Loading ...

Play interactive tourEdit tour

Windows Analysis Report ZM80M76Nwv.exe

Overview

General Information

Sample Name:ZM80M76Nwv.exe
Analysis ID:528754
MD5:3c93f57536f15046b52f4340edba42da
SHA1:a7b4f2c0390ebc7c4b7aa5bbfbb60503aba08955
SHA256:493ea8db7e8d8554d3f3c1dcbcf661dc5027892b02d262dfdcb58372e257191b
Tags:exeRedLineStealer
Infos:

Most interesting Screenshot:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
PE file has nameless sections
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
One or more processes crash
PE file contains an invalid checksum
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file overlay found

Classification

Process Tree

  • System is w10x64
  • ZM80M76Nwv.exe (PID: 796 cmdline: "C:\Users\user\Desktop\ZM80M76Nwv.exe" MD5: 3C93F57536F15046B52F4340EDBA42DA)
    • WerFault.exe (PID: 6392 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 208 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: ZM80M76Nwv.exeVirustotal: Detection: 35%Perma Link
Machine Learning detection for sampleShow sources
Source: ZM80M76Nwv.exeJoe Sandbox ML: detected
Source: ZM80M76Nwv.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.685564115.00000000053E1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.685564115.00000000053E1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.685564115.00000000053E1000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.685564115.00000000053E1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.685564115.00000000053E1000.00000004.00000001.sdmp
Source: Amcache.hve.3.drString found in binary or memory: http://upx.sf.net
Source: ZM80M76Nwv.exe, 00000000.00000002.700215242.0000000000E4A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
PE file has nameless sectionsShow sources
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: ZM80M76Nwv.exeStatic PE information: No import functions for PE file found
Source: C:\Users\user\Desktop\ZM80M76Nwv.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 208
Source: ZM80M76Nwv.exeStatic PE information: Data appended to the last section found
Source: ZM80M76Nwv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: ZM80M76Nwv.exeStatic PE information: Section: ZLIB complexity 1.00051229508
Source: ZM80M76Nwv.exeStatic PE information: Section: ZLIB complexity 1.0107421875
Source: ZM80M76Nwv.exeVirustotal: Detection: 35%
Source: C:\Users\user\Desktop\ZM80M76Nwv.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\ZM80M76Nwv.exe "C:\Users\user\Desktop\ZM80M76Nwv.exe"
Source: C:\Users\user\Desktop\ZM80M76Nwv.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 208
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess796
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC02.tmpJump to behavior
Source: classification engineClassification label: mal56.winEXE@2/6@0/1
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: ZM80M76Nwv.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x3dc000
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.685564115.00000000053E1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.685564115.00000000053E1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.685564115.00000000053E1000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.685564115.00000000053E1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.685564115.00000000053E1000.00000004.00000001.sdmp
Source: ZM80M76Nwv.exeStatic PE information: real checksum: 0x42a356 should be: 0x39e83
Source: C:\Windows\SysWOW64\WerFault.exeCode function: 3_2_02DDEB6E pushad ; ret 3_2_02DDEB70
Source: C:\Windows\SysWOW64\WerFault.exeCode function: 3_2_02DD7E33 pushad ; ret 3_2_02DD7E75
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name:
Source: ZM80M76Nwv.exeStatic PE information: section name: .AqWcUFG
Source: ZM80M76Nwv.exeStatic PE information: section name: .adata
Source: initial sampleStatic PE information: section name: entropy: 7.99401104881
Source: initial sampleStatic PE information: section name: entropy: 7.78065343968
Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: Amcache.hve.3.drBinary or memory string: VMware
Source: Amcache.hve.3.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.drBinary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.3.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.3.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.drBinary or memory string: VMware7,1
Source: Amcache.hve.3.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.drBinary or memory string: VMware, Inc.me
Source: Amcache.hve.3.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\ZM80M76Nwv.exeProcess queried: DebugPortJump to behavior
Source: Amcache.hve.3.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion1Input Capture1Query Registry1Remote ServicesInput Capture1Exfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsSoftware Packing2LSASS MemorySecurity Software Discovery21Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerVirtualization/Sandbox Evasion1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSSystem Information Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.