Windows Analysis Report: update.exe

Overview

General Information

Sample Name: update.exe
Analysis ID: 548777
MD5: 9608c8b6c8d80fdc67b99edd3c53d3d2
SHA1: 37b11d3d7b7a1d18daafd6c63b33526860aaefe6
SHA256: 8c1a72991fb04dc3a8cf89605fb85150ef0e742472a0c58b8fa942a1f04877b0
Tags: exe, NightSky, Ransomware
Detection

NightSky
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected NightSky Ransomware
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Writes many files with high entropy
Tries to detect virtualization through RDTSC time measurements
Creates HTA files
Machine Learning detection for sample
Potential thread-based time evasion detected
Modifies existing user documents (likely ransomware behavior)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Entry point lies outside standard sections
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • update.exe (PID: 6816 cmdline: "C:\Users\user\Desktop\update.exe" MD5: 9608C8B6C8D80FDC67B99EDD3C53D3D2)
    • conhost.exe (PID: 6892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: update.exe PID: 6816 | JoeSecurity_NightSky | Yara detected NightSky Ransomware | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: update.exe | Virustotal: Detection: 16%
    Source: update.exe | ReversingLabs: Detection: 25%
    Machine Learning detection for sample
    Source: update.exe | Joe Sandbox ML: detected
    Source: update.exe, 00000001.00000002.590891257.00007FF6F5F01000.00000004.00020000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
    Source: update.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Application Data\
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\Application Data\
    Source: NightSkyReadMe.hta130.1.dr | String found in binary or memory: <li>How to access dark web sites:<a href="https://www.youtube.com/watch?v=NpXEQHDOA5o">https://www.youtube.com/watch?v=NpXEQHDOA5o</a> equals www.youtube.com (Youtube)
    Source: update.exe, 00000001.00000002.590857006.00007FF6F5EE9000.00000002.00020000.sdmp, NightSkyReadMe.hta79.1.dr, NightSkyReadMe.hta179.1.dr, NightSkyReadMe.hta162.1.dr, NightSkyReadMe.hta37.1.dr, NightSkyReadMe.hta113.1.dr, NightSkyReadMe.hta111.1.dr, NightSkyReadMe.hta221.1.dr, NightSkyReadMe.hta202.1.dr, NightSkyReadMe.hta59.1.dr, NightSkyReadMe.hta126.1.dr, NightSkyReadMe.hta173.1.dr, NightSkyReadMe.hta71.1.dr, NightSkyReadMe.hta69.1.dr, NightSkyReadMe.hta124.1.dr, NightSkyReadMe.hta19.1.dr, NightSkyReadMe.hta39.1.dr, NightSkyReadMe.hta56.1.dr, NightSkyReadMe.hta149.1.dr, NightSkyReadMe.hta121.1.dr, NightSkyReadMe.hta55.1.dr, NightSkyReadMe.hta97.1.dr, NightSkyReadMe.hta77.1.dr, NightSkyReadMe.hta211.1.dr, NightSkyReadMe.hta134.1.dr, NightSkyReadMe.hta87.1.dr, NightSkyReadMe.hta3.1.dr, NightSkyReadMe.hta68.1.dr, NightSkyReadMe.hta115.1.dr, NightSkyReadMe.hta222.1.dr, NightSkyReadMe.hta133.1.dr, NightSkyReadMe.hta218.1.dr, NightSkyReadMe.hta34.1.dr, NightSkyReadMe.hta8.1.dr, NightSkyReadMe.hta10.1.dr, NightSkyReadMe.hta159.1.dr, NightSkyReadMe.hta102.1.dr, NightSkyReadMe.hta20.1.dr, NightSkyReadMe.hta125.1.dr, NightSkyReadMe.hta46.1.dr, NightSkyReadMe.hta176.1.dr, NightSkyReadMe.hta198.1.dr, NightSkyReadMe.hta38.1.dr, NightSkyReadMe.hta147.1.dr, NightSkyReadMe.hta177.1.dr, NightSkyReadMe.hta89.1.dr, NightSkyReadMe.hta144.1.dr, NightSkyReadMe.hta219.1.dr, NightSkyReadMe.hta67.1.dr, NightSkyReadMe.hta40.1.dr, NightSkyReadMe.hta214.1.dr, NightSkyReadMe.hta43.1.dr, NightSkyReadMe.hta136.1.dr, NightSkyReadMe.hta150.1.dr, NightSkyReadMe.hta109.1.dr, NightSkyReadMe.hta21.1.dr, NightSkyReadMe.hta174.1.dr, NightSkyReadMe.hta205.1.dr, NightSkyReadMe.hta15.1.dr, NightSkyReadMe.hta47.1.dr, NightSkyReadMe.hta45.1.dr, NightSkyReadMe.hta101.1.dr, NightSkyReadMe.hta210.1.dr, NightSkyReadMe.hta74.1.dr, NightSkyReadMe.hta204.1.dr, NightSkyReadMe.hta99.1.dr, NightSkyReadMe.hta61.1.dr, NightSkyReadMe.hta26.1.dr, NightSkyReadMe.hta22.1.dr, NightSkyReadMe.hta224.1.dr, 
NightSkyReadMe.hta80.1.dr, NightSkyReadMe.hta41.1.dr, NightSkyReadMe.hta141.1.dr, NightSkyReadMe.hta86.1.dr, NightSkyReadMe.hta70.1.dr, NightSkyReadMe.hta53.1.dr, NightSkyReadMe.hta82.1.dr, NightSkyReadMe.hta172.1.dr, NightSkyReadMe.hta225.1.dr, NightSkyReadMe.hta171.1.dr, NightSkyReadMe.hta220.1.dr, NightSkyReadMe.hta209.1.dr, NightSkyReadMe.hta66.1.dr, NightSkyReadMe.hta90.1.dr, NightSkyReadMe.hta148.1.dr, NightSkyReadMe.hta83.1.dr, NightSkyReadMe.hta95.1.dr, NightSkyReadMe.hta194.1.dr, NightSkyReadMe.hta217.1.dr, NightSkyReadMe.hta123.1.dr, NightSkyReadMe.hta36.1.dr, NightSkyReadMe.hta106.1.dr, NightSkyReadMe.hta206.1.dr, NightSkyReadMe.hta114.1.dr, NightSkyReadMe.hta51.1.dr, NightSkyReadMe.hta161.1.dr, NightSkyReadMe.hta62.1.dr, NightSkyReadMe.hta18.1.dr, NightSkyReadMe.hta84.1.dr, NightSkyReadMe.hta128.1.dr, NightSkyReadMe.hta188.1.dr, NightSkyReadMe.hta31.1.dr, NightSkyReadMe.hta138.1.dr, NightSkyReadMe.hta91.1.dr, NightSkyReadMe.hta98.1.dr, NightSkyReadMe.hta164.1.dr, NightSkyReadMe.hta13.1.dr, NightSkyReadMe.hta44.1.dr, NightSkyReadMe.hta145.1.dr, NightSkyReadMe.hta1.1.dr, NightSkyReadMe.hta29.1.dr, NightSkyReadMe.hta200.1.dr, NightSkyReadMe.hta48.1.dr, NightSkyReadMe.hta152.1.dr, NightSkyReadMe.hta78.1.dr, NightSkyReadMe.hta7.1.dr, NightSkyReadMe.hta4.1.dr, NightSkyReadMe.hta107.1.dr, NightSkyReadMe.hta157.1.dr, NightSkyReadMe.hta191.1.dr, NightSkyReadMe.hta14.1.dr, NightSkyReadMe.hta94.1.dr, NightSkyReadMe.hta146.1.dr, NightSkyReadMe.hta12.1.dr, NightSkyReadMe.hta226.1.dr, NightSkyReadMe.hta187.1.dr, NightSkyReadMe.hta27.1.dr, NightSkyReadMe.hta49.1.dr, NightSkyReadMe.hta54.1.dr, NightSkyReadMe.hta108.1.dr, NightSkyReadMe.hta201.1.dr, NightSkyReadMe.hta35.1.dr, NightSkyReadMe.hta185.1.dr, NightSkyReadMe.hta24.1.dr, NightSkyReadMe.hta132.1.dr, NightSkyReadMe.hta195.1.dr, NightSkyReadMe.hta73.1.dr, NightSkyReadMe.hta212.1.dr, NightSkyReadMe.hta100.1.dr, NightSkyReadMe.hta60.1.dr, NightSkyReadMe.hta117.1.dr, NightSkyReadMe.hta118.1.dr, 
NightSkyReadMe.hta180.1.dr, NightSkyReadMe.hta129.1.dr, NightSkyReadMe.hta151.1.dr, NightSkyReadMe.hta105.1.dr, NightSkyReadMe.hta166.1.dr, NightSkyReadMe.hta76.1.dr, NightSkyReadMe.hta168.1.dr, NightSkyReadMe.hta2.1.dr, NightSkyReadMe.hta30.1.dr, NightSkyReadMe.hta170.1.dr, NightSkyReadMe.hta186.1.dr, NightSkyReadMe.hta28.1.dr, NightSkyReadMe.hta169.1.dr, NightSkyReadMe.hta120.1.dr, NightSkyReadMe.hta0.1.dr, NightSkyReadMe.hta190.1.dr, NightSkyReadMe.hta6.1.dr, NightSkyReadMe.hta181.1.dr, NightSkyReadMe.hta183.1.dr, NightSkyReadMe.hta116.1.dr, NightSkyReadMe.hta92.1.dr, NightSkyReadMe.hta182.1.dr, NightSkyReadMe.hta64.1.dr, NightSkyReadMe.hta131.1.dr, NightSkyReadMe.hta88.1.dr, NightSkyReadMe.hta23.1.dr, NightSkyReadMe.hta119.1.dr, NightSkyReadMe.hta165.1.dr, NightSkyReadMe.hta156.1.dr, NightSkyReadMe.hta143.1.dr, NightSkyReadMe.hta16.1.dr, NightSkyReadMe.hta193.1.dr, NightSkyReadMe.hta167.1.dr, NightSkyReadMe.hta122.1.dr, NightSkyReadMe.hta32.1.dr, NightSkyReadMe.hta42.1.dr, NightSkyReadMe.hta25.1.dr, NightSkyReadMe.hta63.1.dr, NightSkyReadMe.hta57.1.dr, NightSkyReadMe.hta153.1.dr, NightSkyReadMe.hta127.1.dr, NightSkyReadMe.hta81.1.dr, NightSkyReadMe.hta192.1.dr, NightSkyReadMe.hta96.1.dr, NightSkyReadMe.hta112.1.dr, NightSkyReadMe.hta104.1.dr, NightSkyReadMe.hta203.1.dr, NightSkyReadMe.hta137.1.dr, NightSkyReadMe.hta9.1.dr, NightSkyReadMe.hta197.1.dr, NightSkyReadMe.hta.1.dr, NightSkyReadMe.hta199.1.dr, NightSkyReadMe.hta178.1.dr, NightSkyReadMe.hta72.1.dr, NightSkyReadMe.hta215.1.dr, NightSkyReadMe.hta142.1.dr, NightSkyReadMe.hta223.1.dr, NightSkyReadMe.hta184.1.dr, NightSkyReadMe.hta213.1.dr, NightSkyReadMe.hta5.1.dr, NightSkyReadMe.hta158.1.dr, NightSkyReadMe.hta208.1.dr, NightSkyReadMe.hta11.1.dr, NightSkyReadMe.hta103.1.dr, NightSkyReadMe.hta216.1.dr, NightSkyReadMe.hta75.1.dr, NightSkyReadMe.hta189.1.dr, NightSkyReadMe.hta130.1.drString found in binary or memory: https://contact.nightsky.cyou
    Source: NightSkyReadMe.hta130.1.dr | String found in binary or memory: https://www.youtube.com/watch?v=NpXEQHDOA5o
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\NightSkyReadMe.hta

    Spam, unwanted Advertisements and Ransom Demands:

    Yara detected NightSky Ransomware
    Source: Yara match | File source: Process Memory Space: update.exe PID: 6816, type: MEMORYSTR
    Writes many files with high entropy
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx.nightsky entropy: 7.99758303984
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostTitle.XSL.nightsky entropy: 7.99924573464
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL.nightsky entropy: 7.99944873768
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.nightsky entropy: 7.99942317854
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl.nightsky entropy: 7.99939603869
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL.nightsky entropy: 7.99930025017
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.nightsky entropy: 7.99923722209
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL.nightsky entropy: 7.99932600821
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.nightsky entropy: 7.9995534913
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL.nightsky entropy: 7.99922672816
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL.nightsky entropy: 7.99923838276
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL.nightsky entropy: 7.99925007407
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL.nightsky entropy: 7.99943550396
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\Default\NTUSER.DAT.LOG1.nightsky entropy: 7.99706806402
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000002.regtrans-ms.nightsky entropy: 7.99966605746
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TM.blf.nightsky entropy: 7.99738566194
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\Default\NTUSER.DAT{8ebe95f7-3dcb-11e8-a9d9-7cfe90913f50}.TMContainer00000000000000000001.regtrans-ms.nightsky entropy: 7.99962398407
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\MMC\services.nightsky entropy: 7.99825527986
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl.nightsky entropy: 7.99449191571
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm.nightsky entropy: 7.99142066749
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.nightsky entropy: 7.99915794549
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.nightsky entropy: 7.99889689068
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.nightsky entropy: 7.99732764455
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei.nightsky entropy: 7.99373363134
    Modifies existing user documents (likely ransomware behavior)
    Source: C:\Users\user\Desktop\update.exe | File moved: C:\Users\user\Desktop\PWCCAWLGRE\PIVFAGEAAV.xlsx
    Source: C:\Users\user\Desktop\update.exe | File moved: C:\Users\user\Desktop\PWCCAWLGRE\NVWZAPQSQL.jpg
    Source: C:\Users\user\Desktop\update.exe | File moved: C:\Users\user\Desktop\QCFWYSKMHA\PWCCAWLGRE.xlsx
    Source: C:\Users\user\Desktop\update.exe | File moved: C:\Users\user\Desktop\PWCCAWLGRE\PALRGUCVEH.mp3
    Source: C:\Users\user\Desktop\update.exe | File moved: C:\Users\user\Desktop\BNAGMGSPLO.png

    System Summary:

    Creates HTA files
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\NightSkyReadMe.hta
    Source: C:\Users\user\Desktop\update.exe | Process Stats: CPU usage > 98%
    Source: update.exe | Virustotal: Detection: 16%
    Source: update.exe | ReversingLabs: Detection: 25%
    Source: C:\Users\user\Desktop\update.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\update.exe "C:\Users\user\Desktop\update.exe"
    Source: C:\Users\user\Desktop\update.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\update.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_01
    Source: C:\Users\user\Desktop\update.exe | Mutant created: \Sessions\1\BaseNamedObjects\tset123155465463213
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\NightSkyReadMe.hta
    Source: classification engine | Classification label: mal84.rans.evad.winEXE@2/395@0/0
    Source: C:\Users\user\Desktop\update.exe | File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
    Source: update.exe | Static file information: File size 5945856 > 1048576
    Source: update.exe | Static PE information: Image base 0x140000000 > 0x60000000
    Source: update.exe | Static PE information: Raw size of .2fU2 is bigger than: 0x100000 < 0x5aa600
    Source: update.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: update.exe | Static PE information: section name: .2fU0
    Source: update.exe | Static PE information: section name: .2fU1
    Source: update.exe | Static PE information: section name: .2fU2
    Source: initial sample | Static PE information: section where entry point is pointing to: .2fU2
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\NightSkyReadMe.hta
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Documents and Settings\Default\Start Menu\NightSkyReadMe.hta
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\NightSkyReadMe.hta
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessories\NightSkyReadMe.hta
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Maintenance\NightSkyReadMe.hta
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\System Tools\NightSkyReadMe.hta
    Source: C:\Users\user\Desktop\update.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Windows PowerShell\NightSkyReadMe.hta

    Hooking and other Techniques for Hiding and Protection:

    Overwrites code with unconditional jumps - possibly settings hooks in foreign process
    Source: C:\Users\user\Desktop\update.exe | Memory written: PID: 6816 base: 7FFC8DE30008 value: E9 7B A9 EA FF
    Source: C:\Users\user\Desktop\update.exe | Memory written: PID: 6816 base: 7FFC8DCDA980 value: E9 90 56 15 00

    Malware Analysis System Evasion:

    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\update.exe | RDTSC instruction interceptor: First address: 00007FF6F613C74C second address: 00007FF6F613C760 instructions:
        0x00000000 rdtsc
        0x00000002 inc ecx
        0x00000003 movsx ebp, dx
        0x00000006 inc ecx
        0x00000007 pop ecx
        0x00000008 dec ecx
        0x00000009 movzx ebx, sp
        0x0000000c inc ecx
        0x0000000d setnbe bh
        0x00000010 inc ecx
        0x00000011 pop eax
        0x00000012 dec eax
        0x00000013 cdq
        0x00000014 rdtsc
    Source: C:\Users\user\Desktop\update.exe | RDTSC instruction interceptor: First address: 00007FF6F613D987 second address: 00007FF6F613D98B instructions:
        0x00000000 rdtsc
        0x00000002 inc ecx
        0x00000003 pop edx
        0x00000004 rdtsc
    Potential thread-based time evasion detected
    Source: Initial file | Signature Results: Thread-based counter
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\update.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\Application Data\Application Data\Application Data\Application Data\
    Source: C:\Users\user\Desktop\update.exe | File opened: C:\Documents and Settings\Default\Local Settings\Application Data\
    Source: update.exe, 00000001.00000002.589169775.0000020197490000.00000002.00020000.sdmp | Binary or memory string: Program Manager
    Source: update.exe, 00000001.00000002.589169775.0000020197490000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: update.exe, 00000001.00000002.589169775.0000020197490000.00000002.00020000.sdmp | Binary or memory string: Progman
    Source: update.exe, 00000001.00000002.589169775.0000020197490000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\update.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder (1) | Process Injection (2) | Process Injection (2) | Credential API Hooking (1) | Security Software Discovery (2) | Remote Services | Credential API Hooking (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1)
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder (1) | Mshta (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery (22) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |

    Behavior Graph
