
Analysis Report vbc.exe.vir

Overview

General Information

Sample Name:vbc.exe.vir (renamed file extension from vir to exe)
Analysis ID:430813
MD5:788016c9072423914b96f0d15a61812d
SHA1:040f85b4ef512bb74990becfa1a5029f92eb65c7
SHA256:df34f3d4030a5ea484108271f749ca5fbc3af0f415051e98b342a505c88971e4

Detection

GuLoader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • vbc.exe.exe (PID: 3564 cmdline: 'C:\Users\user\Desktop\vbc.exe.exe' MD5: 788016C9072423914B96F0D15A61812D)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bara-seck.com/bin_YIuwAXdc211.bin, https://wizumiya.co.jp/html/user_data/"}

Yara Overview

Initial Sample

Source: vbc.exe.exe | Rule: JoeSecurity_GuLoader_1 | Description: Yara detected GuLoader | Author: Joe Security

Memory Dumps

Source: 00000000.00000002.1277517703.0000000000401000.00000020.00020000.sdmp | Rule: JoeSecurity_GuLoader_1 | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000000.00000000.194728526.0000000000401000.00000020.00020000.sdmp | Rule: JoeSecurity_GuLoader_1 | Description: Yara detected GuLoader | Author: Joe Security

Unpacked PEs

Source: 0.0.vbc.exe.exe.400000.0.unpack | Rule: JoeSecurity_GuLoader_1 | Description: Yara detected GuLoader | Author: Joe Security
Source: 0.2.vbc.exe.exe.400000.0.unpack | Rule: JoeSecurity_GuLoader_1 | Description: Yara detected GuLoader | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_YIuwAXdc211.bin, https://wizumiya.co.jp/html/user_data/"}
Multi AV Scanner detection for submitted file
Source: vbc.exe.exe | Virustotal: Detection: 13%
Source: vbc.exe.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://bara-seck.com/bin_YIuwAXdc211.bin, https://wizumiya.co.jp/html/user_data/
Source: vbc.exe.exe, 00000000.00000002.1278845441.000000000079A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\vbc.exe.exe | Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B699A NtAllocateVirtualMemory, 0_2_022B699A
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B6A34 NtAllocateVirtualMemory, 0_2_022B6A34
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B6A99 NtAllocateVirtualMemory, 0_2_022B6A99
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B6AD4 NtAllocateVirtualMemory, 0_2_022B6AD4
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B6B59 NtAllocateVirtualMemory, 0_2_022B6B59
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B6BCC NtAllocateVirtualMemory, 0_2_022B6BCC
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B6C02 NtAllocateVirtualMemory, 0_2_022B6C02
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B69AE NtAllocateVirtualMemory, 0_2_022B69AE
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B69E4 NtAllocateVirtualMemory, 0_2_022B69E4
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_00405607 0_2_00405607
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_004032F5 0_2_004032F5
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B699A 0_2_022B699A
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5627 0_2_022B5627
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B6A34 0_2_022B6A34
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3209 0_2_022B3209
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BB608 0_2_022BB608
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA614 0_2_022BA614
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5A68 0_2_022B5A68
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3A62 0_2_022B3A62
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5278 0_2_022B5278
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3249 0_2_022B3249
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BB650 0_2_022BB650
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA6A0 0_2_022BA6A0
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5688 0_2_022B5688
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BB69C 0_2_022BB69C
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B92EF 0_2_022B92EF
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3AF8 0_2_022B3AF8
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4EF2 0_2_022B4EF2
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA6F0 0_2_022BA6F0
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA2D8 0_2_022BA2D8
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B2F27 0_2_022B2F27
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5B08 0_2_022B5B08
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5302 0_2_022B5302
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3300 0_2_022B3300
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4F1C 0_2_022B4F1C
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5712 0_2_022B5712
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B9768 0_2_022B9768
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA76C 0_2_022BA76C
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5B58 0_2_022B5B58
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B33AC 0_2_022B33AC
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B57A5 0_2_022B57A5
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B43B8 0_2_022B43B8
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4F98 0_2_022B4F98
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5394 0_2_022B5394
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5BE7 0_2_022B5BE7
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BB3F8 0_2_022BB3F8
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA7C7 0_2_022BA7C7
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B582E 0_2_022B582E
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4404 0_2_022B4404
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5004 0_2_022B5004
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5418 0_2_022B5418
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BB410 0_2_022BB410
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA814 0_2_022BA814
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5069 0_2_022B5069
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5466 0_2_022B5466
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BB45D 0_2_022BB45D
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B245C 0_2_022B245C
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B2452 0_2_022B2452
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4454 0_2_022B4454
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B58B8 0_2_022B58B8
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B44B2 0_2_022B44B2
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5C99 0_2_022B5C99
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BB493 0_2_022BB493
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA890 0_2_022BA890
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3895 0_2_022B3895
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BB4E0 0_2_022BB4E0
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B50F8 0_2_022B50F8
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B38FC 0_2_022B38FC
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B54FC 0_2_022B54FC
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA4F1 0_2_022BA4F1
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B24C7 0_2_022B24C7
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B593E 0_2_022B593E
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4910 0_2_022B4910
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5578 0_2_022B5578
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4544 0_2_022B4544
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B69AE 0_2_022B69AE
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B39A0 0_2_022B39A0
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3189 0_2_022B3189
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4988 0_2_022B4988
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BB588 0_2_022BB588
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B5181 0_2_022B5181
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA580 0_2_022BA580
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B9984 0_2_022B9984
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B39E8 0_2_022B39E8
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B69E4 0_2_022B69E4
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B51FA 0_2_022B51FA
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA5C8 0_2_022BA5C8
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B59CF 0_2_022B59CF
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BB5CC 0_2_022BB5CC
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B45D1 0_2_022B45D1
PE file contains strange resources
Source: vbc.exe.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: vbc.exe.exe, 00000000.00000002.1277664800.0000000000424000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSuperintellectually.exe vs vbc.exe.exe
Source: vbc.exe.exe | Binary or memory string: OriginalFilenameSuperintellectually.exe vs vbc.exe.exe
Uses 32bit PE files
Source: vbc.exe.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0
Source: vbc.exe.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vbc.exe.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\vbc.exe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vbc.exe.exe | Virustotal: Detection: 13%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: vbc.exe.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.1277517703.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.194728526.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.0.vbc.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vbc.exe.exe.400000.0.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_00403112 push dword ptr [ebp-44h]; ret 0_2_0041ECC4
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4A3C push AFBDCFF2h; iretd 0_2_022B4A2E
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B7F05 push edx; ret 0_2_022B7F12
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B2B1B push ebp; retf 0_2_022B2B0A
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA965 push eax; ret 0_2_022BA956
Source: C:\Users\user\Desktop\vbc.exe.exe | Process information set: NOOPENFILEERRORBOX (reported 5 times)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BBB2B 0_2_022BBB2B
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BBB26 0_2_022BBB26
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3895 0_2_022B3895
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\vbc.exe.exe | RDTSC instruction interceptor: First address: 00000000022B9BBF second address: 00000000022B9BBF instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 4A1014F8h
  0x00000007 xor eax, 91CBACF6h
  0x0000000c xor eax, 7F9DE2BDh
  0x00000011 xor eax, A4465AB2h
  0x00000016 cpuid
  0x00000018 popad
  0x00000019 call 00007F8D1C47F904h
  0x0000001e lfence
  0x00000021 mov edx, C49425E1h
  0x00000026 xor edx, 40636495h
  0x0000002c sub edx, D2D01692h
  0x00000032 xor edx, CDD92AF6h
  0x00000038 mov edx, dword ptr [edx]
  0x0000003a lfence
  0x0000003d jmp 00007F8D1C47F8F6h
  0x0000003f test al, bl
  0x00000041 cmp al, E3h
  0x00000043 jmp 00007F8D1C47F8F6h
  0x00000045 cmp ch, 0000006Dh
  0x00000048 cmp bh, ah
  0x0000004a ret
  0x0000004b sub edx, esi
  0x0000004d ret
  0x0000004e add edi, edx
  0x00000050 dec dword ptr [ebp+000000F8h]
  0x00000056 cmp dword ptr [ebp+000000F8h], 00000000h
  0x0000005d jne 00007F8D1C47F874h
  0x0000005f jmp 00007F8D1C47F8F6h
  0x00000061 test ah, ch
  0x00000063 call 00007F8D1C47F8E6h
  0x00000068 call 00007F8D1C47F925h
  0x0000006d lfence
  0x00000070 mov edx, C49425E1h
  0x00000075 xor edx, 40636495h
  0x0000007b sub edx, D2D01692h
  0x00000081 xor edx, CDD92AF6h
  0x00000087 mov edx, dword ptr [edx]
  0x00000089 lfence
  0x0000008c jmp 00007F8D1C47F8F6h
  0x0000008e test al, bl
  0x00000090 cmp al, E3h
  0x00000092 jmp 00007F8D1C47F8F6h
  0x00000094 cmp ch, 0000006Dh
  0x00000097 cmp bh, ah
  0x00000099 ret
  0x0000009a mov esi, edx
  0x0000009c pushad
  0x0000009d rdtsc
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3209 rdtsc 0_2_022B3209
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\vbc.exe.exe | API coverage: 7.0 %
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
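The RDTSC interceptor trace above shows the pattern behind the "call, push, ret" and timing signatures in this report: every constant the loader needs is built at run time from a mov followed by xor/sub fix-ups, so neither the CPUID leaf nor the address it reads between the two rdtsc samples is visible in the file. The Python below is an added worked example, not part of the Joe Sandbox report or of the sample; it takes the two register-building chains copied from the trace (constructed input, embedded inline) and folds them into the values the CPU actually sees. The eax chain resolves to 1, i.e. CPUID leaf 1, which both traps to any hypervisor (so its execution time is measurable) and reports the hypervisor-present bit in ECX bit 31. The edx chain resolves to 0x7FFE0014; on 32-bit Windows that is the SystemTime.LowPart field of KUSER_SHARED_DATA, so the `dec [ebp+F8h] / jne` loop is comparing kernel-maintained wall-clock time against rdtsc deltas. The KUSER_SHARED_DATA field table is the example's own assumption and is not taken from the report.

```python
import re
from typing import Optional

MASK32 = 0xFFFFFFFF

# Constructed input: the two register-building chains copied from the RDTSC
# interceptor trace in this report. All other trace lines are left out.
TRACE_EAX = """
0x00000000 rdtsc
0x00000002 mov eax, 4A1014F8h
0x00000007 xor eax, 91CBACF6h
0x0000000c xor eax, 7F9DE2BDh
0x00000011 xor eax, A4465AB2h
0x00000016 cpuid
"""

TRACE_EDX = """
0x0000001e lfence
0x00000021 mov edx, C49425E1h
0x00000026 xor edx, 40636495h
0x0000002c sub edx, D2D01692h
0x00000032 xor edx, CDD92AF6h
0x00000038 mov edx, dword ptr [edx]
"""

# "<offset> <mnemonic> <reg>, <hex>h" is the only shape the chains use.
IMM_INSN = re.compile(
    r"^0x[0-9A-Fa-f]+\s+(mov|xor|add|sub)\s+(\w+)\s*,\s*([0-9A-Fa-f]+)h$"
)


def resolve_chain(trace: str, reg: str) -> Optional[int]:
    """Fold the mov/xor/add/sub immediate chain for `reg` into its final 32-bit value.

    The chain starts at the first `mov reg, imm` and ends at the first instruction
    that is not an immediate operation on `reg` (cpuid, a memory read, a jump),
    which is the point where the loader consumes the value.
    """
    value = None
    for raw in trace.strip().splitlines():
        m = IMM_INSN.match(raw.strip())
        if not m or m.group(2) != reg:
            if value is not None:
                break      # chain consumed by cpuid / memory read / control flow
            continue       # still before the chain starts
        op, _, imm_text = m.groups()
        imm = int(imm_text, 16)
        if op == "mov":
            value = imm
        elif value is None:
            continue       # arithmetic on reg before any mov: not our chain
        elif op == "xor":
            value ^= imm
        elif op == "add":
            value = (value + imm) & MASK32
        else:              # sub
            value = (value - imm) & MASK32
    return value


# Assumed layout facts (not from the report): KUSER_SHARED_DATA is a single page
# mapped read-only at 0x7FFE0000 in every 32-bit Windows process; the kernel
# keeps these timer fields current without any system call from user mode.
KUSER_SHARED_DATA = 0x7FFE0000
KUSER_SHARED_DATA_SIZE = 0x1000
KUSER_FIELDS = {
    0x008: "InterruptTime.LowPart",
    0x014: "SystemTime.LowPart",
    0x020: "TimeZoneBias.LowPart",
}


def describe_address(addr: int) -> str:
    """Name a resolved pointer if it falls inside KUSER_SHARED_DATA."""
    off = addr - KUSER_SHARED_DATA
    if 0 <= off < KUSER_SHARED_DATA_SIZE:
        return f"KUSER_SHARED_DATA+0x{off:03x} ({KUSER_FIELDS.get(off, 'unnamed field')})"
    return f"0x{addr:08x}"


if __name__ == "__main__":
    leaf = resolve_chain(TRACE_EAX, "eax")
    ptr = resolve_chain(TRACE_EDX, "edx")
    print(f"cpuid leaf   : {leaf:#x}")
    print(f"timer source : {describe_address(ptr)}")
```

The same folding works for any GuLoader constant chain, including the ones feeding the `push imm; ret` gadgets listed under Data Obfuscation, as long as the chain is a straight line of mov/xor/add/sub immediates; a chain that mixes in register-to-register moves or memory reads needs a real emulator.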

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\vbc.exe.exe | Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3209 rdtsc 0_2_022B3209
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA614 mov eax, dword ptr fs:[00000030h] 0_2_022BA614
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B43B8 mov eax, dword ptr fs:[00000030h] 0_2_022B43B8
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3FB8 mov eax, dword ptr fs:[00000030h] 0_2_022B3FB8
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B642D mov eax, dword ptr fs:[00000030h] 0_2_022B642D
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4404 mov eax, dword ptr fs:[00000030h] 0_2_022B4404
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B9840 mov eax, dword ptr fs:[00000030h] 0_2_022B9840
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B4454 mov eax, dword ptr fs:[00000030h] 0_2_022B4454
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B3895 mov eax, dword ptr fs:[00000030h] 0_2_022B3895
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA4F1 mov eax, dword ptr fs:[00000030h] 0_2_022BA4F1
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022B8D1F mov eax, dword ptr fs:[00000030h] 0_2_022B8D1F
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA580 mov eax, dword ptr fs:[00000030h] 0_2_022BA580
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BA5C8 mov eax, dword ptr fs:[00000030h] 0_2_022BA5C8
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: vbc.exe.exe, 00000000.00000002.1279108448.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: vbc.exe.exe, 00000000.00000002.1279108448.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: vbc.exe.exe, 00000000.00000002.1279108448.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: vbc.exe.exe, 00000000.00000002.1279108448.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_022BBB2B cpuid 0_2_022BBB2B

Mitre Att&ck Matrix

Digits following a technique name are the report's superscript signature counters, kept as printed.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 11 | Input Capture 1 | Security Software Discovery 31 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery 211 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

Behavior Graph

Screenshots