Windows Analysis Report US1pwXib6h.exe

Overview

General Information

Sample Name: US1pwXib6h.exe
Analysis ID: 435325
MD5: 91514b3627e78e42cb05bc608737a47f
SHA1: b48882a3d656068e30b88671aee71010e5602d32
SHA256: e0e0ca8ec324752ed823c7e503992398e817663828f94b4ca699ff1965095c31
Tags: exeNetWireRAT

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected NetWire RAT
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 4.2.ioldfli.exe.24e0000.2.raw.unpack Malware Configuration Extractor: NetWire {"C2 list": ["netno.ddns.net:6577", "ddns.dbcdubai.com:6577", "netsecond.duckdns.org:6577"], "Password": "Trinidado1@", "Host ID": "OJ", "Mutex": "oCTboYgC", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "%AppData%\\Logs\\"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: US1pwXib6h.exe Virustotal: Detection: 15%
Source: US1pwXib6h.exe ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: US1pwXib6h.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.1.ioldfli.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: 2.2.US1pwXib6h.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: 2.1.US1pwXib6h.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: 9.2.ioldfli.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: 6.2.ioldfli.exe.400000.0.unpack Avira: Label: TR/Spy.Gen
Source: 1.2.US1pwXib6h.exe.99d0000.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 9.1.ioldfli.exe.400000.0.unpack Avira: Label: TR/Spy.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,GetMenuState,LocalFree, 2_2_0040C4B7
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040E511 CryptUnprotectData,LocalFree, 2_2_0040E511
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp, 2_2_0040EDD6
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 2_2_0040D290
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,GetMenuState,LocalFree, 2_1_0040C4B7
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040E511 CryptUnprotectData,LocalFree, 2_1_0040E511
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp, 2_1_0040EDD6
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 2_1_0040D290
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 6_2_0040C4B7
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_0040E511 CryptUnprotectData,LocalFree, 6_2_0040E511
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp, 6_2_0040EDD6
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 6_2_0040D290
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 6_1_0040C4B7
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_0040E511 CryptUnprotectData,LocalFree, 6_1_0040E511
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp, 6_1_0040EDD6
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 6_1_0040D290
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_0040C4B7 RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegCloseKey,RegCloseKey,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 9_2_0040C4B7
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_0040E511 CryptUnprotectData,LocalFree, 9_2_0040E511
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_0040EDD6 fopen,malloc,fclose,fread,fclose,CryptUnprotectData,sprintf,strcmp,strcmp, 9_2_0040EDD6
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_0040D290 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 9_2_0040D290

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\US1pwXib6h.exe Unpacked PE file: 2.2.US1pwXib6h.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Unpacked PE file: 6.2.ioldfli.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Unpacked PE file: 9.2.ioldfli.exe.400000.0.unpack
Uses 32bit PE files
Source: US1pwXib6h.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: US1pwXib6h.exe, 00000001.00000003.363846894.0000000009C40000.00000004.00000001.sdmp, ioldfli.exe, 00000004.00000003.385574206.0000000009A10000.00000004.00000001.sdmp, ioldfli.exe, 00000007.00000003.404915131.0000000009A20000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: US1pwXib6h.exe, 00000001.00000003.363846894.0000000009C40000.00000004.00000001.sdmp, ioldfli.exe, 00000004.00000003.385574206.0000000009A10000.00000004.00000001.sdmp, ioldfli.exe, 00000007.00000003.404915131.0000000009A20000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00405302
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_00405CD8 FindFirstFileA,FindClose, 1_2_00405CD8
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_0040263E FindFirstFileA, 1_2_0040263E
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 2_2_00406453
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 2_2_0040680D
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 2_2_0040753D
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 2_2_00413A85
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 2_2_0040DB1C
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 2_2_00406F83
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 2_2_00406390
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 2_1_00406453
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 2_1_0040680D
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 2_1_0040753D
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 2_1_00413A85
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 2_1_0040DB1C
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 2_1_00406F83
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 2_1_00406390
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 6_2_00406453
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 6_2_0040680D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 6_2_0040753D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 6_2_00413A85
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 6_2_0040DB1C
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 6_2_00406F83
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 6_2_00406390
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 6_1_00406453
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 6_1_0040680D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 6_1_0040753D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 6_1_00413A85
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 6_1_0040DB1C
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 6_1_00406F83
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 6_1_00406390
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 7_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 7_2_00405302
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 7_2_00405CD8 FindFirstFileA,FindClose, 7_2_00405CD8
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 7_2_0040263E FindFirstFileA, 7_2_0040263E
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 9_2_00406453
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 9_2_0040680D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 9_2_0040753D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 9_2_00413A85
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 9_2_0040DB1C
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 9_2_00406F83
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 9_2_00406390
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 2_2_00406084

