Windows Analysis Report ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe

Overview

General Information

Sample Name: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
Analysis ID: 491719
MD5: 3808d4a11cbee20896cca28f9a3bcb9b
SHA1: b3a533d6e00ace2ec0612c9af66c6dd69c5180b3
SHA256: 53c2e53d33f80e88b16cce06621f99680e0e5f387315cb81af97cee58080165a
Tags: DHL, exe, geo, PRT, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Allocates memory in foreign processes
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Creates processes with suspicious names
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Contains long sleeps (>= 3 min)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses reg.exe to modify the Windows registry
Contains functionality to retrieve information about pressed keystrokes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 22.2.mobsync.exe.400000.0.unpack Malware Configuration Extractor: Remcos {"Version": "3.1.5 Pro", "Host:Port:Password": "ongod4ever.ddns.net:5652:0", "Assigned name": "ABLE GOD", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-8VTGWT", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
Multi AV Scanner detection for submitted file
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Virustotal: Detection: 26%
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe ReversingLabs: Detection: 24%
Yara detected Remcos RAT
Source: Yara match File source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mobsync.exe PID: 1368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mobsync.exe PID: 4108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: secinit.exe PID: 6644, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe ReversingLabs: Detection: 24%
Source: mobsync.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance:

Uses 32bit PE files
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 5_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_00406176 FindFirstFileW,FindNextFileW, 5_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 22_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_00406176 FindFirstFileW,FindNextFileW, 22_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 22_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 22_2_0040A5CA
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004456A9 FindFirstFileExA, 22_2_004456A9
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 22_2_004077EE
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, 22_2_00406930

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: ongod4ever.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: ongod4ever.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 185.140.53.15:5652
Source: Iqzenco.exe, 00000010.00000003.750864485.00000000007B1000.00000004.00000001.sdmp String found in binary or memory: https://bl30uw.sn.files.1drv.com/y4mGst0byrg6Ub0CK8iKHaximJI4M7D1uUmqxfl02ZpIfKXbkyeYXQLL6P2J6UxS4Yz
Source: Iqzenco.exe, 00000010.00000003.752060770.00000000007A3000.00000004.00000001.sdmp String found in binary or memory: https://bl30uw.sn.files.1drv.com/y4maOmpRLgEZgKpnLv-hczrMb96VqtMQDZd-m0g51QRpK-v8c65WYNUi2NOLDdGNQiU
Source: Iqzenco.exe, 00000010.00000003.750846747.00000000007A3000.00000004.00000001.sdmp String found in binary or memory: https://bl30uw.sn.files.1drv.com/y4msI7_EyjC8cs97rdyt7ReCTl2WoedGiqx9hVOiugfpodFj4cXgoX5lAQfrGe41zrt
Source: Iqzenco.exe, 00000010.00000003.752060770.00000000007A3000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=97429F42E815B766&resid=97429F42E815B766%21166&authkey=AFRFbbm
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0041242F Sleep,URLDownloadToFileW, 22_2_0041242F

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 22_2_004126A5
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004089BC GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 22_2_004089BC
Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004126A5 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 22_2_004126A5

