
Windows Analysis Report oYIQVnvsyG.exe

Overview

General Information

Sample Name:oYIQVnvsyG.exe
Analysis ID:483803
MD5:43c573966b2b1d5d87ecd57eb2a81c33
SHA1:a08966162e39fa04e39d93b1d121f1bef6b3ec86
SHA256:d062fa8446a39adb2182c2a506e96801792855bbb0da2a9f278134630a5e5de2

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Contains long sleeps (>= 3 min)
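The first three signatures above are derived purely from the PE headers: the COFF Characteristics (32BIT_MACHINE, EXECUTABLE_IMAGE), the optional header's DllCharacteristics (NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT), the data directories (a non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry is what makes this a .NET image) and the section table. The following Python is an added example, not code from the report or from the Joe Sandbox engine, showing how those facts are read out of a PE32 header. Because it must run offline it builds a constructed minimal header with the same properties the report lists (build_sample_pe is an assumption, not the real sample); on a real file you would pass the file's bytes instead. It does not parse the VERSIONINFO resource, so the OriginalFilename comparison behind the second signature is out of scope.

```python
import struct

# Flag tables for the three header fields the report's "Static PE information" lines are built from.
FILE_CHARACTERISTICS = {          # IMAGE_FILE_HEADER.Characteristics
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {           # IMAGE_OPTIONAL_HEADER.DllCharacteristics
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_CHARACTERISTICS = {       # IMAGE_SECTION_HEADER.Characteristics
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DATA_DIRECTORY_NAMES = {2: "IMAGE_DIRECTORY_ENTRY_RESOURCE", 14: "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR"}


def _flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_static_info(data: bytes) -> dict:
    """Read the headers of a PE32 image and return the facts the report lists as static PE information."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        # PE32+ (magic 0x20B) keeps DllCharacteristics at +70 but moves the data directories to +112; not handled here.
        raise ValueError("only PE32 images are handled")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        va, size = struct.unpack_from("<II", data, opt + 96 + i * 8)
        if va or size:
            dirs[DATA_DIRECTORY_NAMES.get(i, f"DIRECTORY_{i}")] = (va, size)
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, sec + i * 40)
        sections.append((raw[0].rstrip(b"\0").decode("ascii", "replace"), _flag_names(raw[9], SECTION_CHARACTERISTICS)))
    return {
        "machine": machine,
        "file_characteristics": _flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _flag_names(dll_chars, DLL_CHARACTERISTICS),
        # A non-empty CLR header directory (entry 14) is what marks the file as a .NET assembly.
        "is_dotnet": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR" in dirs,
        "data_directories": dirs,
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header with the same static properties the report lists (not the real sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0002 | 0x0100)  # I386, one section, EXE + 32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<H", opt, 68, 2)                           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)  # DYNAMIC_BASE | NX_COMPAT | NO_SEH | TS_AWARE
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 2 * 8, 0x4000, 0x300)      # resource directory (where RT_ICON entries live)
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)      # CLR header: this is a .NET image
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x1000, 0x200, 0, 0, 0, 0,
                       0x00000020 | 0x20000000 | 0x40000000)     # CODE | EXECUTE | READ, as in the report
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    for key, value in parse_pe_static_info(build_sample_pe()).items():
        print(f"{key}: {value}")
```

For a file on disk, call parse_pe_static_info(open(path, "rb").read()). The flag tables deliberately include only the bits the report mentions plus DLL and MEM_WRITE; extend them from winnt.h if you need the full set.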

Classification

Process Tree

  • System is w10x64
  • oYIQVnvsyG.exe (PID: 6364 cmdline: 'C:\Users\user\Desktop\oYIQVnvsyG.exe' MD5: 43C573966B2B1D5D87ECD57EB2A81C33)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures; the full (informational) signature results are listed below.

Source: oYIQVnvsyG.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll
Source: oYIQVnvsyG.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: oYIQVnvsyG.exe, 00000000.00000002.239893622.00000000014B2000.00000004.00000020.sdmp, String found in binary or memory: http://go.microsz.R
Source: oYIQVnvsyG.exe, 00000000.00000000.229505995.0000000000F6A000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamePWCRLauncher.exe4 vs oYIQVnvsyG.exe
Source: oYIQVnvsyG.exe, 00000000.00000002.239887172.00000000014A9000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenamemscorwks.dllT vs oYIQVnvsyG.exe
Source: oYIQVnvsyG.exe, Binary or memory string: OriginalFilenamePWCRLauncher.exe4 vs oYIQVnvsyG.exe
Source: oYIQVnvsyG.exe, Static PE information: Resource name: RT_ICON, type: GLS_BINARY_LSB_FIRST (2 resources)
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, File read: C:\Users\user\Desktop\oYIQVnvsyG.exe
Source: oYIQVnvsyG.exe, Static PE information: Section .text: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: classification engine, Classification label: clean2.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\oYIQVnvsyG.exe.log
Source: oYIQVnvsyG.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, TID: 6396, Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, Memory allocated: page read and write | page guard
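The two sleep signatures ("May sleep (evasive loops)" and "Contains long sleeps (>= 3 min)") both rest on the single value 922337203685477 recorded for thread 6396. That number is 2^63 / 10000 truncated: a relative NtDelayExecution timeout of 0x8000000000000000 (100 ns units) converted to milliseconds, which is the timeout SleepEx passes to NtDelayExecution for INFINITE. In other words the thread is waiting forever (Thread.Sleep(Timeout.Infinite) on the CLR), not looping over sleeps, and a single infinite wait trips both thresholds. The Python below is an added example, not code from the report or the sandbox, that turns raw sleep timeouts and report lines of the form above into a classification against the thresholds the report itself shows (30000 ms from the ">= -30000s" comparison; 3 min from the signature name). It assumes the magnitude the report prints after "s" is milliseconds, which the 30000 threshold supports; the sample lines are constructed from the report's two sleep lines plus a benign control.

```python
import re

TICKS_PER_MS = 10_000                       # NtDelayExecution timeouts are in 100-ns units
INFINITE_TIMEOUT = -(1 << 63)               # 0x8000000000000000 as a signed LARGE_INTEGER: SleepEx(INFINITE)
INFINITE_MS = (1 << 63) // TICKS_PER_MS     # 922337203685477, the magnitude the report prints
EVASIVE_THRESHOLD_MS = 30_000               # the 30000 threshold in the report's "Thread sleep time" line
LONG_SLEEP_THRESHOLD_MS = 3 * 60 * 1000     # "Contains long sleeps (>= 3 min)"


def classify_sleep_ms(ms: int) -> dict:
    """Classify one sleep duration (ms magnitude) against the report's two sleep signatures."""
    return {
        "ms": ms,
        "infinite": ms >= INFINITE_MS,                      # a forever-wait, not a delay loop
        "evasive_loop_candidate": ms >= EVASIVE_THRESHOLD_MS,
        "long_sleep": ms >= LONG_SLEEP_THRESHOLD_MS,
    }


def delay_from_nt_timeout(timeout_100ns: int) -> dict:
    """Convert a raw NtDelayExecution timeout (negative = relative) to ms and classify it."""
    if timeout_100ns >= 0:
        raise ValueError("positive timeouts are absolute times, not sleep durations")
    return classify_sleep_ms((-timeout_100ns) // TICKS_PER_MS)


# Matches both line shapes used in the report: "Thread sleep time: -Ns >= -30000s" and "delay time: N".
_SLEEP_LINE = re.compile(r"(?:thread sleep time: -?(\d+)s|delay time: (\d+))", re.IGNORECASE)


def classify_report_lines(lines) -> list:
    """Extract the sleep magnitude from each report line that carries one and classify it."""
    results = []
    for line in lines:
        m = _SLEEP_LINE.search(line)
        if not m:
            continue
        results.append(classify_sleep_ms(int(m.group(1) or m.group(2))))
    return results


SAMPLE_LINES = [  # constructed: the report's two sleep lines plus a 1 s control from a made-up process
    r"Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, TID: 6396, Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\oYIQVnvsyG.exe, Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\control.exe, TID: 1, Thread sleep time: -1000s >= -30000s",
]

if __name__ == "__main__":
    for result in classify_report_lines(SAMPLE_LINES):
        print(result)
    print(delay_from_nt_timeout(INFINITE_TIMEOUT))
```

When triaging, treat an "infinite" hit differently from a run of 30 s+ sleeps: the former is consistent with a launcher or service-style process parked on an event, the latter with deliberate timer-based evasion; the report's two signatures do not distinguish them.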

Mitre Att&ck Matrix

One tactic per line with the three cells the report shows for it; a superscript after a technique is the report's count of supporting signatures, and techniques without one are the unmatched cells of the matrix template.

Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux)
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion: Masquerading¹ | Disable or Modify Tools¹ | Virtualization/Sandbox Evasion²¹
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: Virtualization/Sandbox Evasion²¹ | System Information Discovery¹ | Query Registry
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Command and Control: Data Obfuscation | Junk Data | Steganography
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data

Behavior Graph

(Graph image; only its legend survived extraction and is not reproduced.)

Screenshots

(Screenshot thumbnails; images not included in the text export.)