Play interactive tour

Edit tour

Analysis Report WDnE51mua6.exe

Overview

General Information

Sample Name:	WDnE51mua6.exe
Analysis ID:	383838
MD5:	7e7012645cc3d6d3572bb01891fbcec1
SHA1:	712fe21354098f3764f6e9cbe7b57dc67a65c478
SHA256:	df116f3585f1fe4b00c351a2941f6b85565e1fcc6da5569c6f7c80ddd1b4e2a8
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Submitted sample is a known malware sample

Contains functionality to register a low level keyboard hook

Creates processes via WMI

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Machine Learning detection for sample

Obfuscated command line found

Tries to harvest and steal browser information (history, passwords, etc)

Uses nslookup.exe to query domains

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

WDnE51mua6.exe (PID: 3000 cmdline: 'C:\Users\user\Desktop\WDnE51mua6.exe' MD5: 7E7012645CC3D6D3572BB01891FBCEC1)

svchost.exe (PID: 5744 cmdline: 'C:\Windows\System32\svchost.exe' MD5: FA6C268A5B5BDA067A901764D203D433)

cmd.exe (PID: 3908 cmdline: 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5720 cmdline: CmD MD5: F3BDBE3BB6F734E357235F4D5898582D)

findstr.exe (PID: 4808 cmdline: findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd MD5: 8B534A7FC0630DE41BB1F98C882C19EC)

Gia.exe.com (PID: 2904 cmdline: Gia.exe.com D MD5: 78BA0653A340BAC5FF152B21A83626CC)

Gia.exe.com (PID: 5596 cmdline: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D MD5: 78BA0653A340BAC5FF152B21A83626CC)

nslookup.exe (PID: 6348 cmdline: C:\Windows\SysWOW64\nslookup.exe MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

PING.EXE (PID: 5044 cmdline: ping 127.0.0.1 -n 30 MD5: 70C24A306F768936563ABDADB9CA9108)

wscript.exe (PID: 5868 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

juROhmfLml.exe.com (PID: 6204 cmdline: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\I MD5: 78BA0653A340BAC5FF152B21A83626CC)

nslookup.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\nslookup.exe MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)

cmd.exe (PID: 5192 cmdline: cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6308 cmdline: cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 580 cmdline: wmic process get Name MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)

cmd.exe (PID: 3624 cmdline: cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

makecab.exe (PID: 5036 cmdline: makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp' MD5: D0D74264402D9F402615F22258330EC8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juROhmfLml.url

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.php	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/kh=	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/8	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/hi0	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.phpmit	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.phpp/hi0	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/#hu	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/5hc	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/ography	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/sFt	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/Dg	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/Vg	Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/oi9	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for submitted file

Show sources

Source: WDnE51mua6.exe	Virustotal: Detection: 41%			Perma Link
Source: WDnE51mua6.exe	ReversingLabs: Detection: 64%

Machine Learning detection for sample

Show sources

Source: WDnE51mua6.exe

Joe Sandbox ML: detected

Source: WDnE51mua6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 8.208.95.18:443 -> 192.168.2.6:49730 version: TLS 1.2

Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00409931 ??2@YAPAXI@Z,FindFirstFileW,FindClose,	0_2_00409931
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00404402 FindFirstFileW,FindClose,SetLastError,CompareFileTime,	0_2_00404402
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00403327 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	0_2_00403327
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00403442 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW,	0_2_00403442
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_0091E334 GetFileAttributesW,FindFirstFileW,FindClose,	6_2_0091E334
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0028E334 GetFileAttributesW,FindFirstFileW,FindClose,	12_2_0028E334
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0029A32C FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_0029A32C
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002965AE FindFirstFileW,FindNextFileW,FindClose,	12_2_002965AE
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0025C6C2 FindFirstFileExW,	12_2_0025C6C2
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00297205 FindFirstFileW,FindClose,	12_2_00297205
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002972A6 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	12_2_002972A6
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0028D7CC FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_0028D7CC
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0028DB0B FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_0028DB0B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00299E43 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00299E43
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00299F9E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00299F9E

Networking:

Uses nslookup.exe to query domains

Show sources

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe	Jump to behavior

Uses ping.exe to check the status of other devices and networks

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30

Source: Joe Sandbox View	IP Address: 8.208.95.18 8.208.95.18
Source: Joe Sandbox View	IP Address: 8.208.95.18 8.208.95.18

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_0029D672 InternetReadFile,SetEvent,GetLastError,SetEvent,

12_2_0029D672

Source: unknown

DNS traffic detected: queries for: zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR

Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: nslookup.exe, 00000010.00000003.514415275.0000000003B97000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: nslookup.exe, 00000010.00000003.514235035.0000000003B7E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DST#
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0-
Source: nslookup.exe, 00000010.00000003.582514052.0000000003BB4000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Gia.exe.com, 00000006.00000000.354716969.0000000000985000.00000002.00020000.sdmp, Gia.exe.com, 00000007.00000002.502867230.0000000000985000.00000002.00020000.sdmp, juROhmfLml.exe.com, 0000000C.00000002.529162484.00000000002F5000.00000002.00020000.sdmp, Gia.exe.com.5.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp, nslookup.exe, 00000010.00000003.584413680.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/#hu
Source: nslookup.exe, 00000010.00000002.591863693.0000000003B64000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491
Source: nslookup.exe, 00000010.00000002.591717257.0000000003B30000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/5hc
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/8
Source: nslookup.exe, 00000010.00000003.584413680.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/Dg
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/Vg
Source: nslookup.exe, 00000010.00000003.536247326.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/hi0
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/kh=
Source: nslookup.exe, 00000010.00000002.591956638.0000000003B7E000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/ography
Source: nslookup.exe, 00000010.00000003.544012619.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/oi9
Source: nslookup.exe, 00000010.00000002.591863693.0000000003B64000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/sFt
Source: nslookup.exe, 00000010.00000002.591747509.0000000003B37000.00000004.00000020.sdmp	String found in binary or memory: https://banusdoret.top/upload/upload.php
Source: nslookup.exe, 00000010.00000003.532175709.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/upload/upload.phpmit
Source: nslookup.exe, 00000010.00000003.532175709.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.top/upload/upload.phpp/hi0
Source: nslookup.exe, 00000010.00000003.567033832.0000000003BE2000.00000004.00000001.sdmp	String found in binary or memory: https://banusdoret.topctionSettings
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Gia.exe.com.5.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Gia.exe.com, 00000007.00000003.481000705.0000000003800000.00000004.00000001.sdmp, Gia.exe.com.5.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 8.208.95.18:443 -> 192.168.2.6:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00408D9C SetWindowsHookExW 00000002,Function_00008D6E,00000000,00000000

0_2_00408D9C

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_0029F345 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

12_2_0029F345

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

12_2_0029F345

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com

Code function: 6_2_008B1976 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

6_2_008B1976

Source: WDnE51mua6.exe, 00000000.00000002.486248274.00000000007DA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_002B9B7E DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

12_2_002B9B7E

System Summary:

Submitted sample is a known malware sample

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Dropped file: MD5: ac6ad5d9b99757c3a878f2d275ace198 Family: APT37 Alias: Reaper group, Geumseong121, Group 123, Scarcruft, APT-S-008, Red Eyes, TEMP.Reaper, Ricochet Chollima, sun team, APT37 Description: APT37 is a suspected North Korean cyber espionage group that has been in operation since at least 2012. Their targets are primarily located in South Korea, but also Japan, Vietnam, Russia, China, India, and some of the countries in the Middle East. A wider range of industries are affected, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities References: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf https://securelist.com/operation-daybreak/75100/https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/Data Source: https://github.com/RedDrip7/APT_Digital_Weapon

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_00294635: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

12_2_00294635

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_00281A7B LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

12_2_00281A7B

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_0028F0CD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