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mobsync.exe PID: 1368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mobsync.exe PID: 4108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: secinit.exe PID: 6644, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
Uses 32bit PE files
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\Public\Libraries\ocnezqI.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Contains functionality to shutdown / reboot the system
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_00412598 ExitWindowsEx,LoadLibraryA,GetProcAddress, 22_2_00412598
Detected potential crypto function
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0042E02D 5_2_0042E02D
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_004330D1 5_2_004330D1
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0043424F 5_2_0043424F
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0042220F 5_2_0042220F
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0041A3F8 5_2_0041A3F8
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0042E02D 22_2_0042E02D
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004330D1 22_2_004330D1
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0043424F 22_2_0043424F
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0042220F 22_2_0042220F
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0041A3F8 22_2_0041A3F8
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004304DB 22_2_004304DB
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0044C56A 22_2_0044C56A
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004335CD 22_2_004335CD
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0043E6E0 22_2_0043E6E0
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0044A725 22_2_0044A725
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004378EC 22_2_004378EC
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004228AD 22_2_004228AD
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004339E5 22_2_004339E5
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004229F0 22_2_004229F0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\mobsync.exe Code function: String function: 0042EDF6 appears 64 times
Source: C:\Windows\SysWOW64\mobsync.exe Code function: String function: 00402064 appears 87 times
Source: C:\Windows\SysWOW64\mobsync.exe Code function: String function: 0042F460 appears 43 times
Source: C:\Windows\SysWOW64\mobsync.exe Code function: String function: 004165D8 appears 37 times
Source: C:\Windows\SysWOW64\mobsync.exe Code function: String function: 004020B5 appears 31 times
Source: C:\Windows\SysWOW64\mobsync.exe Code function: String function: 00404818 appears 31 times
PE file contains strange resources
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Iqzenco.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Iqzenco.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Virustotal: Detection: 26%
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe ReversingLabs: Detection: 24%
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File read: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe 'C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe'
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
Source: unknown Process created: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe 'C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe'
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_004132F7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 5_2_004132F7
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004132F7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 22_2_004132F7
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Iqzencolmjnhoxprppdkgkfyidrxfas[1]
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/10@49/2
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0040D1AD GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle, 5_2_0040D1AD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5192:120:WilError_01
Source: C:\Windows\SysWOW64\mobsync.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-8VTGWT
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_01
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0040D41E FindResourceA,LoadResource,LockResource,SizeofResource, 22_2_0040D41E
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\mobsync.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\mobsync.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_00458435 push esi; ret 22_2_0045843E
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0042F4A6 push ecx; ret 22_2_0042F4B9
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_00450918 push eax; ret 22_2_00450936
PE file contains sections with non-standard names
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: section name: .....
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: section name: ......
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: section name: .....
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: section name: ....
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: section name: ......
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: section name: ....
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: section name: ......
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: section name: ......
Source: ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Static PE information: section name: .....
Source: Iqzenco.exe.0.dr Static PE information: section name: .....
Source: Iqzenco.exe.0.dr Static PE information: section name: ......
Source: Iqzenco.exe.0.dr Static PE information: section name: .....
Source: Iqzenco.exe.0.dr Static PE information: section name: ....
Source: Iqzenco.exe.0.dr Static PE information: section name: ......
Source: Iqzenco.exe.0.dr Static PE information: section name: ....
Source: Iqzenco.exe.0.dr Static PE information: section name: ......
Source: Iqzenco.exe.0.dr Static PE information: section name: ......
Source: Iqzenco.exe.0.dr Static PE information: section name: .....
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 5_2_0040D072
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: ......

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File created: \entrega de documentos dhl _ 27-09-21,pdf.exe
Drops PE files
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe File created: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Iqzenco
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Iqzenco

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon4828.png
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 5_2_0040D072
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mobsync.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Delayed program exit found
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0040D455 Sleep,ExitProcess, 5_2_0040D455
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0040D455 Sleep,ExitProcess, 22_2_0040D455
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\mobsync.exe TID: 3628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\mobsync.exe TID: 3880 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\secinit.exe TID: 2388 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\mobsync.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\mobsync.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\mobsync.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\secinit.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 5_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_00406176 FindFirstFileW,FindNextFileW, 5_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004170AC FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose, 22_2_004170AC
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_00406176 FindFirstFileW,FindNextFileW, 22_2_00406176
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0040A3AF FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 22_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0040A5CA FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 22_2_0040A5CA
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004456A9 FindFirstFileExA, 22_2_004456A9
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004077EE __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 22_2_004077EE
Source: C:\Windows\SysWOW64\mobsync.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\mobsync.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\secinit.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_00406930 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,StrToIntA,CreateDirectoryW,GetFileAttributesW,DeleteFileW, 22_2_00406930

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0042F07F
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0040D072 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress, 5_2_0040D072
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0044697D GetProcessHeap, 22_2_0044697D
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0043B789 mov eax, dword ptr fs:[00000030h] 22_2_0043B789
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0042F1CD SetUnhandledExceptionFilter, 5_2_0042F1CD
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0042F07F
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_004360A3
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0042F1CD SetUnhandledExceptionFilter, 22_2_0042F1CD
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0042F07F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_0042F07F
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_004360A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_004360A3
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0042F62C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_0042F62C

