
Windows Analysis Report g3r7OOQiri.exe

Overview

General Information

Sample Name:g3r7OOQiri.exe
Analysis ID:528755
MD5:523928f18d5110ae858049b3e8e7ffe1
SHA1:741c67937cc564d2d0bb989ab09997ffd6be1296
SHA256:aef6752333e99c747f01eb9345f03ccbc6a162054dfb705afd7c3040e8219e45
Tags:exe

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
PE file has nameless sections
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
One or more processes crash
PE file contains an invalid checksum
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file overlay found

Classification

Process Tree

  • System is w10x64
  • g3r7OOQiri.exe (PID: 4440 cmdline: "C:\Users\user\Desktop\g3r7OOQiri.exe" MD5: 523928F18D5110AE858049B3E8E7FFE1)
    • WerFault.exe (PID: 6192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 224 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: g3r7OOQiri.exe -- Virustotal: Detection: 15%
Machine Learning detection for sample
Source: g3r7OOQiri.exe -- Joe Sandbox ML: detected
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.271148063.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.269509283.0000000003547000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.269586332.0000000003547000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.269453181.000000000355F000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.271148063.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.269524012.000000000354D000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.269596927.000000000354D000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000003.00000003.269524012.000000000354D000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.269596927.000000000354D000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.271148063.00000000054A1000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.269580887.0000000003541000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.269484163.0000000003541000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000003.00000003.269509283.0000000003547000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.269586332.0000000003547000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.271148063.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000003.00000003.269391178.000000000355D000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000003.00000003.271148063.00000000054A1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000003.00000003.269580887.0000000003541000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000003.269484163.0000000003541000.00000004.00000001.sdmp
Source: WerFault.exe, 00000003.00000003.283148918.000000000353A000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000002.285011314.000000000353A000.00000004.00000001.sdmp -- String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.3.dr -- String found in binary or memory: http://upx.sf.net

System Summary:

PE file has nameless sections
Source: g3r7OOQiri.exe -- Static PE information: section name: (empty) [reported 11 times, once per nameless section]
Source: g3r7OOQiri.exe -- Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: g3r7OOQiri.exe -- Static PE information: No import functions for PE file found
Source: C:\Users\user\Desktop\g3r7OOQiri.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 224
Source: g3r7OOQiri.exe -- Static PE information: Number of sections : 14 > 10
Source: g3r7OOQiri.exe -- Static PE information: Data appended to the last section found
Source: g3r7OOQiri.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: g3r7OOQiri.exe -- Static PE information: Section: (empty) ZLIB complexity 1.00042941046
Source: g3r7OOQiri.exe -- Static PE information: Section: (empty) ZLIB complexity 1.004296875
Source: g3r7OOQiri.exe -- Static PE information: Section: (empty) ZLIB complexity 1.00097595599
Source: C:\Users\user\Desktop\g3r7OOQiri.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown -- Process created: C:\Users\user\Desktop\g3r7OOQiri.exe "C:\Users\user\Desktop\g3r7OOQiri.exe"
Source: C:\Windows\SysWOW64\WerFault.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4440
Source: C:\Windows\SysWOW64\WerFault.exe -- File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER891B.tmp
Source: classification engine -- Classification label: mal56.winEXE@2/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe -- File read: C:\Windows\System32\drivers\etc\hosts
Source: g3r7OOQiri.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: g3r7OOQiri.exe -- Static PE information: real checksum: 0x14efe5 should be: 0x1c55f
Source: C:\Windows\SysWOW64\WerFault.exe -- Code function: 3_2_02F2E82B pushad ; ret 3_2_02F2E844
Source: g3r7OOQiri.exe -- Static PE information: section name: (empty) [reported 11 times, once per nameless section]
Source: g3r7OOQiri.exe -- Static PE information: section name: .ShqA6WN
Source: g3r7OOQiri.exe -- Static PE information: section name: .adata
Source: initial sample -- Static PE information: section name: (empty) entropy: 7.9974253827
Source: initial sample -- Static PE information: section name: (empty) entropy: 7.92908677458
Source: initial sample -- Static PE information: section name: (empty) entropy: 7.98297122027
Source: C:\Windows\SysWOW64\WerFault.exe -- Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe -- Process information set: NOOPENFILEERRORBOX [reported 19 times]
Of these, the pushad ; ret code function, the HKEY_CURRENT_USER_Classes monitoring and every Process information set entry are attributed to WerFault.exe, the crash handler spawned for PID 4440, not to g3r7OOQiri.exe; only the static PE facts describe the sample itself.
Source: Amcache.hve.3.dr -- Binary or memory string: VMware
Source: Amcache.hve.3.dr -- Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr -- Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr -- Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr -- Binary or memory string: VMware, Inc.
Source: WerFault.exe, 00000003.00000003.283185366.000000000356D000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000002.285040839.000000000356D000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.3.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr -- Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr -- Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr -- Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr -- Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000003.00000003.283240472.000000000351E000.00000004.00000001.sdmp, WerFault.exe, 00000003.00000002.284995893.000000000352A000.00000004.00000020.sdmp -- Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr -- Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr -- Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr -- Binary or memory string: VMware, Inc.me
Source: WerFault.exe, 00000003.00000003.281244930.000000000356D000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: Amcache.hve.3.dr -- Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr -- Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.3.dr -- Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\g3r7OOQiri.exe -- Process queried: DebugPort
Source: Amcache.hve.3.dr -- Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr -- Binary or memory string: c:\program files\windows defender\msmpeng.exe
Amcache.hve.3.dr is the analysis machine's Amcache hive, written out as a dropped file by WerFault.exe (process 3) while it assembled the crash report, so the VMware, Hyper-V and msmpeng.exe strings above describe the sandbox host and its Windows Defender, not content of g3r7OOQiri.exe; the DebugPort query is the only entry in this group attributed to the sample itself.
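The static findings above (eleven nameless sections, .ShqA6WN and .adata, 14 sections, no import table, a stored checksum of 0x14efe5 where 0x1c55f was expected, data appended after the last section, three sections at roughly 7.93 to 7.99 bits of entropy, and a RESERVED data directory claiming size 0x100000 at RVA 0) are all recoverable from the PE headers without running the file. The Python below is an added example written for this page; it is not Joe Sandbox code and is not derived from the sample. It reimplements those checks with the standard library and exercises them against a PE it constructs itself in the same shape. Everything in that constructed file (section contents, the overlay text, the layout, the 13-section count) is made up for the test; the only value borrowed from the report is 0x14efe5, used simply as a stored checksum that is wrong for this file too.

```python
"""Static PE triage for the indicators the report raised. Added example, standard library only; it analyses a constructed PE (below), not g3r7OOQiri.exe."""
import math
import struct
from collections import Counter

FILE_ALIGN = 0x200
IMPORT_DIR, RESERVED_DIR = 1, 15   # IMAGE_DIRECTORY_ENTRY_IMPORT / IMAGE_DIRECTORY_ENTRY_RESERVED
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc", ".tls", ".pdata"}
OVERLAY = b"constructed overlay bytes"   # appended past the last section of the test file

def entropy(blob):
    """Shannon entropy in bits per byte; packed or encrypted sections sit near 8.0."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0

def pe_checksum(data, checksum_off):
    """CheckSum as imagehlp computes it: end-around-carry fold of the file (CheckSum field read as 0) plus file length."""
    buf = bytearray(data) + b"\0" * (-len(data) % 4)
    buf[checksum_off:checksum_off + 4] = b"\0" * 4
    total = 0
    for (dword,) in struct.iter_unpack("<I", buf):
        total = ((total + dword) & 0xFFFFFFFF) + ((total + dword) >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def parse_pe(data):
    """Parse the COFF/optional headers and section table of a PE32 or PE32+ file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" and len(data) >= 0x40 else -1
    if e_lfanew < 0 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    dirs_off = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 vs PE32+
    n_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(min(n_dirs, 16))]
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "raw_ptr": raw_ptr,
                         "raw_size": raw_size, "data": data[raw_ptr:raw_ptr + raw_size]})
    return {"checksum_off": opt + 64, "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "dirs": dirs, "sections": sections}

def triage(data):
    """Evaluate the report's static indicators and return them as a dict of findings."""
    pe = parse_pe(data)
    secs, dirs = pe["sections"], pe["dirs"]
    names = [s["name"] for s in secs]
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in secs), default=0)
    directory = lambda idx: dirs[idx] if len(dirs) > idx else (0, 0)
    computed = pe_checksum(data, pe["checksum_off"])
    return {
        "too_many_sections": len(secs) > 10,                          # report: "Number of sections : 14 > 10"
        "nameless_sections": names.count(""),
        "nonstandard_sections": [n for n in names if n and n not in STANDARD_NAMES],
        "no_imports": directory(IMPORT_DIR) == (0, 0),                # no import directory at all
        "overlay_bytes": max(0, len(data) - end_of_sections),         # "Data appended to the last section"
        "high_entropy_sections": [(n, round(entropy(s["data"]), 2))
                                  for n, s in zip(names, secs) if entropy(s["data"]) > 7.0],
        "reserved_dir_populated": directory(RESERVED_DIR) != (0, 0),  # IMAGE_DIRECTORY_ENTRY_RESERVED in use
        "stored_checksum": pe["stored_checksum"],
        "computed_checksum": computed,
        # 0 means "not set"; user-mode images load that way, so only a non-zero mismatch is suspicious
        "checksum_valid": pe["stored_checksum"] in (0, computed),
    }

def build_pe(section_specs, overlay=b"", checksum=0, reserved_dir=(0, 0)):
    """Assemble a minimal PE32 file for testing (constructed, not the sample); section_specs is [(name, raw_bytes)], no imports."""
    nsec, e_lfanew, opt_size = len(section_specs), 0x40, 224         # 224 = PE32 optional header with 16 dirs
    size_of_headers = -(-(e_lfanew + 24 + opt_size + 40 * nsec) // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(opt_size)
    struct.pack_into("<H14xI", opt, 0, 0x10B, 0x1000)                       # Magic (PE32), AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)         # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<III", opt, 56, 0x1000 * (nsec + 1), size_of_headers, checksum)  # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * RESERVED_DIR, *reserved_dir)
    table, body, raw_ptr = b"", b"", size_of_headers
    for i, (name, blob) in enumerate(section_specs):
        padded = blob.ljust(-(-len(blob) // FILE_ALIGN) * FILE_ALIGN, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(blob), 0x1000 * (i + 1),
                             len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
        body, raw_ptr = body + padded, raw_ptr + len(padded)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(size_of_headers, b"\0")
    return headers + body + overlay

def constructed_sample(checksum=0x14EFE5):
    """Test PE shaped like the report's findings: 11 nameless sections (three incompressible), .ShqA6WN and .adata,
    no imports, RESERVED directory of size 0x100000 at RVA 0, an overlay, and a checksum that does not match."""
    packed = bytes(range(256)) * 16                                         # flat histogram: entropy exactly 8.0
    specs = ([("", packed)] * 3 + [("", b"\x90" * 0x400)] * 8
             + [(".ShqA6WN", b"\xC3" * 0x400), (".adata", b"\0" * 0x200)])
    return build_pe(specs, OVERLAY, checksum, reserved_dir=(0, 0x100000))

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Running the module prints the findings for the constructed file; `triage(open(path, "rb").read())` applies the same checks to a real sample. Two caveats worth keeping in mind when reading the report's own list: a CheckSum of 0 is merely unset and is accepted by the loader for user-mode images, so only a non-zero mismatch such as 0x14efe5 against 0x1c55f is informative; and high entropy or a ZLIB complexity above 1.0 says only that a section is incompressible, which is consistent with packing but equally with embedded encrypted or compressed resources.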

Mitre Att&ck Matrix

Techniques the report marked, grouped by tactic (the trailing digits are the superscript markers the report attaches to each matched technique, kept here as plain digits). The original matrix pads every column with the ATT&CK template's placeholder techniques; those unmatched cells are omitted.

Privilege Escalation: Process Injection 1
Defense Evasion: Virtualization/Sandbox Evasion 1; Software Packing 2; Process Injection 1; Obfuscated Files or Information 2
Discovery: Query Registry 1; Security Software Discovery 21; Virtualization/Sandbox Evasion 1; System Information Discovery 1; Remote System Discovery 1
Initial Access, Execution, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact: no technique marked

Behavior Graph


Screenshots
