Windows Analysis Report hTu8FeYy28.exe

Overview

General Information

Sample Name: hTu8FeYy28.exe
Analysis ID: 499635
MD5: a003b564bd23880f99a29006e780a89b
SHA1: 8465374554a0c6c02f7914c1278afd79e96ed8c4
SHA256: 5bc09c3c2a751169a32cf97a62765f127bce2d0eadce3481a6a831b6fdcc044e
Tags: exe, ModiLoader

Detection

Clipboard Hijacker
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Yara detected Clipboard Hijacker
Contains functionality to compare user and computer (likely to detect sandboxes)
Uses schtasks.exe or at.exe to add and modify task schedules
Injects a PE file into a foreign processes
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Uses reg.exe to modify the Windows registry
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Dropped file seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • hTu8FeYy28.exe (PID: 3092 cmdline: 'C:\Users\user\Desktop\hTu8FeYy28.exe' MD5: A003B564BD23880F99A29006E780A89B)
    • hTu8FeYy28.exe (PID: 2336 cmdline: C:\Users\user\Desktop\hTu8FeYy28.exe MD5: A003B564BD23880F99A29006E780A89B)
      • schtasks.exe (PID: 4600 cmdline: /C /create /F /sc minute /mo 1 /tn 'Azure-Update-Task' /tr 'C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4528 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2824 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6920 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 1716 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 4776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • fodhelper.exe (PID: 3548 cmdline: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe MD5: A003B564BD23880F99A29006E780A89B)
  • cleanup

Malware Configuration

Threatname: Clipboard Hijacker

{"Crypto Addresses": ["Ae2tdPwUPEZDqNhACJ3ZT5NdXjkNffGAwa4Mc9N87udKWYzt1VnFngLMnPE", "addr1q9clx0ud02ehvzuqqtqu4tchl6g9kkzllcl2zjpan9kp39m37vlc674nwc9cqqkpe2h30l5stdv9ll3759yrmxtvrztspanadd", "bc1q7hrr7lvjrgdcskmnydwry3629c73qfx9gpk2mc", "cosmos1l8p5237wclrtqf8upw8quwuj32f30zv8gej0jc", "ltc1q0jyf5za7n5pxuz8tgvhzjkaaf5cz5kykp5cd55", "D7Dhy317Lph7ZAx4GALQtYdzcFrx35GSNK", "AYFTxSxSzjDWb2D3fs4TjjsswB41M6Tw6T", "7UT25554RQSTW2S44UVFYWZIZDWQIKUT3O7LG4QBOYDJ7IIEBVFYZZW4YI", "MFxCfYKXwLG1eM93xuNoNCzLoy7an3Ekud", "00000L0000T00MON00000000000000000000000LZRNV3CB6Ei9bZtXDQ2k6Sy7emnNX4rzTQ00000000000000W0000000", "D2eMjtv3Fh2EnsZ8SH4FCyvwxNawtpHDxXzBgS4sME4M", "0x4b222739496bcf2AA1F609585dACd8858943B39c", "84VKKNB6tQLam7LPn9PTdKYUfZepoYTfmMMYFEa7btqs7XMqyPWpMdq9FGSvZKsVNgDddtC5JTr1p3ACp9Cbod2f8KABjkw", "CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG", "t3SCmhgjNi8B5amJUw61Tc86B9CsTTJvPy7", "TM5d5ZK4uEDe3Ry8gy35nTQLcswbHDzS95", "18SJmQtHkoRMaaJSCPHn85u5dgTXTiDBZN", "Z18SJmQtHkoRMaaJSCPHn85u5dgTXTiDBZN", "3JxVQHXyiwwws3Yykkw2sUbRNkgimDi725", "bnb1xw6czzmz0arvpf88ufwj4k0yfwfd8vps9f43xu", "LZRNV3CB6Ei9bZtXDQ2k6Sy7emnNX4rzTQ"]}

Yara Overview

Memory Dumps

Source: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_Clipboard_Hijacker | Description: Yara detected Clipboard Hijacker | Author: Joe Security
Source: 00000011.00000001.524041171.0000000000400000.00000040.00020000.sdmp | Rule: JoeSecurity_Clipboard_Hijacker | Description: Yara detected Clipboard Hijacker | Author: Joe Security

Unpacked PEs

Source: 17.2.hTu8FeYy28.exe.400000.0.raw.unpack | Rule: JoeSecurity_Clipboard_Hijacker | Description: Yara detected Clipboard Hijacker | Author: Joe Security
Source: 17.2.hTu8FeYy28.exe.400000.0.unpack | Rule: JoeSecurity_Clipboard_Hijacker | Description: Yara detected Clipboard Hijacker | Author: Joe Security
Source: 17.1.hTu8FeYy28.exe.400000.0.raw.unpack | Rule: JoeSecurity_Clipboard_Hijacker | Description: Yara detected Clipboard Hijacker | Author: Joe Security
Source: 17.1.hTu8FeYy28.exe.400000.0.unpack | Rule: JoeSecurity_Clipboard_Hijacker | Description: Yara detected Clipboard Hijacker | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 17.1.hTu8FeYy28.exe.400000.0.unpack | Malware Configuration Extractor: Clipboard Hijacker {"Crypto Addresses": ["Ae2tdPwUPEZDqNhACJ3ZT5NdXjkNffGAwa4Mc9N87udKWYzt1VnFngLMnPE", "addr1q9clx0ud02ehvzuqqtqu4tchl6g9kkzllcl2zjpan9kp39m37vlc674nwc9cqqkpe2h30l5stdv9ll3759yrmxtvrztspanadd", "bc1q7hrr7lvjrgdcskmnydwry3629c73qfx9gpk2mc", "cosmos1l8p5237wclrtqf8upw8quwuj32f30zv8gej0jc", "ltc1q0jyf5za7n5pxuz8tgvhzjkaaf5cz5kykp5cd55", "D7Dhy317Lph7ZAx4GALQtYdzcFrx35GSNK", "AYFTxSxSzjDWb2D3fs4TjjsswB41M6Tw6T", "7UT25554RQSTW2S44UVFYWZIZDWQIKUT3O7LG4QBOYDJ7IIEBVFYZZW4YI", "MFxCfYKXwLG1eM93xuNoNCzLoy7an3Ekud", "00000L0000T00MON00000000000000000000000LZRNV3CB6Ei9bZtXDQ2k6Sy7emnNX4rzTQ00000000000000W0000000", "D2eMjtv3Fh2EnsZ8SH4FCyvwxNawtpHDxXzBgS4sME4M", "0x4b222739496bcf2AA1F609585dACd8858943B39c", "84VKKNB6tQLam7LPn9PTdKYUfZepoYTfmMMYFEa7btqs7XMqyPWpMdq9FGSvZKsVNgDddtC5JTr1p3ACp9Cbod2f8KABjkw", "CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG", "t3SCmhgjNi8B5amJUw61Tc86B9CsTTJvPy7", "TM5d5ZK4uEDe3Ry8gy35nTQLcswbHDzS95", "18SJmQtHkoRMaaJSCPHn85u5dgTXTiDBZN", "Z18SJmQtHkoRMaaJSCPHn85u5dgTXTiDBZN", "3JxVQHXyiwwws3Yykkw2sUbRNkgimDi725", "bnb1xw6czzmz0arvpf88ufwj4k0yfwfd8vps9f43xu", "LZRNV3CB6Ei9bZtXDQ2k6Sy7emnNX4rzTQ"]}
Multi AV Scanner detection for submitted file
Source: hTu8FeYy28.exe | Virustotal: Detection: 12%
Source: 17.1.hTu8FeYy28.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 17.2.hTu8FeYy28.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Unpacked PE file: 17.2.hTu8FeYy28.exe.400000.0.unpack
Source: hTu8FeYy28.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 162.159.130.233 162.159.130.233
Source: Joe Sandbox View | IP Address: 162.159.130.233 162.159.130.233
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic | HTTP traffic detected: GET /attachments/895973838674862135/895974928933875752/Lnouxqkbbgkvxwmwtigvjxpvnenadlc HTTP/1.1 | User-Agent: lVali | Host: cdn.discordapp.com
Source: global traffic | HTTP traffic detected: GET /attachments/895973838674862135/895974928933875752/Lnouxqkbbgkvxwmwtigvjxpvnenadlc HTTP/1.1 | User-Agent: aswe | Host: cdn.discordapp.com | Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49821 version: TLS 1.2
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: 17_2_00401FEF OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,17_2_00401FEF
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: 17_2_00401F8B GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,GlobalFree,17_2_00401F8B
Source: hTu8FeYy28.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: hTu8FeYy28.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hTu8FeYy28.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fodhelper.exe.17.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: fodhelper.exe.17.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe 5BC09C3C2A751169A32CF97A62765F127BCE2D0EADCE3481A6A831B6FDCC044E
Source: hTu8FeYy28.exe | Virustotal: Detection: 12%
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File read: C:\Users\user\Desktop\hTu8FeYy28.exe
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown | Process created: C:\Users\user\Desktop\hTu8FeYy28.exe 'C:\Users\user\Desktop\hTu8FeYy28.exe'
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Users\user\Desktop\hTu8FeYy28.exe C:\Users\user\Desktop\hTu8FeYy28.exe
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn 'Azure-Update-Task' /tr 'C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Users\user\Desktop\hTu8FeYy28.exe C:\Users\user\Desktop\hTu8FeYy28.exe
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' '
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn 'Azure-Update-Task' /tr 'C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Mutant created: \Sessions\1\BaseNamedObjects\CH4PG3PB-6HT2VI9C-O2NL2NO5-QP1BW0EG
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4776:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_01
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Lnouxqkbbgkvxwmwtigvjxpvnenadlc[1]
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: classification engine | Classification label: mal92.spyw.evad.winEXE@21/8@1/1
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: hTu8FeYy28.exe | Static file information: File size 1195008 > 1048576

