Play interactive tour

Edit tour

Analysis Report 9nZ3r5ZN45

Overview

General Information

Sample Name:	9nZ3r5ZN45 (renamed file extension from none to exe)
Analysis ID:	377823
MD5:	910fe72c4f1bd5a451561f732d94a8b8
SHA1:	a93ebdd16c5862b178d6e5c58d3e074df772a021
SHA256:	6beb4a5bcbdaf33f697eea6a4f7f2e9704cc88c20c265d0ce42287d930d06345
Infos:
Most interesting Screenshot:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to detect sleep reduction / modifications

Drops executables to the windows directory (C:\Windows) and starts them

Injects files into Windows application

Sigma detected: Executables Started in Suspicious Folder

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

File is packed with WinRar

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Starts Microsoft Word (often done to prevent that the user detects that something wrong)

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

9nZ3r5ZN45.exe (PID: 6004 cmdline: 'C:\Users\user\Desktop\9nZ3r5ZN45.exe' MD5: 910FE72C4F1BD5A451561F732D94A8B8)

LibHelper.exe (PID: 6076 cmdline: 'C:\Windows\Help\Windows\LibHelper.exe' MD5: 813B19969C3B67C6BB1369433142021A)

WINWORD.EXE (PID: 5572 cmdline: 'C:\Windows\Help\Windows\WINWORD.EXE' MD5: 15E52F52ED2B8ED122FAE897119687C4)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Help\Windows\wwlib.dll	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x53890:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0

Sigma Overview

System Summary:

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Help\Windows\LibHelper.exe' , CommandLine: 'C:\Windows\Help\Windows\LibHelper.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Help\Windows\LibHelper.exe, NewProcessName: C:\Windows\Help\Windows\LibHelper.exe, OriginalFileName: C:\Windows\Help\Windows\LibHelper.exe, ParentCommandLine: 'C:\Users\user\Desktop\9nZ3r5ZN45.exe' , ParentImage: C:\Users\user\Desktop\9nZ3r5ZN45.exe, ParentProcessId: 6004, ProcessCommandLine: 'C:\Windows\Help\Windows\LibHelper.exe' , ProcessId: 6076

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Windows\Help\Windows\wwlib.dll

Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\Help\Windows\LibHelper.exe	ReversingLabs: Detection: 16%
Source: C:\Windows\Help\Windows\wwlib.dll	ReversingLabs: Detection: 16%

Multi AV Scanner detection for submitted file

Show sources

Source: 9nZ3r5ZN45.exe	Virustotal: Detection: 50%			Perma Link
Source: 9nZ3r5ZN45.exe	ReversingLabs: Detection: 25%

Source: 2.2.WINWORD.EXE.6d860000.3.unpack

Avira: Label: TR/Crypt.XPACK.Gen2

Source: 9nZ3r5ZN45.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Windows\Help\Windows\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

Jump to behavior

Source: 9nZ3r5ZN45.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9nZ3r5ZN45.exe
Source:	Binary string: t:\word\x86\ship\0\winword.pdb6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, WINWORD.EXE.0.dr
Source:	Binary string: 6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr
Source:	Binary string: t:\word\x86\ship\0\winword.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083A383 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0083A383
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084B014 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0084B014
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0085A02E FindFirstFileExA,	0_2_0085A02E
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01075746 FindFirstFileExW,	1_2_01075746
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D868875 FindFirstFileExW,	2_2_6D868875
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03039CCD FindFirstFileExW,	2_2_03039CCD

Source: WINWORD.EXE, 00000002.00000002.462716320.0000000003030000.00000040.00000001.sdmp

String found in binary or memory: http://%s%08x.txtc:

Source: WINWORD.EXE, 00000002.00000002.462222699.000000000164A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_008370B9: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_008370B9

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File created: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File deleted: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_008462E0	0_2_008462E0
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00838458	0_2_00838458
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0085C100	0_2_0085C100
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00850113	0_2_00850113
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083320E	0_2_0083320E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084F3CA	0_2_0084F3CA
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00843446	0_2_00843446
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0085C5AE	0_2_0085C5AE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083F5FB	0_2_0083F5FB
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083E546	0_2_0083E546
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00850548	0_2_00850548
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_008606A4	0_2_008606A4
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_008436C1	0_2_008436C1
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00846715	0_2_00846715
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083277D	0_2_0083277D
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084F8C6	0_2_0084F8C6
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083E9A9	0_2_0083E9A9
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_008439F2	0_2_008439F2
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00845911	0_2_00845911
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083DB11	0_2_0083DB11
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083BB6E	0_2_0083BB6E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084FCDE	0_2_0084FCDE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00853D1A	0_2_00853D1A
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00846D4E	0_2_00846D4E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00835EAB	0_2_00835EAB
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00833FBD	0_2_00833FBD
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083DF48	0_2_0083DF48
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00853F49	0_2_00853F49
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_0107B4DD	1_2_0107B4DD
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D86E601	2_2_6D86E601
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03058BD0	2_2_03058BD0
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303F81C	2_2_0303F81C
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303C0D0	2_2_0303C0D0
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0306F631	2_2_0306F631
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303F6FC	2_2_0303F6FC
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303C568	2_2_0303C568
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_030415A0	2_2_030415A0
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03031406	2_2_03031406
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_030354BB	2_2_030354BB

