Windows Analysis Report model 800 DD.exe

Overview

General Information

Sample Name: model 800 DD.exe
Analysis ID: 458837
MD5: d7191bd9419ce60f57122e0a3b6d8449
SHA1: 7b847b776a23dff9fa06429f7ab6bf05a27cf51c
SHA256: bb422900a755e4aa68626b1451545a2e36e1acf79d975ae6bda7da78313c3205
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 6.2.model 800 DD.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "accounts@alexfoxfreight.com", "Password": "Ueos*93sj!#!12", "Host": "mail.alexfoxfreight.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe ReversingLabs: Detection: 76%
Multi AV Scanner detection for submitted file
Source: model 800 DD.exe Virustotal: Detection: 35%
Source: model 800 DD.exe ReversingLabs: Detection: 76%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: model 800 DD.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.model 800 DD.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 22.2.rmKknnU.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: model 800 DD.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: model 800 DD.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49738 -> 172.81.56.199:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49739 -> 172.81.56.199:587
Source: model 800 DD.exe, 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp String found in binary or memory: http://BYnWgg.com
Source: rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: model 800 DD.exe, 00000006.00000002.501035203.0000000002CAC000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%
Source: rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: model 800 DD.exe, 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, rmKknnU.exe, 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: model 800 DD.exe, 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, rmKknnU.exe, 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\model 800 DD.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 6.2.model 800 DD.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b22DD7206u002dF3D4u002d4291u002d86BBu002d4D02D5CEE8A3u007d/C5FE9DF1u002dDE0Bu002d4117u002d9865u002dE2D99C7738EE.cs Large array initialization: .cctor: array initializer size 12063
Detected potential crypto function
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 3_2_0031BA7C 3_2_0031BA7C
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 3_2_0031B62C 3_2_0031B62C
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 3_2_00319808 3_2_00319808
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 4_2_003DBA7C 4_2_003DBA7C
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 4_2_003DB62C 4_2_003DB62C
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 4_2_003D9808 4_2_003D9808
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_0076BA7C 6_2_0076BA7C
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_0076B62C 6_2_0076B62C
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_00D124A0 6_2_00D124A0
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_011047A0 6_2_011047A0
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_011046D0 6_2_011046D0
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_0110D5EB 6_2_0110D5EB
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_05F76510 6_2_05F76510
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_05F77128 6_2_05F77128
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_05F790F0 6_2_05F790F0
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_05F76858 6_2_05F76858
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_062C5690 6_2_062C5690
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_062C8FE0 6_2_062C8FE0
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_062C89A9 6_2_062C89A9
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_00769808 6_2_00769808
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Code function: 22_2_00AFB62C 22_2_00AFB62C
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Code function: 22_2_00AFBA7C 22_2_00AFBA7C
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Code function: 22_2_02ED47A0 22_2_02ED47A0
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Code function: 22_2_02ED46D0 22_2_02ED46D0
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Code function: 22_2_02ED46B0 22_2_02ED46B0
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Code function: 22_2_02EDD5E1 22_2_02EDD5E1
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Code function: 22_2_00AF9808 22_2_00AF9808
PE file contains strange resources
Source: model 800 DD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: rmKknnU.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: model 800 DD.exe, 00000001.00000000.226326900.0000000000D32000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStackBehavio.exe< vs model 800 DD.exe
Source: model 800 DD.exe Binary or memory string: OriginalFilename vs model 800 DD.exe
Source: model 800 DD.exe, 00000003.00000000.269543360.0000000000312000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStackBehavio.exe< vs model 800 DD.exe
Source: model 800 DD.exe Binary or memory string: OriginalFilename vs model 800 DD.exe
Source: model 800 DD.exe, 00000004.00000000.271691612.00000000003D2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStackBehavio.exe< vs model 800 DD.exe
Source: model 800 DD.exe Binary or memory string: OriginalFilename vs model 800 DD.exe
Source: model 800 DD.exe, 00000006.00000000.273264577.0000000000762000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameStackBehavio.exe< vs model 800 DD.exe
Source: model 800 DD.exe, 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWpPJaFVmXtHjOcxkbOqsNEqrCsGpa.exe( vs model 800 DD.exe
Source: model 800 DD.exe, 00000006.00000002.504985782.0000000005CA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs model 800 DD.exe
Source: model 800 DD.exe Binary or memory string: OriginalFilenameStackBehavio.exe< vs model 800 DD.exe
Uses 32bit PE files
Source: model 800 DD.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: model 800 DD.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: rmKknnU.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6.2.model 800 DD.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/4@0/0
Source: C:\Users\user\Desktop\model 800 DD.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\model 800 DD.exe.log
Source: model 800 DD.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\model 800 DD.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\model 800 DD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\model 800 DD.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: model 800 DD.exe Virustotal: Detection: 35%
Source: model 800 DD.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\model 800 DD.exe File read: C:\Users\user\Desktop\model 800 DD.exe
Source: unknown Process created: C:\Users\user\Desktop\model 800 DD.exe 'C:\Users\user\Desktop\model 800 DD.exe'
Source: C:\Users\user\Desktop\model 800 DD.exe Process created: C:\Users\user\Desktop\model 800 DD.exe C:\Users\user\Desktop\model 800 DD.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe 'C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe'
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Process created: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
Source: C:\Users\user\Desktop\model 800 DD.exe Process created: C:\Users\user\Desktop\model 800 DD.exe C:\Users\user\Desktop\model 800 DD.exe
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Process created: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
Source: C:\Users\user\Desktop\model 800 DD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\model 800 DD.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: model 800 DD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: model 800 DD.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: model 800 DD.exe Static file information: File size 1348608 > 1048576
Source: model 800 DD.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13b800
Source: model 800 DD.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: initial sample Static PE information: section name: .text entropy: 7.57001311304

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\model 800 DD.exe File created: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
Source: C:\Users\user\Desktop\model 800 DD.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rmKknnU

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\model 800 DD.exe File opened: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\model 800 DD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\model 800 DD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\model 800 DD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\model 800 DD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\model 800 DD.exe Window / User API: threadDelayed 880
Source: C:\Users\user\Desktop\model 800 DD.exe Window / User API: threadDelayed 8974
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Window / User API: threadDelayed 9632
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\model 800 DD.exe TID: 4940 Thread sleep time: -40336s >= -30000s
Source: C:\Users\user\Desktop\model 800 DD.exe TID: 4492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\model 800 DD.exe TID: 5980 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe TID: 5752 Thread sleep time: -44073s >= -30000s
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe TID: 4840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe TID: 4960 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe TID: 1844 Thread sleep count: 226 > 30
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe TID: 1844 Thread sleep count: 9632 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\model 800 DD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\model 800 DD.exe Thread delayed: delay time: 40336
Source: C:\Users\user\Desktop\model 800 DD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Thread delayed: delay time: 44073
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Thread delayed: delay time: 922337203685477
Source: model 800 DD.exe, 00000006.00000002.504985782.0000000005CA0000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.504865385.00000000061F0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: model 800 DD.exe, 00000006.00000002.504985782.0000000005CA0000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.504865385.00000000061F0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: model 800 DD.exe, 00000006.00000002.504985782.0000000005CA0000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.504865385.00000000061F0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: model 800 DD.exe, 00000006.00000002.504985782.0000000005CA0000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.504865385.00000000061F0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\model 800 DD.exe Process information queried: ProcessInformation
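The WMI enumerations and sleep values above are the combination a triage analyst scores as VM fingerprinting plus stalling. Two details are worth reading off the raw lines: the class actually enumerated under the network-adapter signature is Win32_NetworkAdapterConfiguration (which exposes MAC addresses), and the delay 922337203685477 is Int64.MaxValue in 100 ns ticks divided by 10000, i.e. .NET's TimeSpan.MaxValue in whole milliseconds, so those threads are parked indefinitely rather than for a computed interval. The Hyper-V strings found in the mapped regions are Windows Host Compute Service error-message text from system resources, not strings the sample authored, and are weak evidence on their own. The script below is an added example, not part of the sandbox or of the sample: it parses lines in the "Source: <process> <event>: <details>" layout shown on this page (assumed from the quoted lines), labels each sleep, and flags a process that both enumerates two or more hardware-identity classes and requests an infinite or >= 3 minute sleep. VM_FINGERPRINT_CLASSES extends the three classes this sample used with others commonly abused for the same purpose; that extension is the editor's, not the report's.

```python
"""Triage of the evasion lines above: which hardware-identity WMI classes each
process enumerated and how long it asked to sleep.  Added example; the
'Source: <process> <event>: <details>' layout is assumed from the quoted lines."""
import re
from collections import defaultdict

# Classes whose instances expose vendor strings, serial numbers or MAC addresses
# and are therefore compared against hypervisor signatures.  The first three are
# the ones this sample enumerated; the rest are an editor's extension (assumption).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Processor", "Win32_NetworkAdapterConfiguration",
    "Win32_BIOS", "Win32_ComputerSystem", "Win32_NetworkAdapter", "Win32_DiskDrive",
}

INT64_MAX = 2**63 - 1
# TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in whole milliseconds that
# is 922337203685477, the value reported for this sample's parked threads.
TIMESPAN_MAX_MS = INT64_MAX // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's ">= 3 min" threshold

SOURCE_RE = re.compile(r"^Source:\s+(?P<proc>.+?\.exe)\s+(?P<rest>.+)$")
WMI_RE = re.compile(r"WMI Queries: IWbemServices::\w+ - root\\cimv2 : (?P<cls>Win32_\w+)")
DELAY_RE = re.compile(r"Thread delayed: delay time: (?P<ms>\d+)")
SLEEP_RE = re.compile(r"Thread sleep time: (?P<ms>-?\d+)s")


def parse_line(line):
    """Split a report line into (process image path, remainder); None if not a Source: line."""
    m = SOURCE_RE.match(line.strip())
    return (m.group("proc"), m.group("rest")) if m else None


def classify_delay_ms(ms):
    """Label a requested sleep as 'infinite' (TimeSpan.MaxValue), 'long' (>= 3 min) or 'short'."""
    ms = abs(ms)  # the sandbox prints relative NtDelayExecution intervals as negatives
    if ms == TIMESPAN_MAX_MS:
        return "infinite"
    return "long" if ms >= LONG_SLEEP_MS else "short"


def triage(lines):
    """Per process: WMI classes enumerated, sleep labels, and the evasion flags raised."""
    per_proc = defaultdict(lambda: {"wmi": set(), "sleeps": [], "flags": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, rest = parsed
        rec = per_proc[proc]
        if (m := WMI_RE.search(rest)) is not None:
            rec["wmi"].add(m.group("cls"))
        elif (m := DELAY_RE.search(rest) or SLEEP_RE.search(rest)) is not None:
            rec["sleeps"].append(classify_delay_ms(int(m.group("ms"))))
    for rec in per_proc.values():
        # Two or more identity classes from one process is the fingerprinting pattern;
        # a lone Win32_Processor query is too common in legitimate software to flag.
        if len(rec["wmi"] & VM_FINGERPRINT_CLASSES) >= 2:
            rec["flags"].add("vm_fingerprinting")
        if "infinite" in rec["sleeps"]:
            rec["flags"].add("infinite_sleep")
        elif "long" in rec["sleeps"]:
            rec["flags"].add("long_sleep")
    return dict(per_proc)


# Lines quoted from the evasion section above.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\model 800 DD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\Desktop\model 800 DD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\Desktop\model 800 DD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor",
    r"Source: C:\Users\user\Desktop\model 800 DD.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\model 800 DD.exe TID: 5980 Thread sleep time: -13835058055282155s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Thread delayed: delay time: 44073",
]

if __name__ == "__main__":
    for proc, rec in triage(REPORT_LINES).items():
        print(proc, sorted(rec["wmi"]), rec["sleeps"], sorted(rec["flags"]))
```

Run against the quoted lines, the dropped-file copy rmKknnU.exe raises no flag from these six lines alone because its only sleep here is 44 seconds; the full report shows it making the same WMI queries and the same infinite sleep, so feeding it all of the section's lines flags both processes identically.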

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\model 800 DD.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\model 800 DD.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\model 800 DD.exe Memory written: C:\Users\user\Desktop\model 800 DD.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\model 800 DD.exe Process created: C:\Users\user\Desktop\model 800 DD.exe C:\Users\user\Desktop\model 800 DD.exe
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Process created: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe
Source: model 800 DD.exe, 00000006.00000002.498969002.0000000001600000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.498750905.0000000001A30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: model 800 DD.exe, 00000006.00000002.498969002.0000000001600000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.498750905.0000000001A30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: model 800 DD.exe, 00000006.00000002.498969002.0000000001600000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.498750905.0000000001A30000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: model 800 DD.exe, 00000006.00000002.498969002.0000000001600000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.498750905.0000000001A30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: model 800 DD.exe, 00000006.00000002.498969002.0000000001600000.00000002.00000001.sdmp, rmKknnU.exe, 00000016.00000002.498750905.0000000001A30000.00000002.00000001.sdmp Binary or memory string: Progmanlock
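The two signatures at the top of this section describe the hollowing sequence: the sample launches a second copy of its own image (suspended, per the signature), then writes a buffer that begins with 4D5A, the MZ signature of a PE file, into that process at 0x400000, the default image base of a 32-bit executable. The detector below is an added example (not the sandbox's own logic) over lines in the layout shown on this page; it requires an MZ-prefixed cross-process write and corroborates it with the target address, whether the writer spawned the target, and whether the target is a copy of the writer's own image. The benign lines in the sample input are constructed for the negative case and are not from this report.

```python
"""Process-hollowing indicator over the process-creation and memory-write lines
above.  Added example, not the sandbox's own logic; the line layout is assumed
from the quoted lines."""
import re

SOURCE_RE = re.compile(r"^Source:\s+(?P<proc>.+?\.exe)\s+(?P<rest>.+)$")
CREATED_RE = re.compile(r"Process created: (?P<image>.+?\.exe)(?:\s|$)")
WRITTEN_RE = re.compile(
    r"Memory written: (?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+) "
    r"value starts with: (?P<magic>[0-9A-Fa-f]+)"
)

MZ = "4D5A"                        # 'MZ', the DOS header signature every PE starts with
DEFAULT_IMAGE_BASE_X86 = 0x400000  # linker default ImageBase for 32-bit executables


def detect_hollowing(lines):
    """Return one finding per cross-process write that looks like a PE image being planted.

    An MZ-prefixed write is required; the other observations only corroborate it,
    so a write that merely lands at 0x400000 without a PE header is not reported.
    """
    spawned = {}   # writer image path -> image paths it created
    findings = []
    for line in lines:
        m = SOURCE_RE.match(line.strip())
        if m is None:
            continue
        proc, rest = m.group("proc"), m.group("rest")
        if (c := CREATED_RE.search(rest)) is not None:
            spawned.setdefault(proc, set()).add(c.group("image"))
            continue
        w = WRITTEN_RE.search(rest)
        if w is None:
            continue
        target = w.group("target")
        base = int(w.group("base"), 16)
        magic = w.group("magic").upper()
        if not magic.startswith(MZ):
            continue
        reasons = ["write begins with the MZ header"]
        if base == DEFAULT_IMAGE_BASE_X86:
            reasons.append("target address is the default x86 image base")
        if target in spawned.get(proc, ()):
            reasons.append("writer created the target process")
        if target == proc:
            reasons.append("target is a copy of the writer's own image")
        findings.append({"writer": proc, "target": target, "base": base,
                         "confidence": "high" if len(reasons) >= 3 else "medium",
                         "reasons": reasons})
    return findings


# First two lines quoted from the section above; the last two are constructed
# for the negative case and are not from this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\model 800 DD.exe Process created: C:\Users\user\Desktop\model 800 DD.exe C:\Users\user\Desktop\model 800 DD.exe",
    r"Source: C:\Users\user\Desktop\model 800 DD.exe Memory written: C:\Users\user\Desktop\model 800 DD.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\benign_example.exe Process created: C:\Windows\System32\notepad.exe notepad.exe",
    r"Source: C:\Users\user\Desktop\benign_example.exe Memory written: C:\Windows\System32\notepad.exe base: 7FFE0000 value starts with: 00000000",
]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_LINES):
        print(f["confidence"], f["writer"], "->", f["target"], hex(f["base"]), f["reasons"])
```

The report's memory-write line does not carry the target PID, only its image path, so the detector keys on paths; on a real event source with PIDs the "writer created the target" check should compare the parent/child PIDs instead, since a self-spawning loader and a legitimate updater that writes to its own running copy would otherwise look alike.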

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\model 800 DD.exe Queries volume information: C:\Users\user\Desktop\model 800 DD.exe VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Queries volume information: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rmKknnU\rmKknnU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\model 800 DD.exe Code function: 6_2_05F754E4 GetUserNameW, 6_2_05F754E4
Source: C:\Users\user\Desktop\model 800 DD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 6.2.model 800 DD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rmKknnU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 6.2.model 800 DD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rmKknnU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: model 800 DD.exe PID: 4632, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: model 800 DD.exe PID: 4632, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 6.2.model 800 DD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rmKknnU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 6.2.model 800 DD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rmKknnU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.495139244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.500269130.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.495247778.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.499443817.0000000003061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: model 800 DD.exe PID: 4632, type: MEMORYSTR
No contacted IP infos