5 1_2_00000001401BBFD5
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\TextNotepad\Unistore EA310CC4FD4E8669E014FF417286DA5EDF2D3BEF20ABFB0A4F4951AFE260D33D
      Source: Q1xEDBAmY5.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Unistore.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Q1xEDBAmY5.exe, 00000000.00000003.334294259.00000000004E4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassicStartMenu.exe< vs Q1xEDBAmY5.exe
      Source: Q1xEDBAmY5.exeBinary or memory string: OriginalFilenameClassicStartMenu.exe< vs Q1xEDBAmY5.exe
      Source: Q1xEDBAmY5.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: Unistore.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engineClassification label: mal100.rans.evad.winEXE@17/191@0/0
      Source: C:\Users\user\Desktop\Q1xEDBAmY5.exeCode function: 0_2_0000000140003734 GetDiskFreeSpaceExW,0_2_0000000140003734
      Source: C:\Users\user\Desktop\Q1xEDBAmY5.exeFile created: C:\Users\user\AppData\Roaming\TextNotepadJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3528:120:WilError_01
      Source: Q1xEDBAmY5.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Q1xEDBAmY5.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: Q1xEDBAmY5.exeMetadefender: Detection: 50%
      Source: Q1xEDBAmY5.exeReversingLabs: Detection: 82%
      Source: C:\Users\user\Desktop\Q1xEDBAmY5.exeFile read: C:\Users\user\Desktop\Q1xEDBAmY5.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Q1xEDBAmY5.exe 'C:\Users\user\Desktop\Q1xEDBAmY5.exe'
      Source: C:\Users\user\Desktop\Q1xEDBAmY5.exeProcess created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore C:\Users\user\AppData\Roaming\TextNotepad\Unistore /go
      Source: C:\Users\user\AppData\Roaming\TextNotepad\UnistoreProcess created: C:\Windows\System32\cmd.exe cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & del 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore' & rd 'C:\Users\user\AppData\Roaming\TextNotepad\'
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y
      Source: C:\Users\user\Desktop\Q1xEDBAmY5.exeProcess created: C:\Windows\System32\cmd.exe cmd /c waitfor /t 10 pause /d y & attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & del 'C:\Users\user\Desktop\Q1xEDBAmY5.exe' & rd 'C:\Users\user\Desktop\'
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore'
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe'
      Source: C:\Users\user\Desktop\Q1xEDBAmY5.exeProcess created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore C:\Users\user\AppData\Roaming\TextNotepad\Unistore /goJump to behavior
Source: Q1xEDBAmY5.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Q1xEDBAmY5.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Q1xEDBAmY5.exe | Static file information: File size 1915904 > 1048576
Source: Q1xEDBAmY5.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c9800

      Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Unpacked PE file: 0.2.Q1xEDBAmY5.exe.140000000.2.unpack .text:ER;.rdata:R;.data:W;.pdata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.pdata:R;.bss:R;.obX0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Unpacked PE file: 1.2.Unistore.140000000.2.unpack .text:ER;.rdata:R;.data:W;.pdata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.pdata:R;.bss:R;.obX0:ER;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Unpacked PE file: 0.2.Q1xEDBAmY5.exe.140000000.2.unpack
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Unpacked PE file: 1.2.Unistore.140000000.2.unpack
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_000000014000E00A push rdi; ret 0_2_000000014000E00B
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0000000140016CE6 push rcx; retf 0_2_0000000140016CF1
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401B8D30 push qword ptr [000000014000B0A0h]; ret 0_2_00000001401B8EA1
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_000000014001927A push rbp; iretd 0_2_000000014001928A
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001400AE6A0 push qword ptr [000000014000B328h]; ret 0_2_00000001400AE6A6
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0000000140017E9F push rdi; retf 0_2_0000000140017EAE
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_000000014009B6D7 push qword ptr [000000014000B330h]; ret 0_2_000000014009B6DD
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0000000140007BDD push rax; ret 0_2_0000000140007BE6
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02103A1F push edx; ret 0_2_02103A22
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02105A04 push FA262755h; retf 0_2_02105A0B
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_021062D4 push ecx; ret 0_2_021062FD
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_021052C6 push edx; iretd 0_2_021052D0
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02102360 push ecx; ret 0_2_02102389
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0210238B push ecx; ret 0_2_02102389
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02104BDE push ecx; ret 0_2_02104BE1
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02108BFD push ecx; ret 0_2_02108C19
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0210600B push ecx; iretd 0_2_02106040
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0210502E push ecx; ret 0_2_02105045
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0210384E push ebp; ret 0_2_02103858
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_021050E2 push ebp; iretd 0_2_02105158
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02107135 push 2E52FD49h; ret 0_2_02107153
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0210293E push edx; ret 0_2_02102985
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02105123 push ebp; iretd 0_2_02105158
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02105190 push ebp; iretd 0_2_02105158
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_021061AE push eax; retf 0_2_021061BB
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0210364E push 6879ACCAh; iretd 0_2_02103667
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02109EA3 push es; retf 0_2_02109EA8
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0210876D push esi; ret 0_2_021087A7
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02108791 push esi; ret 0_2_021087A7
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_02108F99 push ebx; ret 0_2_02108F9A
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_021047CD push 9D6EFE5Dh; ret 0_2_021047D3
Source: initial sample | Static PE information: section name: .text entropy: 7.93629055935

      Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | File created: C:\Users\user\AppData\Roaming\TextNotepad\Unistore
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\waitfor.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\waitfor.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\waitfor.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\waitfor.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

      Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | RDTSC instruction interceptor: First address: 0000000140174702 second address: 000000014017470C instructions: 0x00000000 rdtsc 0x00000002 cbw 0x00000004 pop edi 0x00000005 inc esp 0x00000006 xchg cl, ch 0x00000008 inc ecx 0x00000009 pop ebp 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | RDTSC instruction interceptor: First address: 000000014017A2D8 second address: 000000014017A2FE instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 inc ecx 0x00000004 pop ecx 0x00000005 inc eax 0x00000006 setnb ch 0x00000009 cmovo bp, di 0x0000000d dec ecx 0x0000000e movsx eax, bp 0x00000011 pop ecx 0x00000012 pop ebp 0x00000013 inc ecx 0x00000014 pop edx 0x00000015 lahf 0x00000016 pop ebx 0x00000017 inc ecx 0x00000018 mov bl, ACh 0x0000001a inc cx 0x0000001c movzx edx, dh 0x0000001f inc bp 0x00000021 cmovnle ebx, edx 0x00000024 inc ecx 0x00000025 pop ebx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | RDTSC instruction interceptor: First address: 00000001401486B6 second address: 00000001401486BF instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 inc ecx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 lahf 0x00000007 inc ecx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | RDTSC instruction interceptor: First address: 00000001401486B6 second address: 00000001401486BF instructions: 0x00000000 rdtsc 0x00000002 cdq 0x00000003 inc ecx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 lahf 0x00000007 inc ecx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_000000014013B8F9 rdtsc 0_2_000000014013B8F9
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | API coverage: 9.9 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_00000001401B86FF GetLogicalDriveStringsW,HeapAlloc,GetLogicalDriveStringsW,lstrlenW,QueryDosDeviceW,lstrlenW,StrCmpNIW,HeapFree,0_2_00000001401B86FF
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_000000014013B8F9 rdtsc 0_2_000000014013B8F9
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -h 'C:\Users\user\AppData\Roaming\TextNotepad\Unistore'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\waitfor.exe waitfor /t 10 pause /d y
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -h 'C:\Users\user\Desktop\Q1xEDBAmY5.exe'
Source: C:\Users\user\Desktop\Q1xEDBAmY5.exe | Code function: 0_2_0000000140007D62 GetVersion,lstrlenW,lstrlenW,HeapFree,HeapFree,0_2_0000000140007D62
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\Default\Documents
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\user\Documents\ZTGJILHXQB
Source: C:\Users\user\AppData\Roaming\TextNotepad\Unistore | Directory queried: C:\Users\Public\Documents

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter (1) | Path Interception | Process Injection (11) | Masquerading (11) | OS Credential Dumping | Security Software Discovery (21) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1)
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (11) | LSASS Memory | File and Directory Discovery (11) | Remote Desktop Protocol | Data from Local System (1) | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (2) | Security Account Manager | System Information Discovery (14) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (22) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion (1) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings

      Behavior Graph

[Behavior graph image not available] Behavior Graph ID: 377652, Sample: Q1xEDBAmY5, Startdate: 29/03/2021, Architecture: WINDOWS, Score: 100
Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Found ransom note / readme; 2 other signatures
Q1xEDBAmY5.exe: dropped C:\Users\user\AppData\Roaming\...\Unistore (PE32+) and C:\Users\user\...\Unistore:Zone.Identifier (ASCII); signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Tries to detect virtualization through RDTSC time measurements; started Unistore and cmd.exe
Unistore: dropped C:\MSOCache\...\HOW-TO-DECRYPT-gn9cj.txt (Little-endian) and C:\Users\user\Desktop\VAMYDFPUND.pdf.gn9cj (COM); signatures: Multi AV Scanner detection for dropped file, Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), 3 other signatures; started cmd.exe
Each cmd.exe (signature: Uses cmd line tools excessively to alter registry or file data) started conhost.exe, waitfor.exe and attrib.exe

      Screenshots