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: String function: 0084E2F0 appears 31 times
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: String function: 0084D8C4 appears 38 times
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: String function: 0084D9C0 appears 51 times

Source: 9nZ3r5ZN45.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9nZ3r5ZN45.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WINWORD.EXE.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LibHelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LibHelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LibHelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LibHelper.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 9nZ3r5ZN45.exe, 00000000.00000003.198404389.0000000000666000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewlib.dll2 vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203395406.0000000004AF0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203395406.0000000004AF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.203238414.00000000049F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 9nZ3r5ZN45.exe
Source: 9nZ3r5ZN45.exe, 00000000.00000002.202920472.00000000026C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 9nZ3r5ZN45.exe

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: 9nZ3r5ZN45.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Windows\Help\Windows\wwlib.dll, type: DROPPED

Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-03-09

Source: classification engine

Classification label: mal80.evad.winEXE@5/3@0/0

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_00836E20 GetLastError,FormatMessageW,

0_2_00836E20

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: RegOpenKeyExA,RegGetValueA,RegSetValueExA,OpenSCManagerA,GetLastError,CloseHandle,FindCloseChangeNotification,CloseHandle,CreateServiceA,ChangeServiceConfig2A,RegOpenKeyExA,RegCreateKeyA,RegSetValueExA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0303107D

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_008496AD FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_008496AD

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_0303107D RegOpenKeyExA,RegGetValueA,RegSetValueExA,OpenSCManagerA,GetLastError,CloseHandle,FindCloseChangeNotification,CloseHandle,CreateServiceA,ChangeServiceConfig2A,RegOpenKeyExA,RegCreateKeyA,RegSetValueExA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

2_2_0303107D

Source: C:\Windows\Help\Windows\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\edgDDEA.tmp

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Command line argument: sfxname	0_2_0084CC0E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Command line argument: sfxstime	0_2_0084CC0E
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Command line argument: STARTDLG	0_2_0084CC0E
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: PcHelper	1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: PCHELPER	1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: @Cw	1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: PCHELPER	1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: PcHelper	1_2_010710A0
Source: C:\Windows\Help\Windows\LibHelper.exe	Command line argument: PCHELPER	1_2_010710A0
Source: C:\Windows\Help\Windows\WINWORD.EXE	Command line argument: wwlib.dll	2_2_2FF1159F
Source: C:\Windows\Help\Windows\WINWORD.EXE	Command line argument: FMain	2_2_2FF1159F

Source: 9nZ3r5ZN45.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9nZ3r5ZN45.exe	Virustotal: Detection: 50%
Source: 9nZ3r5ZN45.exe	ReversingLabs: Detection: 25%

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File read: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9nZ3r5ZN45.exe 'C:\Users\user\Desktop\9nZ3r5ZN45.exe'
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\LibHelper.exe 'C:\Windows\Help\Windows\LibHelper.exe'
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\WINWORD.EXE 'C:\Windows\Help\Windows\WINWORD.EXE'
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\LibHelper.exe 'C:\Windows\Help\Windows\LibHelper.exe'	Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\WINWORD.EXE 'C:\Windows\Help\Windows\WINWORD.EXE'	Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\Help\Windows\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll

Jump to behavior

Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9nZ3r5ZN45.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 9nZ3r5ZN45.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: 9nZ3r5ZN45.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 9nZ3r5ZN45.exe
Source:	Binary string: t:\word\x86\ship\0\winword.pdb6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, 00000002.00000002.462834723.000000002FF11000.00000020.00020000.sdmp, WINWORD.EXE.0.dr
Source:	Binary string: 6\ship\0\winword.exe\bbtopt\winwordO.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr
Source:	Binary string: t:\word\x86\ship\0\winword.pdb source: WINWORD.EXE, WINWORD.EXE.0.dr

Source: 9nZ3r5ZN45.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9nZ3r5ZN45.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9nZ3r5ZN45.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9nZ3r5ZN45.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9nZ3r5ZN45.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File created: C:\Windows\Help\Windows\__tmp_rar_sfx_access_check_5689109

Jump to behavior

Source: wwlib.dll.0.dr	Static PE information: section name: .detourc
Source: wwlib.dll.0.dr	Static PE information: section name: .detourd

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084E336 push ecx; ret	0_2_0084E349
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084D8C4 push eax; ret	0_2_0084D8E2
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01071F24 push ecx; ret	1_2_01071F36
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_2FF1153C push ecx; ret	2_2_2FF1154F
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D864F04 push ecx; ret	2_2_6D864F16
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0305931B push ecx; ret	2_2_03059319
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03032E74 push ecx; ret	2_2_03032E86

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Executable created and started: C:\Windows\Help\Windows\LibHelper.exe			Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Executable created and started: C:\Windows\Help\Windows\WINWORD.EXE			Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\wwlib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\LibHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\WINWORD.EXE	Jump to dropped file

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\wwlib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\LibHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	File created: C:\Windows\Help\Windows\WINWORD.EXE	Jump to dropped file

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\WINWORD.EXE
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\WINWORD.EXE			Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Help\Windows\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_6D861351

2_2_6D861351

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_03062842 rdtsc

2_2_03062842

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_6D861351

2_2_6D861351

Source: C:\Windows\Help\Windows\LibHelper.exe TID: 4660	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\Help\Windows\WINWORD.EXE TID: 5560	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\Windows\Help\Windows\WINWORD.EXE TID: 5560	Thread sleep time: -111000s >= -30000s	Jump to behavior

Source: C:\Windows\Help\Windows\WINWORD.EXE	Last function: Thread delayed
Source: C:\Windows\Help\Windows\WINWORD.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0083A383 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_0083A383
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084B014 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0084B014
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0085A02E FindFirstFileExA,	0_2_0085A02E
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01075746 FindFirstFileExW,	1_2_01075746
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D868875 FindFirstFileExW,	2_2_6D868875
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03039CCD FindFirstFileExW,	2_2_03039CCD

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0084D3A8 VirtualQuery,GetSystemInfo,

0_2_0084D3A8

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_03062842 rdtsc

2_2_03062842

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0084E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0084E4F5

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_2FF116C4 GetLastError,OutputDebugStringA,

2_2_2FF116C4

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00856B19 mov eax, dword ptr fs:[00000030h]	0_2_00856B19
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01075478 mov eax, dword ptr fs:[00000030h]	1_2_01075478
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01073CED mov eax, dword ptr fs:[00000030h]	1_2_01073CED
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D868442 mov eax, dword ptr fs:[00000030h]	2_2_6D868442
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D866F25 mov eax, dword ptr fs:[00000030h]	2_2_6D866F25
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03051188 mov eax, dword ptr fs:[00000030h]	2_2_03051188
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03069722 mov eax, dword ptr fs:[00000030h]	2_2_03069722
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03035F74 mov eax, dword ptr fs:[00000030h]	2_2_03035F74
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03067E15 mov eax, dword ptr fs:[00000030h]	2_2_03067E15
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_030696DE mov eax, dword ptr fs:[00000030h]	2_2_030696DE
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03052D21 mov eax, dword ptr fs:[00000030h]	2_2_03052D21
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303946E mov eax, dword ptr fs:[00000030h]	2_2_0303946E

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0085ACFC GetProcessHeap,

0_2_0085ACFC

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084E643 SetUnhandledExceptionFilter,	0_2_0084E643
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0084E4F5
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_0084E7FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0084E7FC
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Code function: 0_2_00857C57 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00857C57
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01071C8F SetUnhandledExceptionFilter,	1_2_01071C8F
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_010719D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_010719D8
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_010736EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_010736EF
Source: C:\Windows\Help\Windows\LibHelper.exe	Code function: 1_2_01071AF9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_01071AF9
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_2FF11B2C IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	2_2_2FF11B2C
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D86497A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6D86497A
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D8667F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D8667F2
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_6D864A9B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D864A9B
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03032289 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_03032289
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_0303760D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0303760D
Source: C:\Windows\Help\Windows\WINWORD.EXE	Code function: 2_2_03032CAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_03032CAF

HIPS / PFW / Operating System Protection Evasion:

Injects files into Windows application

Show sources

Source: C:\Windows\Help\Windows\WINWORD.EXE

Injected file: C:\Windows\Help\Windows\wwlib.dll was created by C:\Users\user\Desktop\9nZ3r5ZN45.exe

Jump to behavior

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\LibHelper.exe 'C:\Windows\Help\Windows\LibHelper.exe'			Jump to behavior
Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe	Process created: C:\Windows\Help\Windows\WINWORD.EXE 'C:\Windows\Help\Windows\WINWORD.EXE'			Jump to behavior

Source: C:\Windows\Help\Windows\WINWORD.EXE

Code function: 2_2_6D8611F0 GetCurrentThread,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateFileMappingA,MapViewOfFile,CreateThread,GetLastError,FindCloseChangeNotification,UnmapViewOfFile,

2_2_6D8611F0

Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: LibHelper.exe, 00000001.00000002.462552264.0000000001430000.00000002.00000001.sdmp, WINWORD.EXE, 00000002.00000002.462301547.0000000001940000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0084E34B cpuid

0_2_0084E34B

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00849E0C

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0084CC0E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,

0_2_0084CC0E

Source: C:\Users\user\Desktop\9nZ3r5ZN45.exe

Code function: 0_2_0083AA39 GetVersionExW,

0_2_0083AA39

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Windows Service2	Windows Service2	Masquerading12	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Service Execution1	DLL Side-Loading1	Process Injection112	Virtualization/Sandbox Evasion2	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	DLL Side-Loading1	Process Injection112	Security Account Manager	Security Software Discovery26	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	System Information Discovery24	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 9nZ3r5ZN45

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Dropped Files

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails