Analysis Report WDnE51mua6.exe

Overview

General Information

Sample Name: WDnE51mua6.exe
Analysis ID: 383838
MD5: 7e7012645cc3d6d3572bb01891fbcec1
SHA1: 712fe21354098f3764f6e9cbe7b57dc67a65c478
SHA256: df116f3585f1fe4b00c351a2941f6b85565e1fcc6da5569c6f7c80ddd1b4e2a8
Tags: exe
Most interesting Screenshot:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for sample
Obfuscated command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • WDnE51mua6.exe (PID: 3000 cmdline: 'C:\Users\user\Desktop\WDnE51mua6.exe' MD5: 7E7012645CC3D6D3572BB01891FBCEC1)
    • svchost.exe (PID: 5744 cmdline: 'C:\Windows\System32\svchost.exe' MD5: FA6C268A5B5BDA067A901764D203D433)
    • cmd.exe (PID: 3908 cmdline: 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5720 cmdline: CmD MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • findstr.exe (PID: 4808 cmdline: findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd MD5: 8B534A7FC0630DE41BB1F98C882C19EC)
        • Gia.exe.com (PID: 2904 cmdline: Gia.exe.com D MD5: 78BA0653A340BAC5FF152B21A83626CC)
          • Gia.exe.com (PID: 5596 cmdline: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D MD5: 78BA0653A340BAC5FF152B21A83626CC)
            • nslookup.exe (PID: 6348 cmdline: C:\Windows\SysWOW64\nslookup.exe MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
        • PING.EXE (PID: 5044 cmdline: ping 127.0.0.1 -n 30 MD5: 70C24A306F768936563ABDADB9CA9108)
  • wscript.exe (PID: 5868 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • juROhmfLml.exe.com (PID: 6204 cmdline: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\I MD5: 78BA0653A340BAC5FF152B21A83626CC)
    • nslookup.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\nslookup.exe MD5: 8E82529D1475D67615ADCB4E1B8F4EEC)
      • cmd.exe (PID: 5192 cmdline: cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6308 cmdline: cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 580 cmdline: wmic process get Name MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • cmd.exe (PID: 3624 cmdline: cmd /c makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • makecab.exe (PID: 5036 cmdline: makecab /V3 'C:\Users\user\AppData\Local\Temp\4624a8e10d6df3306e1dd46223b6b1968208dd49' 'C:\Users\user\AppData\Local\Temp\chr2302.tmp' MD5: D0D74264402D9F402615F22258330EC8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juROhmfLml.url

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd491 | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49r | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.php | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/kh= | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/8 | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/hi0 | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.phpmit | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/upload/upload.phpp/hi0 | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/#hu | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49 | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/5hc | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/ography | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/4624a8e10d6df3306e1dd46223b6b1968208dd49lcanoconiosispZ | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/ | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/sFt | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/Dg | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/Vg | Avira URL Cloud: Label: phishing
Source: https://banusdoret.top/oi9 | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for submitted file
Source: WDnE51mua6.exe | Virustotal: Detection: 41%
Source: WDnE51mua6.exe | ReversingLabs: Detection: 64%
Machine Learning detection for sample
Source: WDnE51mua6.exe | Joe Sandbox ML: detected
Source: WDnE51mua6.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Networking:

Uses nslookup.exe to query domains
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: Joe Sandbox View | IP Address: 8.208.95.18
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_0029D672 InternetReadFile,SetEvent,GetLastError,SetEvent | 12_2_0029D672
Source: unknown | DNS traffic detected: queries for: zjZFqZYoOtpryMyR.zjZFqZYoOtpryMyR
Source: unknown | HTTPS traffic detected: 8.208.95.18:443 -> 192.168.2.6:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_00408D9C SetWindowsHookExW 00000002,Function_00008D6E,00000000,00000000 | 0_2_00408D9C
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_0029F345 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 12_2_0029F345
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.comCode function: 12_2_0029F345 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,12_2_0029F345
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.comCode function: 6_2_008B1976 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,6_2_008B1976
Source: WDnE51mua6.exe, 00000000.00000002.486248274.00000000007DA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.comCode function: 12_2_002B9B7E DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,12_2_002B9B7E

System Summary:

Submitted sample is a known malware sample
Source: C:\Windows\SysWOW64\cmd.exe | Dropped file: MD5: ac6ad5d9b99757c3a878f2d275ace198 | Family: APT37 | Alias: Reaper group, Geumseong121, Group 123, Scarcruft, APT-S-008, Red Eyes, TEMP.Reaper, Ricochet Chollima, sun team, APT37 | Description: APT37 is a suspected North Korean cyber espionage group that has been in operation since at least 2012. Its targets are primarily located in South Korea, but also Japan, Vietnam, Russia, China, India and some countries in the Middle East. A wide range of industries is affected, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. | References: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf ; https://securelist.com/operation-daybreak/75100/ ; https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ | Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
This family label rests on a single MD5 match: one file written by cmd.exe matched an entry in a community-maintained APT hash list. A dropped-file hash says that one component appears in that list, not that the whole chain is that group's tooling; weigh the label against the behaviour recorded below (7-Zip SFX outer layer, .exe.com stages produced with findstr, nslookup.exe used as a host process for further commands) before acting on it.
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00294635 GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00281A7B LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_0028F0CD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_00406024
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0041C873
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0041A836
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0040B140
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_004171F6
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0040B9A0
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0040AAA0
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0040B350
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0040A3F0
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0041543A
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0040C4E0
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0041C501
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0041BD00
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0041C5DB
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0040A5B0
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_00410740
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_00405729
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_0040FFD8
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | Code function: 6_2_008D80C7
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | Code function: 6_2_008EE920
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | Code function: 6_2_008E6B8B
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | Code function: 6_2_008DCEC0
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | Code function: 6_2_008DE600
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | Code function: 6_2_008D7E6A
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | Code function: 6_2_008D17B4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00242097
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_002480C7
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_002221FD
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_0025A30E
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00242352
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_0023C45C
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_002AC5C4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_002928D7
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_0025E920
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00288AB4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_0023CBB2
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00256B8B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_0024CEC0
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_002B4F4F
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_0022D000
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_002571F9
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00229540
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_002417B4
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00229A20
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00241B26
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00247C3B
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00241DD0
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00247E6A
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00229E80
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_0023DF78
Source: C:\Windows\SysWOW64\nslookup.exe | Code function: 16_3_03B97C2C
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com 05D8CF394190F3A707ABFB25FB44D7DA9D5F533D7D2063B23C00CC11253C8BE7
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: String function: 00240E50 appears 46 times
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: String function: 0023FE52 appears 39 times
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: String function: 00404F59 appears 41 times
Source: juROhmfLml.exe.com.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: juROhmfLml.exe.com.7.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WDnE51mua6.exe, 00000000.00000002.489362010.0000000002B50000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.489362010.0000000002B50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.485886366.0000000000427000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs WDnE51mua6.exe
Source: WDnE51mua6.exe, 00000000.00000002.488920190.0000000002A50000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs WDnE51mua6.exe
Source: WDnE51mua6.exe | Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs WDnE51mua6.exe
Source: WDnE51mua6.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@35/26@3/3
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_00409684 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00281939 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_00281F3D LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_004023DF GetDiskFreeSpaceExW,SendMessageW
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Code function: 12_2_002AADEE CreateToolhelp32Snapshot,Process32FirstW,CompareStringW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_00409332 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Code function: 0_2_00403908 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,GetProcAddress,GetProcAddress,wsprintfW,GetProcAddress
Source: C:\Users\user\Desktop\WDnE51mua6.exe | File created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4188:120:WilError_01
Source: C:\Windows\SysWOW64\nslookup.exe | File created: C:\Users\user\AppData\Local\Temp\chrB32.tmp
Source: WDnE51mua6.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\WDnE51mua6.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: WDnE51mua6.exe | Virustotal: Detection: 41%
Source: WDnE51mua6.exe | ReversingLabs: Detection: 64%
Source: C:\Users\user\Desktop\WDnE51mua6.exe | File read: C:\Users\user\Desktop\WDnE51mua6.exe
Source: unknown | Process created: C:\Users\user\Desktop\WDnE51mua6.exe 'C:\Users\user\Desktop\WDnE51mua6.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Process created: C:\Windows\SysWOW64\svchost.exe 'C:\Windows\System32\svchost.exe'
Source: C:\Users\user\Desktop\WDnE51mua6.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe CmD
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com Gia.exe.com D
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | Process created: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com D
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 30
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com C:\Users\user\AppData\Roaming\zPgFqFUsML\I
Source: C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Users\user\AppData\Roaming\zPgFqFUsML\juROhmfLml.exe.com | Process created: C:\Windows\SysWOW64\nslookup.exe C:\Windows\SysWOW64\nslookup.exe
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\nslookup.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows
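Reading the process tree above as a detection engineer: the first cmd.exe reads its commands from Poi.vsd through stdin redirection, so the commands that actually run never appear in any command line; findstr /V prints every line of Che.vsd that does not match the anchored random token, which strips a marker line and emits the rest of the file; the resulting Gia.exe.com is started from %APPDATA% with a one-letter argument; ping 127.0.0.1 -n 30 is a roughly 30-second sleep; wscript.exe runs a .js from %APPDATA%; and both .exe.com stages start nslookup.exe, which then spawns cmd.exe for ver and wmic process get Name, something nslookup never does on its own (compare the nslookup.exe code-function entry at 16_3_03B97C2C, executing outside any loaded image). The script below is an added example written for this page, not part of the Joe Sandbox report or of any vendor product. It encodes those observations as rules over (parent, child, command line) triples; the event list is constructed from the report's own process-creation lines plus one constructed benign findstr control, and the thresholds (a 32-character anchored token, -n of at least 10, the set of "quiet" network utilities) are my assumptions, not values taken from the report.

```python
import re

# Constructed from the "Process created" lines of the report above, as
# (parent image, child image, command line). This is sample input for the
# rules, not a live telemetry feed; the last tuple is a constructed benign
# control so the findstr rule can be shown not to fire on ordinary use.
PROCESS_EVENTS = [
    (r"C:\Users\user\Desktop\WDnE51mua6.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"'C:\Windows\System32\cmd.exe' /c CmD < Poi.vsd"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\findstr.exe",
     r"findstr /V /R '^nZwSZJdQSZwKBWJCtpbfZHNwzsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDkGqaSrgKXZxBgABegmS$' Che.vsd"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com",
     r"Gia.exe.com D"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\PING.EXE",
     r"ping 127.0.0.1 -n 30"),
    ("unknown", r"C:\Windows\System32\wscript.exe",
     r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\zPgFqFUsML\wAYZqHgYEOdcYU.js'"),
    (r"C:\Users\user\AppData\Roaming\QhXpJEISYfDvrPPKg\Gia.exe.com", r"C:\Windows\SysWOW64\nslookup.exe",
     r"C:\Windows\SysWOW64\nslookup.exe"),
    (r"C:\Windows\SysWOW64\nslookup.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd.exe /C ver > 'C:\Users\user\AppData\Local\Temp\chrCF8.tmp'"),
    (r"C:\Windows\SysWOW64\nslookup.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd.exe /C wmic process get Name > 'C:\Users\user\AppData\Local\Temp\chr1073.tmp'"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\findstr.exe",
     r"findstr /I error C:\logs\app.log"),  # constructed benign control
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Assumed set: network utilities with no legitimate reason to spawn a shell;
# a shell child under one of them points at foreign code running inside it.
QUIET_UTILITIES = {"nslookup.exe", "ping.exe", "ipconfig.exe", "netstat.exe"}


def _image(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_utility_spawns_shell(parent: str, child: str, cmd: str) -> bool:
    return _image(parent) in QUIET_UTILITIES and _image(child) in SHELLS


def rule_findstr_carving(parent: str, child: str, cmd: str) -> bool:
    # findstr /V prints every line that does NOT match. With a regex anchored
    # on a long random token, that strips one marker line and emits the rest
    # of the file unchanged: a way to write a payload out using a signed tool.
    if _image(child) != "findstr.exe":
        return False
    switches = {tok.lower() for tok in cmd.split() if tok.startswith("/")}
    return "/v" in switches and re.search(r"\^[A-Za-z0-9]{32,}\$", cmd) is not None


def rule_ping_sleep(parent: str, child: str, cmd: str, min_count: int = 10) -> bool:
    # "ping 127.0.0.1 -n N" waits roughly N seconds; loopback pings with a
    # large count are a sleep, not a connectivity check.
    to_self = re.search(r"\bping(?:\.exe)?\b.*?\b(?:127\.0\.0\.1|localhost)\b", cmd, re.I)
    count = re.search(r"-n\s+(\d+)", cmd, re.I)
    return bool(to_self) and count is not None and int(count.group(1)) >= min_count


def rule_script_from_appdata(parent: str, child: str, cmd: str) -> bool:
    if _image(child) not in {"wscript.exe", "cscript.exe"}:
        return False
    return re.search(r"\\AppData\\[^'\s]+\.(?:js|jse|vbs|vbe|wsf|wsh)\b", cmd, re.I) is not None


def rule_double_extension(parent: str, child: str, cmd: str) -> bool:
    # "name.exe.com": the trailing .com keeps the file executable while the
    # visible ".exe" misleads anyone filtering executables by suffix.
    return re.search(r"\.(?:exe|dll|scr)\.(?:com|exe|scr|pif|bat)$", _image(child)) is not None


def rule_cmd_reads_stdin(parent: str, child: str, cmd: str) -> bool:
    # "cmd < file": the shell takes its commands from a file, so the commands
    # that actually run never show up in process-creation telemetry.
    return re.search(r"\bcmd(?:\.exe)?\s*<\s*\S+", cmd, re.I) is not None


RULES = {
    "utility_spawns_shell": rule_utility_spawns_shell,
    "findstr_carving": rule_findstr_carving,
    "ping_sleep": rule_ping_sleep,
    "script_from_appdata": rule_script_from_appdata,
    "double_extension": rule_double_extension,
    "cmd_reads_stdin": rule_cmd_reads_stdin,
}


def triage(events):
    """Run every rule over every (parent, child, cmdline) event; return the hits."""
    findings = []
    for parent, child, cmd in events:
        for name, rule in RULES.items():
            if rule(parent, child, cmd):
                findings.append({"rule": name, "image": _image(child), "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for hit in triage(PROCESS_EVENTS):
        print(f"[{hit['rule']}] {hit['image']}: {hit['cmdline']}")
```

Run against the constructed events, every one of the six rules fires exactly where the report's chain would lead you to expect (seven hits in total, two of them for nslookup.exe spawning cmd.exe) and the benign findstr control produces nothing. Each rule is independent so the same functions can be dropped into a Sysmon or EDR process-creation pipeline one at a time; the findstr and stdin-redirection rules are the two worth deploying first, since they are both rare in legitimate administration and cheap to evaluate.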