12_2_0028F0CD

Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00406024	0_2_00406024
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041C873	0_2_0041C873
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041A836	0_2_0041A836
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040B140	0_2_0040B140
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_004171F6	0_2_004171F6
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040B9A0	0_2_0040B9A0
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040AAA0	0_2_0040AAA0
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040B350	0_2_0040B350
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040A3F0	0_2_0040A3F0
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041543A	0_2_0041543A
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040C4E0	0_2_0040C4E0
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041C501	0_2_0041C501
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041BD00	0_2_0041BD00
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0041C5DB	0_2_0041C5DB
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040A5B0	0_2_0040A5B0
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00410740	0_2_00410740
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_00405729	0_2_00405729
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: 0_2_0040FFD8	0_2_0040FFD8
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008D80C7	6_2_008D80C7
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008EE920	6_2_008EE920
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008E6B8B	6_2_008E6B8B
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008DCEC0	6_2_008DCEC0
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008DE600	6_2_008DE600
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008D7E6A	6_2_008D7E6A
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Code function: 6_2_008D17B4	6_2_008D17B4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00242097	12_2_00242097
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002480C7	12_2_002480C7
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002221FD	12_2_002221FD
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0025A30E	12_2_0025A30E
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00242352	12_2_00242352
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0023C45C	12_2_0023C45C
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002AC5C4	12_2_002AC5C4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002928D7	12_2_002928D7
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0025E920	12_2_0025E920
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00288AB4	12_2_00288AB4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0023CBB2	12_2_0023CBB2
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00256B8B	12_2_00256B8B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0024CEC0	12_2_0024CEC0
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002B4F4F	12_2_002B4F4F
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0022D000	12_2_0022D000
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002571F9	12_2_002571F9
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00229540	12_2_00229540
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_002417B4	12_2_002417B4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00229A20	12_2_00229A20
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00241B26	12_2_00241B26
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00247C3B	12_2_00247C3B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00241DD0	12_2_00241DD0
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00247E6A	12_2_00247E6A
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00229E80	12_2_00229E80
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_0023DF78	12_2_0023DF78
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B97C2C	16_3_03B97C2C
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B97C2C	16_3_03B97C2C
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B97C2C	16_3_03B97C2C
Source: C:\Windows\SysWOW64\nslookup.exe	Code function: 16_3_03B97C2C	16_3_03B97C2C

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com 05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: String function: 00240E50 appears 46 times
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: String function: 0023FE52 appears 39 times
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Code function: String function: 00404F59 appears 41 times

Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: WDnE51mua6.exe, 00000000.00000002.489362010.0000000002B50000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.489362010.0000000002B50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.485886366.0000000000427000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.488920190.0000000002A50000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs WDnE51mua6.exe
Source: WDnE51mua6.exe	Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs WDnE51mua6.exe

Source: WDnE51mua6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@35/26@3/3

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00409684 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

0_2_00409684

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00281939 AdjustTokenPrivileges,CloseHandle,		12_2_00281939
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Code function: 12_2_00281F3D LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		12_2_00281F3D

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_004023DF GetDiskFreeSpaceExW,SendMessageW,

0_2_004023DF

Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com

Code function: 12_2_002AADEE CreateToolhelp32Snapshot,Process32FirstW,CompareStringW,Process32NextW,CloseHandle,

12_2_002AADEE

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00409332 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow,

0_2_00409332

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Code function: 0_2_00403908 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetProcAddress,GetProcAddress,wsprintfW,GetProcAddress,

0_2_00403908

Source: C:\Users\user\Desktop\WDnE51mua6.exe

File created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_01

Source: C:\Windows\SysWOW64\nslookup.exe

File created: C:\Users\user\AppData\Local\Temp\chrB32.tmp

Jump to behavior

Source: WDnE51mua6.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process

Source: C:\Users\user\Desktop\WDnE51mua6.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\WDnE51mua6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: WDnE51mua6.exe	Virustotal: Detection: 41%
Source: WDnE51mua6.exe	ReversingLabs: Detection: 64%

Source: C:\Users\user\Desktop\WDnE51mua6.exe

File read: C:\Users\user\Desktop\WDnE51mua6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\WDnE51mua6.exe 'C:\Users\user\Desktop\WDnE51mua6.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Windows\System32\svchost.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe CmD
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Gia.exe.com D
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\I
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com	Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\nslookup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report WDnE51mua6.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary: