Loading ...

Play interactive tourEdit tour

Windows Analysis Report Image001.exe

Overview

General Information

Sample Name:Image001.exe
Analysis ID:532886
MD5:ff1b46d412d2890828fdeee1d983dea1
SHA1:2c2c60bc32b11f866aed66f29ce30c362b352567
SHA256:3f9f72ec6bd759569e783528a4a2e0426472dfae328af93afbf9da273e92adf5
Tags:agentteslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Detected unpacking (creates a PE file in dynamic memory)
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • Image001.exe (PID: 3524 cmdline: "C:\Users\user\Desktop\Image001.exe" MD5: FF1B46D412D2890828FDEEE1D983DEA1)
    • Image001.exe (PID: 6004 cmdline: "C:\Users\user\Desktop\Image001.exe" MD5: FF1B46D412D2890828FDEEE1D983DEA1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "castilloo@cgyasc.com", "Password": "Castle1", "Host": "mail.cgyasc.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.929244292.0000000000400000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000002.929244292.0000000000400000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000002.00000002.931306389.00000000047B0000.00000004.00020000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000002.931306389.00000000047B0000.00000004.00020000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000002.00000002.929487870.000000000062E000.00000004.00000020.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 19 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.Image001.exe.647018.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              2.2.Image001.exe.647018.2.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                2.2.Image001.exe.47b0000.4.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  2.2.Image001.exe.47b0000.4.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    2.2.Image001.exe.47b0000.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 55 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 2.0.Image001.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "castilloo@cgyasc.com", "Password": "Castle1", "Host": "mail.cgyasc.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Image001.exeVirustotal: Detection: 32%Perma Link
                      Source: 2.1.Image001.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.Image001.exe.400000.5.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.2.Image001.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.Image001.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.Image001.exe.400000.3.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.Image001.exe.400000.2.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.Image001.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.2.Image001.exe.4810000.5.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.Image001.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.Image001.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Detected unpacking (creates a PE file in dynamic memory)Show sources
                      Source: C:\Users\user\Desktop\Image001.exeUnpacked PE file: 2.2.Image001.exe.4810000.5.unpack
                      Source: Image001.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: Binary string: wntdll.pdbUGP source: Image001.exe, 00000001.00000003.663752683.0000000002B40000.00000004.00000001.sdmp, Image001.exe, 00000001.00000003.668797922.00000000029B0000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: Image001.exe, 00000001.00000003.663752683.0000000002B40000.00000004.00000001.sdmp, Image001.exe, 00000001.00000003.668797922.00000000029B0000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_00405250
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_00405C22 FindFirstFileA,FindClose,1_2_00405C22
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_00402630 FindFirstFileA,1_2_00402630
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_00404A29 FindFirstFileExW,2_2_00404A29

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49819 -> 192.185.25.212:587
                      Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                      Source: Image001.exe, 00000002.00000002.930135500.00000000022D1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: Image001.exe, 00000002.00000002.930497468.000000000260A000.00000004.00000001.sdmpString found in binary or memory: http://9zUeuRC8ZtAGmU0.com
                      Source: Image001.exe, 00000002.00000002.930135500.00000000022D1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: Image001.exe, 00000002.00000002.930135500.00000000022D1000.00000004.00000001.sdmpString found in binary or memory: http://YcxkAh.com
                      Source: Image001.exe, 00000002.00000002.930534134.000000000262C000.00000004.00000001.sdmpString found in binary or memory: http://cgyasc.com
                      Source: Image001.exe, 00000002.00000002.930534134.000000000262C000.00000004.00000001.sdmpString found in binary or memory: http://mail.cgyasc.com
                      Source: Image001.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
                      Source: Image001.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                      Source: Image001.exe, Image001.exe, 00000002.00000002.929244292.0000000000400000.00000040.00000001.sdmp, Image001.exe, 00000002.00000002.931306389.00000000047B0000.00000004.00020000.sdmp, Image001.exe, 00000002.00000000.671627196.0000000000414000.00000040.00000001.sdmp, Image001.exe, 00000002.00000002.931937369.0000000004812000.00000040.00000001.sdmp, Image001.exe, 00000002.00000002.930749556.00000000032D1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: Image001.exe, 00000002.00000002.930135500.00000000022D1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: mail.cgyasc.com
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_00404E07

                      Spam, unwanted Advertisements and Ransom Demands:

                      barindex
                      Modifies the hosts fileShow sources
                      Source: C:\Users\user\Desktop\Image001.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: Image001.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 2.2.Image001.exe.4810000.5.unpack, u003cPrivateImplementationDetailsu003eu007b2E0BCB56u002d1BBBu002d423Cu002d8F51u002d94A15D000FB6u007d/C7FAB55Bu002d2018u002d4C8Au002dB9C4u002dBB5765976361.csLarge array initialization: .cctor: array initializer size 11982
                      Source: Image001.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,1_2_004030E3
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_004060431_2_00406043
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_004046181_2_00404618
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_0040681A1_2_0040681A
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001645B1_2_1001645B
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001F0741_2_1001F074
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001694F1_2_1001694F
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_10016D671_2_10016D67
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001719C1_2_1001719C
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_100175D11_2_100175D1
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001F5E61_2_1001F5E6
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_100216A31_2_100216A3
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_100203001_2_10020300
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001C74E1_2_1001C74E
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001FB581_2_1001FB58
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_0040A2A52_2_0040A2A5
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_008110482_2_00811048
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_0081A3382_2_0081A338
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_008114802_2_00811480
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_00816A782_2_00816A78
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_0081E3682_2_0081E368
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_008134B82_2_008134B8
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_0081A5A02_2_0081A5A0
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_0088E0122_2_0088E012
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_008800682_2_00880068
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_0088AD982_2_0088AD98
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_00885D402_2_00885D40
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_0088C6502_2_0088C650
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_00886E382_2_00886E38
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_048047A02_2_048047A0
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_048047332_2_04804733
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_0480D6612_2_0480D661
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_0480F8F12_2_0480F8F1
                      Source: Image001.exe, 00000001.00000003.670760115.0000000002C5F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Image001.exe
                      Source: Image001.exe, 00000001.00000003.667724154.0000000002AC6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Image001.exe
                      Source: Image001.exe, 00000001.00000002.674414732.0000000002960000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe
                      Source: Image001.exeBinary or memory string: OriginalFilename vs Image001.exe
                      Source: Image001.exe, 00000002.00000002.929244292.0000000000400000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe
                      Source: Image001.exe, 00000002.00000002.931306389.00000000047B0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe
                      Source: Image001.exe, 00000002.00000000.671627196.0000000000414000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe
                      Source: Image001.exe, 00000002.00000002.931937369.0000000004812000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe
                      Source: Image001.exe, 00000002.00000002.929187642.0000000000199000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Image001.exe
                      Source: Image001.exe, 00000002.00000002.930749556.00000000032D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKPtHjBhBpIsMIgDrnnRFYHUEZfvUGBdFnZMeBP.exe4 vs Image001.exe
                      Source: Image001.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Image001.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Image001.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Image001.exeVirustotal: Detection: 32%
                      Source: C:\Users\user\Desktop\Image001.exeFile read: C:\Users\user\Desktop\Image001.exeJump to behavior
                      Source: Image001.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Image001.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Image001.exe "C:\Users\user\Desktop\Image001.exe"
                      Source: C:\Users\user\Desktop\Image001.exeProcess created: C:\Users\user\Desktop\Image001.exe "C:\Users\user\Desktop\Image001.exe"
                      Source: C:\Users\user\Desktop\Image001.exeProcess created: C:\Users\user\Desktop\Image001.exe "C:\Users\user\Desktop\Image001.exe" Jump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Image001.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Image001.exeFile created: C:\Users\user\AppData\Local\Temp\nsdD9AD.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@3/3@2/1
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,1_2_00402012
                      Source: C:\Users\user\Desktop\Image001.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,1_2_0040411B
                      Source: C:\Users\user\Desktop\Image001.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,2_2_00401489
                      Source: 2.2.Image001.exe.4810000.5.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.2.Image001.exe.4810000.5.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\Image001.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Binary string: wntdll.pdbUGP source: Image001.exe, 00000001.00000003.663752683.0000000002B40000.00000004.00000001.sdmp, Image001.exe, 00000001.00000003.668797922.00000000029B0000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: Image001.exe, 00000001.00000003.663752683.0000000002B40000.00000004.00000001.sdmp, Image001.exe, 00000001.00000003.668797922.00000000029B0000.00000004.00000001.sdmp

                      Data Obfuscation:

                      barindex
                      Detected unpacking (creates a PE file in dynamic memory)Show sources
                      Source: C:\Users\user\Desktop\Image001.exeUnpacked PE file: 2.2.Image001.exe.4810000.5.unpack
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001B745 push ecx; ret 1_2_1001B758
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_00401F16 push ecx; ret 2_2_00401F29
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,1_2_00405C49
                      Source: C:\Users\user\Desktop\Image001.exeFile created: C:\Users\user\AppData\Local\Temp\nsnD9EC.tmp\aryw.dllJump to dropped file
                      Source: C:\Users\user\Desktop\Image001.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Image001.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Image001.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Image001.exe TID: 5192Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exe TID: 5160Thread sleep count: 1698 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Image001.exe TID: 5160Thread sleep count: 8149 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeWindow / User API: threadDelayed 1698Jump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeWindow / User API: threadDelayed 8149Jump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Image001.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Image001.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_00405250
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_00405C22 FindFirstFileA,FindClose,1_2_00405C22
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_00402630 FindFirstFileA,1_2_00402630
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_00404A29 FindFirstFileExW,2_2_00404A29
                      Source: C:\Users\user\Desktop\Image001.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: Image001.exe, 00000002.00000002.934274214.0000000005950000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001A14A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_1001A14A
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001A14A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_1001A14A
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,1_2_00405C49
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_10007CE0 SetEnhMetaFileBits,SetWinMetaFileBits,GetDC,CreateDIBitmap,ReleaseDC,GetProcessHeap,HeapFree,1_2_10007CE0
                      Source: C:\Users\user\Desktop\Image001.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_0019EA16 mov eax, dword ptr fs:[00000030h]1_2_0019EA16
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_0019E802 mov eax, dword ptr fs:[00000030h]1_2_0019E802
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_0019EAC7 mov eax, dword ptr fs:[00000030h]1_2_0019EAC7
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_0019EB06 mov eax, dword ptr fs:[00000030h]1_2_0019EB06
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_0019EB44 mov eax, dword ptr fs:[00000030h]1_2_0019EB44
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]2_2_004035F1
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_008191C0 LdrInitializeThunk,2_2_008191C0
                      Source: C:\Users\user\Desktop\Image001.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 1_2_1001BF46 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_1001BF46
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_00401E1D SetUnhandledExceptionFilter,2_2_00401E1D
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0040446F
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00401C88
                      Source: C:\Users\user\Desktop\Image001.exeCode function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00401F30

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Modifies the hosts fileShow sources
                      Source: C:\Users\user\Desktop\Image001.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\Image001.exeMemory written: C:\Users\user\Desktop\Image001.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\Image001.exeProcess created: C:\Users\user\Desktop\Image001.exe "C:\Users\user\Desktop\Image001.exe" Jump to behavior
                      Source: Image001.exe, 00000002.00000002.929854962.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: Image001.exe, 00000002.00000002.929854962.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: Image001.exe, 00000002.00000002.929854962.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: Image001.exe, 00000002.00000002.929854962.0000000000CB0000.00000002.00020000.sdmpBinary or memory string: Progmanlock