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2C60000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2C70000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2C80000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D10000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D20000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D30000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D40000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D50000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D60000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D70000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D80000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50600000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D90000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2DA0000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D30000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D40000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2D50000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2DE0000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 2DF0000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3000000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3010000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3020000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3030000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3040000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3050000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 50600000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3060000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\mobsync.exe base: 3070000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F50000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F60000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 2F70000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3200000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3210000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3220000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3230000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3240000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3250000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3260000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3270000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 50600000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3280000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory written: C:\Windows\SysWOW64\secinit.exe base: 3290000
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50600000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2C60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2C70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2C80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D10000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D30000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D40000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D50000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D60000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D80000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D90000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2DA0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 50600000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D30000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D40000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2D50000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2DE0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 2DF0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3000000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3010000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3020000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3030000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3040000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3050000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3060000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\mobsync.exe base: 3070000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 50600000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F50000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F60000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 2F70000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3200000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3210000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3220000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3230000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3240000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3250000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3260000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3270000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3280000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Memory allocated: C:\Windows\SysWOW64\secinit.exe base: 3290000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2C80000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2D40000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2D80000
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2DA0000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 2D50000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 3010000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 3050000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Thread created: C:\Windows\SysWOW64\mobsync.exe EIP: 3070000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 2F70000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 3230000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 3270000
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Thread created: C:\Windows\SysWOW64\secinit.exe EIP: 3290000
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe 22_2_0040F4B7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ENTREGA DE DOCUMENTOS DHL _ 27-09-21,pdf.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Process created: C:\Windows\SysWOW64\mobsync.exe C:\Windows\System32\mobsync.exe
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Process created: C:\Windows\SysWOW64\secinit.exe C:\Windows\System32\secinit.exe
Contains functionality to simulate mouse events
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_00414923 StrToIntA,mouse_event, 22_2_00414923
Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: mobsync.exe, 00000005.00000000.720932112.00000000035A0000.00000002.00020000.sdmp, mobsync.exe, 00000016.00000000.816684928.00000000038C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number, etc.) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 5_2_00441069
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 5_2_00449143
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_0044926C
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 5_2_00449373
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 22_2_00441069
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 22_2_00449143
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 22_2_0044926C
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoW, 22_2_00449373
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 22_2_00449440
Source: C:\Windows\SysWOW64\mobsync.exe Code function: GetLocaleInfoA, 22_2_0040D585
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_0042F2AB cpuid 5_2_0042F2AB
Source: C:\Users\Public\Libraries\Iqzenco\Iqzenco.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_004410D3 GetSystemTimeAsFileTime, 5_2_004410D3
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 22_2_0044190C _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 22_2_0044190C
Source: C:\Windows\SysWOW64\mobsync.exe Code function: 5_2_004166F6 GetComputerNameExW,GetUserNameW, 5_2_004166F6

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match File source: 22.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.50601a02.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.mobsync.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.secinit.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.mobsync.exe.50601a02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.mobsync.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.938674908.0000000002EA7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.827146573.0000000003178000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.939914286.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.827407780.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.851109980.0000000050601000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.850918949.0000000003327000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mobsync.exe PID: 1368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mobsync.exe PID: 4108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: secinit.exe PID: 6644, type: MEMORYSTR
Contains functionality to steal Firefox passwords or cookies
Source: C:\Windows\SysWOW64\mobsync.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 22_2_0040A3AF
Source: C:\Windows\SysWOW64\mobsync.exe Code function: \key3.db 22_2_0040A3AF
Contains functionality to steal Chrome passwords or cookies
Source: C:\Windows\SysWOW64\mobsync.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0040A291
Source: C:\Windows\SysWOW64\mobsync.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 22_2_0040A291

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match (same UNPACKEDPE, MEMORY and MEMORYSTR sources as listed under "Stealing of Sensitive Information" above)
Detected Remcos RAT
Source: mobsync.exe String found in binary or memory: Remcos_Mutex_Inj
Source: mobsync.exe, 00000005.00000002.937782591.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
Source: mobsync.exe String found in binary or memory: Remcos_Mutex_Inj
Source: mobsync.exe, 00000016.00000002.825096146.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
Source: secinit.exe, 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: secinit.exe, 0000001A.00000002.850111414.0000000000400000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicence_code.txtSoftware\WDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceUserAccess level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\SETTINGSoverridepth_unenc3.1.5 Prov|
Contains functionality to launch and control a shell (cmd.exe)
Source: C:\Windows\SysWOW64\mobsync.exe Code function: cmd.exe 22_2_0040559D