
Windows Analysis Report SecuriteInfo.com.Variant.Graftor.981190.24096.12674

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Graftor.981190.24096.12674 (renamed file extension from 12674 to exe)
Analysis ID: 451828
MD5: 19cac1ee3a6e5e9f83054616f5d5ce6f
SHA1: 5b7f16098760f887b0bdc5fee9223d022e0597fb
SHA256: 3709110cc04e0eaffe10bec5e8a5c82b858bee4195975e7bcd30c50b246f56c3
Tags: exe

Detection

GuLoader
Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader (rules JoeSecurity_GuLoader_1 and JoeSecurity_GuLoader_2)
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_lOulvHP91.bip"}

The URL comes from the static configuration extractor. No DNS query or download was observed while the sample ran (the evasion sections below record "no activity detected" for DNS), so the second-stage payload served from this URL is not part of this report. Treat the domain and path as indicators to block and hunt for, not as a captured payload.

Yara Overview

Initial Sample

Source | Rule | Description | Author
SecuriteInfo.com.Variant.Graftor.981190.24096.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000002.00000000.325526342.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security

Unpacked PEs

Source | Rule | Description | Author
2.2.SecuriteInfo.com.Variant.Graftor.981190.24096.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security
2.0.SecuriteInfo.com.Variant.Graftor.981190.24096.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security

JoeSecurity_GuLoader_1 matches the image itself (0x400000/0x401000, both on disk and in memory); JoeSecurity_GuLoader_2 matches only the region at 0x02A90000, which lies outside the loaded image and is where the 2_2_02A9xxxx code functions listed in the signature section live.

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_lOulvHP91.bip"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, VirusTotal: Detection: 14%
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, ReversingLabs: Detection: 19%
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Binary string (PDB path): C:\Program Files (x86)\Administrator-Cloud\Projects\typo.pdb

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: https://kinmirai.org/wp-content/bin_lOulvHP91.bip
The digicert.com entries below are the AIA, CRL, OCSP and CPS URLs carried by the embedded (invalid) Authenticode certificate chain, not command-and-control infrastructure; the only C2 indicator in this report is the kinmirai.org payload URL above. The trailing characters (0, 0P, 0:, 0C, 0O) are the DER tag and length bytes that follow each string in the certificate.
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, 00000002.00000002.850725852.000000000073A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A953FF NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A953FB NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A95541 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code functions: 2_2_02A953FF, 2_2_02A93EB2, 2_2_02A97EB4, 2_2_02A97AEF, 2_2_02A906E2, 2_2_02A97AF5, 2_2_02A926CA, 2_2_02A93EC0, 2_2_02A906D2, 2_2_02A97229, 2_2_02A90626, 2_2_02A98605, 2_2_02A91207, 2_2_02A9824D, 2_2_02A93FA8, 2_2_02A937A5, 2_2_02A93FE9, 2_2_02A93BE2, 2_2_02A953FB, 2_2_02A947FF, 2_2_02A93FC2, 2_2_02A91B2E, 2_2_02A91B24, 2_2_02A91706, 2_2_02A96F73, 2_2_02A94345, 2_2_02A98B5E, 2_2_02A98B51, 2_2_02A938B4, 2_2_02A97CB7, 2_2_02A98C81, 2_2_02A940EF, 2_2_02A904C0, 2_2_02A958D6, 2_2_02A92407, 2_2_02A9207C, 2_2_02A9444B, 2_2_02A95844, 2_2_02A951A4, 2_2_02A901E9, 2_2_02A905D8, 2_2_02A921DB, 2_2_02A901DA, 2_2_02A92567, 2_2_02A96D5C
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Static PE information: invalid certificate
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 resources)
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, 00000002.00000000.325551670.0000000000435000.00000002.00020000.sdmp, Binary or memory string: OriginalFilename typo.exe vs SecuriteInfo.com.Variant.Graftor.981190.24096.exe
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Binary or memory string: OriginalFilename typo.exe vs SecuriteInfo.com.Variant.Graftor.981190.24096.exe
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine, Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, File created: C:\Users\user\AppData\Local\Temp\~DF84A7F2EA291541CF.TMP (a temporary file of the kind routinely created by Visual Basic 6 executables)
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (the Visual Basic 6 runtime; the outer executable is a VB6 wrapper)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy key; read at process start by many benign processes, not suspicious on its own)
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, VirusTotal: Detection: 14%
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, ReversingLabs: Detection: 19%
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Binary string (PDB path): C:\Program Files (x86)\Administrator-Cloud\Projects\typo.pdb
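
The static PE facts above (a 32-bit image with relocations and symbols stripped, an Authenticode blob that fails validation, a debug directory that carries the typo.pdb path) can be checked without a sandbox. The following Python is an added example, not code from the report or from Joe Sandbox: it parses the DOS, COFF and optional headers with the standard library and returns the Characteristics flags plus whether the security and debug data directories are populated. The build_minimal_pe32 helper is a constructed test input (a header-only PE that is not loadable and is not the analysed sample); its flag value and directory sizes are chosen to mirror the report's static PE line.

```python
"""Static PE header triage: Characteristics flags and populated data
directories. Added example (not from the report); stdlib only."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DIR_SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob (file offset, not RVA)
DIR_DEBUG = 6     # IMAGE_DIRECTORY_ENTRY_DEBUG: debug entries (CodeView entry -> PDB path)


def triage_pe(data: bytes) -> dict:
    """Parse DOS/PE/COFF/optional headers and summarise the triage-relevant bits."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, _nsect, _ts, _symp, _nsym, _optsz, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]

    def populated(idx):  # each entry is (VirtualAddress, Size); present if Size > 0
        return idx < len(dirs) and dirs[idx][1] > 0

    return {
        "machine": machine,  # 0x14C = I386, 0x8664 = AMD64
        "pe32plus": magic == 0x20B,
        "characteristics": sorted(n for bit, n in CHARACTERISTICS.items() if chars & bit),
        "has_authenticode": populated(DIR_SECURITY),
        "has_debug_dir": populated(DIR_DEBUG),
    }


def build_minimal_pe32(characteristics: int, cert_size: int = 0, debug_size: int = 0) -> bytes:
    """Constructed test input: a header-only PE32 with no sections. It is not
    loadable and is not the analysed sample; it only exercises the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                      # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, 0x4000, cert_size)
    struct.pack_into("<II", opt, 96 + 8 * DIR_DEBUG, 0x3000, debug_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Flag set mirroring the report's static PE line, plus a signature blob and a debug directory.
    flags = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
    print(triage_pe(build_minimal_pe32(flags, cert_size=0x1800, debug_size=28)))
```

A populated security directory only says that a signature blob is attached; whether it is invalid, as the report states, requires a full Authenticode check (for example Get-AuthenticodeSignature in PowerShell or osslsigncode verify), and the report does not say which check failed. Resolving the debug directory to the PDB path needs an RVA-to-file-offset mapping through the section table, which this example deliberately leaves out.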

Data Obfuscation:

Yara detected GuLoader (JoeSecurity_GuLoader_2)
Source: Yara match, file source: 00000002.00000002.852029233.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Yara detected GuLoader (JoeSecurity_GuLoader_1)
Source: Yara match, file source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, type: SAMPLE
Source: Yara match, file source: 2.2.SecuriteInfo.com.Variant.Graftor.981190.24096.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.SecuriteInfo.com.Variant.Graftor.981190.24096.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000002.00000000.325526342.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.850474872.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A99662 push esp; iretd 2_2_02A99671
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A99672 push esp; iretd 2_2_02A99675
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A99676 push esp; iretd 2_2_02A99679
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A93FA8 push ebp; retf 2_2_02A93FC5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A9634A push 00000020h; retf 2_2_02A9634C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A91589 push ebp; retf 2_2_02A9158F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A935DC push ebp; ret 2_2_02A935FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Process information set: NOOPENFILEERRORBOX (5 times)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code functions: 2_2_02A93EB2, 2_2_02A97EB4, 2_2_02A906E2, 2_2_02A906D2, 2_2_02A90626, 2_2_02A98605, 2_2_02A93FA8, 2_2_02A937A5, 2_2_02A93FE9, 2_2_02A93FC2, 2_2_02A94345, 2_2_02A98B51, 2_2_02A97CB7, 2_2_02A940EF, 2_2_02A904C0, 2_2_02A92407, 2_2_02A9207C, 2_2_02A905D8, 2_2_02A921DB, 2_2_02A92567, 2_2_02A96D5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A93EB2 rdtsc
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A93EB2 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A96B34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A970BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A97CB7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A95022 mov eax, dword ptr fs:[00000030h]
(fs:[30h] is the PEB pointer of a 32-bit process; the PEB holds the BeingDebugged and NtGlobalFlag fields that debugger checks read.)
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.Variant.Graftor.981190.24096.exe, 00000002.00000002.850792525.0000000000CC0000.00000002.00000001.sdmp, Binary or memory strings: Shell_TrayWnd, Progman, &Program Manager, Progmanlock
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981190.24096.exe, Code function: 2_2_02A96E24 cpuid
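
The evasion and anti-debugging entries above, and the push/ret pairs under Data Obfuscation, all resolve to a handful of x86 instruction encodings: rdtsc (0F 31) for execution-time measurement, cpuid (0F A2) as the probe whose cost is measured, mov eax, fs:[30h] (64 A1 30 00 00 00) for the PEB read, and push/ret, push/retf and push esp/iretd sequences used as disguised jumps. The following Python is an added example, not code from the report: it scans a raw memory dump (for instance the 0x02A90000 region dumped above) for those encodings, rebases hits to virtual addresses, and pairs nearby rdtsc instructions into candidate timing windows. The SAMPLE buffer is constructed for the demonstration and is not bytes from the analysed sample.

```python
"""Opcode-pattern triage of a memory dump for the anti-analysis idioms a
sandbox flags. Added example (not from the report); stdlib only."""
import re

# 32-bit x86 encodings of the flagged instructions and instruction pairs.
PATTERNS = {
    "rdtsc":             rb"\x0f\x31",
    "cpuid":             rb"\x0f\xa2",
    "mov eax, fs:[30h]": rb"\x64\xa1\x30\x00\x00\x00",  # PEB pointer (BeingDebugged, NtGlobalFlag)
    "push imm32; ret":   rb"\x68[\x00-\xff]{4}\xc3",    # jump through a fabricated return address
    "push imm8; retf":   rb"\x6a[\x00-\xff]\xcb",       # e.g. push 20h; retf
    "push ebp; retf":    rb"\x55\xcb",
    "push ebp; ret":     rb"\x55\xc3",
    "push esp; iretd":   rb"\x54\xcf",
}
COMPILED = {name: re.compile(pat) for name, pat in PATTERNS.items()}


def scan(buf: bytes, base: int = 0) -> dict:
    """Map each pattern name to the virtual addresses (base + offset) where it occurs."""
    hits = {}
    for name, rx in COMPILED.items():
        addrs = [base + m.start() for m in rx.finditer(buf)]
        if addrs:
            hits[name] = addrs
    return hits


def rdtsc_windows(buf: bytes, max_gap: int = 64) -> list:
    """Pairs of rdtsc offsets close enough to be one timing measurement
    (rdtsc; probe such as cpuid; rdtsc; compare the delta against a threshold)."""
    offs = [m.start() for m in COMPILED["rdtsc"].finditer(buf)]
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= max_gap]


# Constructed demonstration buffer (not bytes from the analysed sample).
SAMPLE = (
    b"\x55\x8b\xec"               # push ebp; mov ebp, esp   (ordinary prologue: no hit)
    b"\x0f\x31\x8b\xd8"           # rdtsc; mov ebx, eax
    b"\x0f\xa2"                   # cpuid                    (unconditional VM exit under VT-x)
    b"\x0f\x31\x2b\xc3"           # rdtsc; sub eax, ebx      (elapsed cycles)
    b"\x64\xa1\x30\x00\x00\x00"   # mov eax, fs:[30h]        (PEB)
    b"\x68\x78\x56\x34\x12\xc3"   # push 12345678h; ret
    b"\x6a\x20\xcb"               # push 20h; retf
    b"\x54\xcf"                   # push esp; iretd
    b"\xc3"                       # ret
)

if __name__ == "__main__":
    for name, addrs in scan(SAMPLE, base=0x02A90000).items():
        print("%-18s %s" % (name, ", ".join("0x%08X" % a for a in addrs)))
    print("rdtsc windows:", rdtsc_windows(SAMPLE))
```

Byte patterns are a triage aid, not a verdict: two-byte sequences such as 55 C3 occur by chance in data, so run the scan over the executable region only (the 0x02A90000 dump, protection 0x40) and confirm each hit in a disassembler, the way the report pins the timing check to the function at 2_2_02A93EB2.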

Mitre Att&ck Matrix

Matched techniques by tactic (the number in parentheses is the badge shown next to the technique in the original matrix; tactics and cells without a badge are the unmatched matrix skeleton and are not listed):

Tactic | Technique (badge)
Privilege Escalation | Process Injection (1)
Defense Evasion | Virtualization/Sandbox Evasion (11); Process Injection (1); Obfuscated Files or Information (1)
Credential Access | Input Capture (1)
Discovery | Security Software Discovery (21); Virtualization/Sandbox Evasion (11); Process Discovery (1); System Information Discovery (111)
Collection | Input Capture (1); Archive Collected Data (1)
Command and Control | Encrypted Channel (1); Application Layer Protocol (1)

Behavior Graph

[Behavior graph image. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet]

Screenshots

[Screenshot thumbnails, including those not shown in the slideshow]