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: netno.ddns.net:6577
Source: Malware configuration extractor URLs: ddns.dbcdubai.com:6577
Source: Malware configuration extractor URLs: netsecond.duckdns.org:6577
Uses dynamic DNS services
Source: unknown DNS query: name: netno.ddns.net
Source: unknown DNS query: name: netsecond.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49725 -> 99.83.154.118:6577
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 99.83.154.118
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELIANETTeliaCarrierEU
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00405811 send,recv, 2_2_00405811
Source: unknown DNS traffic detected: queries for: netno.ddns.net
Source: ioldfli.exe, ioldfli.exe, 00000007.00000002.406359323.0000000000409000.00000004.00020000.sdmp, ioldfli.exe, 00000009.00000000.400385140.0000000000409000.00000008.00020000.sdmp, US1pwXib6h.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: US1pwXib6h.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ioldfli.exe String found in binary or memory: http://www.yandex.com
Source: US1pwXib6h.exe, 00000001.00000002.367065114.00000000024C0000.00000004.00000001.sdmp, US1pwXib6h.exe, 00000002.00000001.363673900.0000000000400000.00000040.00020000.sdmp, ioldfli.exe, 00000004.00000002.395120542.00000000024E0000.00000004.00000001.sdmp, ioldfli.exe, 00000006.00000002.394088134.0000000000400000.00000040.00000001.sdmp, ioldfli.exe, 00000007.00000002.406739098.00000000023A0000.00000004.00000001.sdmp, ioldfli.exe, 00000009.00000001.405669006.0000000000400000.00000040.00020000.sdmp String found in binary or memory: http://www.yandex.comsocks=

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 2_2_00409953
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 2_1_00409953
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 6_2_00409953
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 6_1_00409953
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 9_2_00409953
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00404EB9
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00411D8C GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,calloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject,free, 2_2_00411D8C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 2_2_00409953
Creates a DirectInput object (often for capturing keystrokes)
Source: US1pwXib6h.exe, 00000001.00000002.366959493.000000000078A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00409CF9 RegisterRawInputDevices,GetRawInputData,malloc,GetRawInputData,PostQuitMessage,DefWindowProcW, 2_2_00409CF9
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 2_2_00409953
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 2_1_00409953
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 6_2_00409953
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 6_1_00409953
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_00409953 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyW,ToUnicode,WideCharToMultiByte,GetKeyState,MapVirtualKeyW,GetKeyNameTextW,GetKeyState,WideCharToMultiByte, 9_2_00409953

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00411A5C select,__WSAFDIsSet,recv,recv,recv,ntohs,socket,connect, 2_1_00411A5C
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040262F malloc,ntohs,inet_ntoa,ntohs,inet_ntoa,malloc,ntohs,inet_ntoa, 2_1_0040262F
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_004030CB
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 7_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 7_2_004030CB
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: String function: 004081AA appears 330 times
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: String function: 0041F724 appears 93 times
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: String function: 00407F7A appears 33 times
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: String function: 0041F714 appears 33 times
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: String function: 004081AA appears 220 times
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: String function: 0041F724 appears 62 times
Sample file is different than original file name gathered from version info
Source: US1pwXib6h.exe, 00000001.00000003.363457760.0000000009BC6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs US1pwXib6h.exe
Uses 32bit PE files
Source: US1pwXib6h.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/10@14/3
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_004041CD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_004041CD
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00402570 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_00402570
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_00402020 CoCreateInstance,MultiByteToWideChar, 1_2_00402020
Source: C:\Users\user\Desktop\US1pwXib6h.exe File created: C:\Users\user\AppData\Roaming\fatbtifdnumsa
Source: C:\Users\user\Desktop\US1pwXib6h.exe Mutant created: \Sessions\1\BaseNamedObjects\oCTboYgC
Source: C:\Users\user\Desktop\US1pwXib6h.exe File created: C:\Users\user\AppData\Local\Temp\nsz6A77.tmp
Source: US1pwXib6h.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\US1pwXib6h.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\US1pwXib6h.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\US1pwXib6h.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\US1pwXib6h.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: US1pwXib6h.exe Virustotal: Detection: 15%
Source: US1pwXib6h.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\US1pwXib6h.exe File read: C:\Users\user\Desktop\US1pwXib6h.exe
Source: unknown Process created: C:\Users\user\Desktop\US1pwXib6h.exe 'C:\Users\user\Desktop\US1pwXib6h.exe'
Source: C:\Users\user\Desktop\US1pwXib6h.exe Process created: C:\Users\user\Desktop\US1pwXib6h.exe 'C:\Users\user\Desktop\US1pwXib6h.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe 'C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe'
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Process created: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe 'C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe 'C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe'
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Process created: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe 'C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe'
Source: C:\Users\user\Desktop\US1pwXib6h.exe Process created: C:\Users\user\Desktop\US1pwXib6h.exe 'C:\Users\user\Desktop\US1pwXib6h.exe'
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Process created: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe 'C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe'
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Process created: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe 'C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe'
Source: C:\Users\user\Desktop\US1pwXib6h.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: wntdll.pdbUGP source: US1pwXib6h.exe, 00000001.00000003.363846894.0000000009C40000.00000004.00000001.sdmp, ioldfli.exe, 00000004.00000003.385574206.0000000009A10000.00000004.00000001.sdmp, ioldfli.exe, 00000007.00000003.404915131.0000000009A20000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: US1pwXib6h.exe, 00000001.00000003.363846894.0000000009C40000.00000004.00000001.sdmp, ioldfli.exe, 00000004.00000003.385574206.0000000009A10000.00000004.00000001.sdmp, ioldfli.exe, 00000007.00000003.404915131.0000000009A20000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\US1pwXib6h.exe Unpacked PE file: 2.2.US1pwXib6h.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.data:W;.eh_fram:R;.bss:W;.edata:R;.idata:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Unpacked PE file: 6.2.ioldfli.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.data:W;.eh_fram:R;.bss:W;.edata:R;.idata:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Unpacked PE file: 9.2.ioldfli.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.data:W;.eh_fram:R;.bss:W;.edata:R;.idata:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\US1pwXib6h.exe Unpacked PE file: 2.2.US1pwXib6h.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Unpacked PE file: 6.2.ioldfli.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Unpacked PE file: 9.2.ioldfli.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405CFF
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_73862F60 push eax; ret 1_2_73862F8E
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00409E61 push eax; mov dword ptr [esp], ebx 2_2_00409FDE
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040DCE9 push ecx; mov dword ptr [esp], 00423976h 2_2_0040DD9F
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah 2_2_0040DDD9
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040DCE9 push edx; mov dword ptr [esp], 00423997h 2_2_0040DDF7
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040DCE9 push edx; mov dword ptr [esp], esi 2_2_0040E394
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040A4BC push esi; mov dword ptr [esp], 00423347h 2_2_0040A543
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00409953 push edi; mov dword ptr [esp], 00000091h 2_2_00409980
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00409953 push ebp; mov dword ptr [esp], 00000090h 2_2_0040998D
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00411D8C push edx; mov dword ptr [esp], edi 2_2_00412058
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00406E04 push ecx; mov dword ptr [esp], ebx 2_2_00406E69
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040262F push edx; mov dword ptr [esp], edi 2_2_004027C8
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040262F push edx; mov dword ptr [esp], edi 2_2_00402815
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040262F push edx; mov dword ptr [esp], edi 2_2_004029B2
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_004146E1 push eax; mov dword ptr [esp], ebx 2_2_0041470B
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040970C push eax; mov dword ptr [esp], 0042B4A0h 2_2_004097B9
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00409E61 push eax; mov dword ptr [esp], ebx 2_1_00409FDE
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040DCE9 push ecx; mov dword ptr [esp], 00423976h 2_1_0040DD9F
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040DCE9 push ebp; mov dword ptr [esp], 0042398Ah 2_1_0040DDD9
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040DCE9 push edx; mov dword ptr [esp], 00423997h 2_1_0040DDF7
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040DCE9 push edx; mov dword ptr [esp], esi 2_1_0040E394
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040A4BC push esi; mov dword ptr [esp], 00423347h 2_1_0040A543
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00409953 push edi; mov dword ptr [esp], 00000091h 2_1_00409980
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00409953 push ebp; mov dword ptr [esp], 00000090h 2_1_0040998D
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00411D8C push edx; mov dword ptr [esp], edi 2_1_00412058
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00406E04 push ecx; mov dword ptr [esp], ebx 2_1_00406E69
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040262F push edx; mov dword ptr [esp], edi 2_1_004027C8
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040262F push edx; mov dword ptr [esp], edi 2_1_00402815
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040262F push edx; mov dword ptr [esp], edi 2_1_004029B2
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_004146E1 push eax; mov dword ptr [esp], ebx 2_1_0041470B
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040970C push eax; mov dword ptr [esp], 0042B4A0h 2_1_004097B9

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe File created: C:\Users\user\AppData\Local\Temp\nsmBB29.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe File created: C:\Users\user\AppData\Local\Temp\nst9B9A.tmp\System.dll
Source: C:\Users\user\Desktop\US1pwXib6h.exe File created: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe
Source: C:\Users\user\Desktop\US1pwXib6h.exe File created: C:\Users\user\AppData\Local\Temp\nsu6AA7.tmp\System.dll
Source: C:\Users\user\Desktop\US1pwXib6h.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run goqkksd
Source: C:\Users\user\Desktop\US1pwXib6h.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run goqkksd
Source: C:\Users\user\Desktop\US1pwXib6h.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\US1pwXib6h.exe TID: 6552 Thread sleep time: -975000s >= -30000s
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe TID: 6772 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe TID: 7016 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00405302
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_00405CD8 FindFirstFileA,FindClose, 1_2_00405CD8
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_0040263E FindFirstFileA, 1_2_0040263E
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 2_2_00406453
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 2_2_0040680D
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 2_2_0040753D
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 2_2_00413A85
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 2_2_0040DB1C
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 2_2_00406F83
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 2_2_00406390
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 2_1_00406453
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 2_1_0040680D
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 2_1_0040753D
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 2_1_00413A85
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 2_1_0040DB1C
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 2_1_00406F83
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_1_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 2_1_00406390
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 6_2_00406453
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 6_2_0040680D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 6_2_0040753D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 6_2_00413A85
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 6_2_0040DB1C
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 6_2_00406F83
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 6_2_00406390
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 6_1_00406453
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 6_1_0040680D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 6_1_0040753D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 6_1_00413A85
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 6_1_0040DB1C
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 6_1_00406F83
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 6_1_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 6_1_00406390
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 7_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 7_2_00405302
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 7_2_00405CD8 FindFirstFileA,FindClose, 7_2_00405CD8
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 7_2_0040263E FindFirstFileA, 7_2_0040263E
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_00406453 MultiByteToWideChar,SetErrorMode,FindFirstFileW,FileTimeToSystemTime,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 9_2_00406453
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_0040680D SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,FindNextFileW, 9_2_0040680D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_0040753D MultiByteToWideChar,SetErrorMode,MultiByteToWideChar,wcscat,FindFirstFileW,FindClose,WideCharToMultiByte,MultiByteToWideChar,wcscat,WideCharToMultiByte,FindNextFileW, 9_2_0040753D
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_00413A85 SetErrorMode,MultiByteToWideChar,FindFirstFileW,WideCharToMultiByte,WideCharToMultiByte,FindNextFileW,FindClose, 9_2_00413A85
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_0040DB1C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose, 9_2_0040DB1C
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_00406F83 SetErrorMode,FindFirstFileA,strcmp,strcmp,strcat,fopen,strncpy,fclose,strcpy,FindNextFileA,FindClose, 9_2_00406F83
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 9_2_00406390 FindFirstFileW,fopen,_snwprintf,fwprintf,_snwprintf,FindNextFileW,FindClose,fclose, 9_2_00406390
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_00406084 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA, 2_2_00406084
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_004132E6 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics, 2_2_004132E6
Source: C:\Users\user\Desktop\US1pwXib6h.exe Thread delayed: delay time: 75000
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Thread delayed: delay time: 30000
Source: US1pwXib6h.exe, 00000002.00000002.622761524.0000000000738000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\US1pwXib6h.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405CFF
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 4_2_0019F83E mov eax, dword ptr fs:[00000030h] 4_2_0019F83E
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 4_2_0019F79E mov eax, dword ptr fs:[00000030h] 4_2_0019F79E
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: 4_2_0019F7DB mov eax, dword ptr fs:[00000030h] 4_2_0019F7DB

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\US1pwXib6h.exe Section loaded: unknown target: C:\Users\user\Desktop\US1pwXib6h.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Section loaded: unknown target: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Section loaded: unknown target: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe protection: execute and read and write
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_004121C0 keybd_event, 2_2_004121C0
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_004121EF SetCursorPos,mouse_event, 2_2_004121EF
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\US1pwXib6h.exe Process created: C:\Users\user\Desktop\US1pwXib6h.exe 'C:\Users\user\Desktop\US1pwXib6h.exe'
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Process created: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe 'C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe'
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Process created: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe 'C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe'
Source: US1pwXib6h.exe, 00000002.00000002.622988136.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: US1pwXib6h.exe, 00000002.00000002.622988136.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: US1pwXib6h.exe, 00000002.00000002.622988136.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: US1pwXib6h.exe, 00000002.00000002.622988136.0000000000FC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_0040A115 GetLocalTime, 2_2_0040A115
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 2_2_004130E8 GetUserNameW,WideCharToMultiByte, 2_2_004130E8
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: 1_2_004059FF GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 1_2_004059FF

Stealing of Sensitive Information:

Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: %s\Google\Chrome\User Data\Default\Login Data 2_2_0040F281
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: %s\Chromium\User Data\Default\Login Data 2_2_0040F382
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: %s\Google\Chrome\User Data\Default\Login Data 2_1_0040F281
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: %s\Chromium\User Data\Default\Login Data 2_1_0040F382
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: %s\Google\Chrome\User Data\Default\Login Data 6_2_0040F281
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: %s\Chromium\User Data\Default\Login Data 6_2_0040F382
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: %s\Google\Chrome\User Data\Default\Login Data 6_1_0040F281
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: %s\Chromium\User Data\Default\Login Data 6_1_0040F382
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: %s\Google\Chrome\User Data\Default\Login Data 9_2_0040F281
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: %s\Chromium\User Data\Default\Login Data 9_2_0040F382
Contains functionality to steal Internet Explorer form passwords
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 2_2_0040D745
Source: C:\Users\user\Desktop\US1pwXib6h.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 2_1_0040D745
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 6_2_0040D745
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 6_1_0040D745
Source: C:\Users\user\AppData\Roaming\fatbtifdnumsa\ioldfli.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 9_2_0040D745

Remote Access Functionality:

Yara detected NetWire RAT
Source: Yara match File source: 00000002.00000001.363673900.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.406739098.00000000023A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.394088134.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000001.393727825.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.395120542.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000001.405669006.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.367065114.00000000024C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.621612280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.406157548.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: US1pwXib6h.exe PID: 6476, type: MEMORY
Source: Yara match File source: Process Memory Space: ioldfli.exe PID: 6768, type: MEMORY
Source: Yara match File source: Process Memory Space: ioldfli.exe PID: 7088, type: MEMORY
Source: Yara match File source: Process Memory Space: US1pwXib6h.exe PID: 6548, type: MEMORY
Source: Yara match File source: Process Memory Space: ioldfli.exe PID: 7012, type: MEMORY
Source: Yara match File source: Process Memory Space: ioldfli.exe PID: 6824, type: MEMORY
Source: Yara match File source: 1.2.US1pwXib6h.exe.24c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.US1pwXib6h.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ioldfli.exe.24e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.ioldfli.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.US1pwXib6h.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.US1pwXib6h.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.1.ioldfli.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.US1pwXib6h.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.ioldfli.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ioldfli.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.ioldfli.exe.23a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ioldfli.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ioldfli.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.1.ioldfli.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ioldfli.exe.400000.0.raw.unpack, type: UNPACKEDPE