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Unpacked PE file: 17.2.hTu8FeYy28.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Unpacked PE file: 17.2.hTu8FeYy28.exe.400000.0.unpack
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: 17_2_00401000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,17_2_00401000
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn 'Azure-Update-Task' /tr 'C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe'
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: 17_2_00401000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,17_2_00401000
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: GetModuleFileNameW,SHGetFolderPathW,PathAppendW,PathIsDirectoryW,CreateDirectoryW,PathAppendW,StrStrW,CopyFileW,ExitProcess,17_2_00401272
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Code function: 17_2_00401000 LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,17_2_00401000

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Memory written: C:\Users\user\Desktop\hTu8FeYy28.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\hTu8FeYy28.exe | Process created: C:\Users\user\Desktop\hTu8FeYy28.exe C:\Users\user\Desktop\hTu8FeYy28.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: fodhelper.exe, 0000001A.00000002.561710957.0000000000E80000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

Yara detected Clipboard Hijacker
Source: Yara match | File source: 17.2.hTu8FeYy28.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.hTu8FeYy28.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.hTu8FeYy28.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.hTu8FeYy28.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.526837252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000001.524041171.0000000000400000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Techniques per tactic column (the number after a technique is the count shown against it in the report):

  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
  • Execution: Scheduled Task/Job (1); Scripting (1); Native API (1); At (Windows); Cron
  • Persistence: Scheduled Task/Job (1); Application Shimming (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
  • Privilege Escalation: Process Injection (112); Scheduled Task/Job (1); Application Shimming (1); Logon Script (Mac); Network Logon Script
  • Defense Evasion: Masquerading (1); Modify Registry (1); Process Injection (112); Scripting (1); Software Packing (21)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
  • Discovery: Security Software Discovery (1); Process Discovery (1); Remote System Discovery (1); System Information Discovery (11); Remote System Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
  • Collection: Clipboard Data (2); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
  • Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet