Windows Analysis Report PO-003785GMHN.exe

Overview

General Information

Sample Name: PO-003785GMHN.exe
Analysis ID: 491604
MD5: 4577c41fc896a87df4513f13d29ee65a
SHA1: 38e76942a779e8b04cdf763cf993ceda76d049f2
SHA256: 144fc8c1a922dbb8162d72a94780f8559bbd9e6b1faa9e037fd33e809126b080
Tags: exexloader
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.serpascarnes.com/8iwd/"], "decoy": ["openhousedigitale.com", "helpindia.store", "josiahspicer.com", "wydancer.com", "athinatoday.com", "asiapartnerspoint.com", "freemakechefsrecipes.com", "metrolistingsservices.com", "assarytagged.quest", "ververevival.com", "cjdue.com", "iqmetaverse.com", "sh-spgdk.com", "spacecitybeauty.com", "phasmatoidea.com", "yz1866.com", "tenlog009.xyz", "gameprizes.xyz", "415know.com", "virus-jestock.com", "fmsgmbh.com", "chinaglobalawarenesscodeday.com", "sekailuxe.com", "luvjoyproperties.com", "amandlaparaffin.com", "dreamcenterabq.com", "finestpoints.com", "lbbed.com", "teamgamecocks.club", "fallscreation.com", "365gy.net", "vtprealtor.com", "emailassure.com", "yogiler.com", "ss2196.com", "csntow.com", "lechotamalamona.com", "kingdomofdavid.kiwi", "ismaella.com", "facebooking.club", "adelinesgrill.com", "uzh.biz", "vivimendes.com", "throwpillowco.com", "honestwealthbuilding.com", "inoutinsurance.xyz", "iqvisory.com", "mkbau-quickborn.com", "sellbesty.com", "south1995officiel.com", "austrahe.com", "trancendentalastroshop.store", "gotcookies.net", "meglutenfree.com", "clayexoticsatl.com", "tonerventes.com", "torresflooringdecorllc.com", "mentication.com", "formula-evolution.com", "likethespirit.com", "reddysinfotech.com", "laketappsapartment.com", "yimailg.com", "0kscp.com"]}
Multi AV Scanner detection for submitted file
Source: PO-003785GMHN.exe ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match File source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe ReversingLabs: Detection: 24%

Compliance:

barindex
Uses 32bit PE files
Source: PO-003785GMHN.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49806 version: TLS 1.2
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.366690021.0000000002C27000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460834520.00000000027D5000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484080545.0000000003629000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp, WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460217485.00000000027CF000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.485168569.0000000003623000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000010.00000002.384758094.00000000027C2000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb! source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484696549.00000000052E4000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdbk source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdb source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb; source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp
Source: Binary string: mobsync.pdb source: WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.366127292.0000000002C21000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460217485.00000000027CF000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.485168569.0000000003623000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb= source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbi source: WerFault.exe, 00000024.00000003.489142600.00000000055A1000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000010.00000003.366557441.0000000002C2D000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460535070.00000000027DB000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484105898.000000000362F000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb{ source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbO source: WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.366690021.0000000002C27000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460834520.00000000027D5000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484080545.0000000003629000.00000004.00000001.sdmp
Source: Binary string: DpiScaling.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb/ source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: secinit.pdb source: WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.serpascarnes.com/8iwd/
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: PO-003785GMHN.exe, 00000001.00000003.309872431.00000000008E8000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.381838452.0000000004AC3000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000002.493420445.00000000048CD000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.505411077.00000000035E7000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: unknown DNS traffic detected: queries for: maxvilletruck.com
Source: global traffic HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: lValiHost: maxvilletruck.com
Source: global traffic HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: asweHost: maxvilletruck.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: asweHost: maxvilletruck.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn HTTP/1.1User-Agent: asweHost: maxvilletruck.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.33.128.70:443 -> 192.168.2.3:49806 version: TLS 1.2

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: PO-003785GMHN.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\Libraries\uxvffdU.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
One or more processes crash
Source: C:\Windows\SysWOW64\DpiScaling.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 496
Detected potential crypto function
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_50481030 7_2_50481030
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_50488C80 7_2_50488C80
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_5049C95C 7_2_5049C95C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_50482D8C 7_2_50482D8C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_50482D90 7_2_50482D90
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_50481030 30_2_50481030
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_5049C95C 30_2_5049C95C
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_5049CBD0 30_2_5049CBD0
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_50488C80 30_2_50488C80
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_50482D8C 30_2_50482D8C
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_50482D90 30_2_50482D90
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_50482FB0 30_2_50482FB0
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_50481030 34_2_50481030
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_5049C95C 34_2_5049C95C
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_5049CBD0 34_2_5049CBD0
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_50488C80 34_2_50488C80
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_50482D8C 34_2_50482D8C
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_50482D90 34_2_50482D90
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_50482FB0 34_2_50482FB0
PE file contains strange resources
Source: PO-003785GMHN.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: PO-003785GMHN.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Udffvxu.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Udffvxu.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 144FC8C1A922DBB8162D72A94780F8559BBD9E6B1FAA9E037FD33E809126B080
Source: PO-003785GMHN.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\PO-003785GMHN.exe File read: C:\Users\user\Desktop\PO-003785GMHN.exe Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PO-003785GMHN.exe 'C:\Users\user\Desktop\PO-003785GMHN.exe'
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\DpiScaling.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 496
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknown Process created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 'C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe'
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe 'C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe'
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\SysWOW64\mobsync.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 484
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Windows\SysWOW64\secinit.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 236
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM ' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Udffvxubuutfiqkrvfkzhnjdxnhxzvn[1] Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBC8.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@32/22@3/1
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2228
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4776
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6824
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\PO-003785GMHN.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000010.00000003.366690021.0000000002C27000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460834520.00000000027D5000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484080545.0000000003629000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp, WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460217485.00000000027CF000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.485168569.0000000003623000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000010.00000002.384758094.00000000027C2000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb! source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484696549.00000000052E4000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdbk source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdb source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb; source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp
Source: Binary string: mobsync.pdb source: WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000010.00000003.366127292.0000000002C21000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460217485.00000000027CF000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.485168569.0000000003623000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb= source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbi source: WerFault.exe, 00000024.00000003.489142600.00000000055A1000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000010.00000003.366557441.0000000002C2D000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460535070.00000000027DB000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484105898.000000000362F000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467574711.0000000004B01000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb{ source: WerFault.exe, 00000024.00000003.489257744.00000000055A3000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000010.00000003.372987270.0000000004E90000.00000004.00000040.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbO source: WerFault.exe, 00000020.00000003.467662945.0000000004AD7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000010.00000003.366690021.0000000002C27000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.460834520.00000000027D5000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.484080545.0000000003629000.00000004.00000001.sdmp
Source: Binary string: DpiScaling.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb/ source: WerFault.exe, 00000010.00000003.372995217.0000000004E97000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000010.00000003.372979714.0000000004D41000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000003.467599900.0000000004AD0000.00000004.00000040.sdmp
Source: Binary string: secinit.pdb source: WerFault.exe, 00000024.00000003.489208654.00000000055D1000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_5049B832 push eax; ret 7_2_5049B838
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_5049B89C push eax; ret 7_2_5049B8A2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_50489294 push ecx; retf 7_2_50489296
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_5049B83B push eax; ret 30_2_5049B8A2
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_5049B832 push eax; ret 30_2_5049B838
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_5049B89C push eax; ret 30_2_5049B8A2
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_5049C952 push esi; ret 30_2_5049C954
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_504999A4 push 3788F9D1h; ret 30_2_504999A9
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_50489294 push ecx; retf 30_2_50489296
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_50495EC4 push cs; retf 30_2_50495ECB
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 30_2_5049B7E5 push eax; ret 30_2_5049B838
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_5049B83B push eax; ret 34_2_5049B8A2
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_5049B832 push eax; ret 34_2_5049B838
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_5049B89C push eax; ret 34_2_5049B8A2
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_5049C952 push esi; ret 34_2_5049C954
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_504999A4 push 3788F9D1h; ret 34_2_504999A9
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_50489294 push ecx; retf 34_2_50489296
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_50495EC4 push cs; retf 34_2_50495ECB
Source: C:\Windows\SysWOW64\secinit.exe Code function: 34_2_5049B7E5 push eax; ret 34_2_5049B838
PE file contains sections with non-standard names
Source: PO-003785GMHN.exe Static PE information: section name: .....
Source: PO-003785GMHN.exe Static PE information: section name: ......
Source: PO-003785GMHN.exe Static PE information: section name: .....
Source: PO-003785GMHN.exe Static PE information: section name: ....
Source: PO-003785GMHN.exe Static PE information: section name: ......
Source: PO-003785GMHN.exe Static PE information: section name: ....
Source: PO-003785GMHN.exe Static PE information: section name: ......
Source: PO-003785GMHN.exe Static PE information: section name: ......
Source: PO-003785GMHN.exe Static PE information: section name: .....
Source: Udffvxu.exe.1.dr Static PE information: section name: .....
Source: Udffvxu.exe.1.dr Static PE information: section name: ......
Source: Udffvxu.exe.1.dr Static PE information: section name: .....
Source: Udffvxu.exe.1.dr Static PE information: section name: ....
Source: Udffvxu.exe.1.dr Static PE information: section name: ......
Source: Udffvxu.exe.1.dr Static PE information: section name: ....
Source: Udffvxu.exe.1.dr Static PE information: section name: ......
Source: Udffvxu.exe.1.dr Static PE information: section name: ......
Source: Udffvxu.exe.1.dr Static PE information: section name: .....
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: ......

Persistence and Installation Behavior:

barindex
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\PO-003785GMHN.exe File created: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Udffvxu Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Udffvxu Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon4828.png
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_504888C4 rdtsc 7_2_504888C4
Source: WerFault.exe, 00000020.00000002.493334163.00000000048B0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW-
Source: WerFault.exe, 00000024.00000002.508314078.00000000052D0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(._
Source: WerFault.exe, 00000010.00000003.381716313.0000000004B2C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWF
Source: WerFault.exe, 00000010.00000003.381716313.0000000004B2C000.00000004.00000001.sdmp, WerFault.exe, 00000020.00000002.493420445.00000000048CD000.00000004.00000001.sdmp, WerFault.exe, 00000024.00000003.505411077.00000000035E7000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000010.00000003.381944567.0000000004B11000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWh

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_504888C4 rdtsc 7_2_504888C4
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\DpiScaling.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\mobsync.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\secinit.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_50483C54 LdrInitializeThunk,LdrInitializeThunk, 7_2_50483C54

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 50480000 Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: CE0000 Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: CF0000 Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50480000 Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 170000 Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 180000 Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 50480000 Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: CF0000 Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: D00000 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 50480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: CE0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: CF0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 170000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 180000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: CF0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: D00000 protect: page execute and read and write Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: CF0000 Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 180000 Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: D00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO-003785GMHN.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM ' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe Jump to behavior
Source: DpiScaling.exe, 00000007.00000000.358761161.0000000003470000.00000002.00020000.sdmp, mobsync.exe, 0000001E.00000000.455042807.00000000033F0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: DpiScaling.exe, 00000007.00000000.358761161.0000000003470000.00000002.00020000.sdmp, mobsync.exe, 0000001E.00000000.455042807.00000000033F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: DpiScaling.exe, 00000007.00000000.358761161.0000000003470000.00000002.00020000.sdmp, mobsync.exe, 0000001E.00000000.455042807.00000000033F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: DpiScaling.exe, 00000007.00000000.358761161.0000000003470000.00000002.00020000.sdmp, mobsync.exe, 0000001E.00000000.455042807.00000000033F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Libraries\Udffvxu\Udffvxu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000022.00000000.478897556.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.512235131.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.453766175.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.477831874.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.450597027.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.360555966.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.455142983.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.496353444.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.358896384.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.354062641.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.388052606.0000000050481000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.474384700.0000000050481000.00000040.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491604 Sample: PO-003785GMHN.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->65 67 3 other signatures 2->67 8 PO-003785GMHN.exe 1 22 2->8         started        13 Udffvxu.exe 13 2->13         started        15 Udffvxu.exe 14 2->15         started        process3 dnsIp4 55 maxvilletruck.com 64.33.128.70, 443, 49743, 49744 AIRSTREAMCOMM-NETUS United States 8->55 53 C:\Users\Public\Libraries\...\Udffvxu.exe, PE32 8->53 dropped 69 Writes to foreign memory regions 8->69 71 Allocates memory in foreign processes 8->71 73 Creates a thread in another existing process (thread injection) 8->73 17 cmd.exe 1 8->17         started        20 cmd.exe 1 8->20         started        22 DpiScaling.exe 8->22         started        75 Multi AV Scanner detection for dropped file 13->75 24 mobsync.exe 13->24         started        26 secinit.exe 15->26         started        file5 signatures6 process7 signatures8 57 Uses cmd line tools excessively to alter registry or file data 17->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 17->59 28 cmd.exe 1 17->28         started        31 conhost.exe 17->31         started        33 reg.exe 1 20->33         started        35 conhost.exe 20->35         started        37 WerFault.exe 23 9 22->37         started        39 WerFault.exe 10 24->39         started        41 WerFault.exe 26->41         started        process9 signatures10 77 Uses cmd line tools excessively to alter registry or file data 28->77 43 conhost.exe 28->43         started        45 reg.exe 1 1 28->45         started        47 schtasks.exe 1 28->47         started        49 reg.exe 1 28->49         started        51 conhost.exe 33->51         started        process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
64.33.128.70
 maxvilletruck.com United States
11796 AIRSTREAMCOMM-NETUS false

Contacted Domains

Name IP Active
maxvilletruck.com 64.33.128.70 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.serpascarnes.com/8iwd/ true
  • Avira URL Cloud: safe
 low
https://maxvilletruck.com/errorserverlogrelaapirootterminationloggercongurat/Udffvxubuutfiqkrvfkzhnjdxnhxzvn false
  • Avira URL Cloud: safe
 unknown