Loading ...

Play interactive tourEdit tour

Windows Analysis Report 3NeufRwoxF

Overview

General Information

Sample Name:3NeufRwoxF (renamed file extension from none to exe)
Analysis ID:553010
MD5:891fafcb65f039cefac6701bfb8a9253
SHA1:e9ca83ec5e9a9264d251a3379d65dd9dfe92a16a
SHA256:3c6d3aa382ddba97862136aa06c449150810696ef7cb05e7ec0f4ed6895683c4
Tags:32exetrojan
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • 3NeufRwoxF.exe (PID: 4484 cmdline: "C:\Users\user\Desktop\3NeufRwoxF.exe" MD5: 891FAFCB65F039CEFAC6701BFB8A9253)
    • 3NeufRwoxF.exe (PID: 4828 cmdline: "C:\Users\user\Desktop\3NeufRwoxF.exe" MD5: 891FAFCB65F039CEFAC6701BFB8A9253)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info.superseal@yandex.com", "Password": "Golddigger", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 18 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.0.3NeufRwoxF.exe.415058.7.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              2.0.3NeufRwoxF.exe.415058.7.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                2.2.3NeufRwoxF.exe.23c0000.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  2.2.3NeufRwoxF.exe.23c0000.2.raw.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    2.2.3NeufRwoxF.exe.23c0000.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 51 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 2.0.3NeufRwoxF.exe.400000.4.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info.superseal@yandex.com", "Password": "Golddigger", "Host": "smtp.yandex.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: 3NeufRwoxF.exeVirustotal: Detection: 44%Perma Link
                      Source: 3NeufRwoxF.exeReversingLabs: Detection: 51%
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dllReversingLabs: Detection: 42%
                      Machine Learning detection for sampleShow sources
                      Source: 3NeufRwoxF.exeJoe Sandbox ML: detected
                      Source: 2.0.3NeufRwoxF.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.3NeufRwoxF.exe.400000.3.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.2.3NeufRwoxF.exe.49d0000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.3NeufRwoxF.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.2.3NeufRwoxF.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.1.3NeufRwoxF.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.3NeufRwoxF.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.3NeufRwoxF.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.3NeufRwoxF.exe.400000.2.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.3NeufRwoxF.exe.400000.5.unpackAvira: Label: TR/Spy.Gen8
                      Source: 3NeufRwoxF.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                      Source: Binary string: wntdll.pdbUGP source: 3NeufRwoxF.exe, 00000000.00000003.649117191.0000000003200000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000000.00000003.649806691.0000000003070000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: 3NeufRwoxF.exe, 00000000.00000003.649117191.0000000003200000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000000.00000003.649806691.0000000003070000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_00405D7C FindFirstFileA,FindClose,0_2_00405D7C
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004053AA
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_00402630 FindFirstFileA,0_2_00402630
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_00404A29 FindFirstFileExW,2_2_00404A29
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_1_00404A29 FindFirstFileExW,2_1_00404A29
                      Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
                      Source: global trafficTCP traffic: 192.168.2.4:49760 -> 77.88.21.158:587
                      Source: global trafficTCP traffic: 192.168.2.4:49760 -> 77.88.21.158:587
                      Source: 3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: 3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: 3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: http://MXCHOJ.com
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmpString found in binary or memory: http://crls.ya
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
                      Source: 3NeufRwoxF.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
                      Source: 3NeufRwoxF.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmpString found in binary or memory: http://yandex.oc
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
                      Source: 3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0
                      Source: 3NeufRwoxF.exe, 3NeufRwoxF.exe, 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734128431.0000000000859000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: 3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: smtp.yandex.com
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404F61

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 2.2.3NeufRwoxF.exe.49d0000.4.unpack, u003cPrivateImplementationDetailsu003eu007b5B80CC66u002dD458u002d4855u002d8E40u002dDE61FFEE2428u007d/u003064B2095u002d1A80u002d43DBu002dB33Eu002dDC28338E94F6.csLarge array initialization: .cctor: array initializer size 12036
                      Source: 3NeufRwoxF.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_00403225
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_0040604C0_2_0040604C
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_004047720_2_00404772
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_0040A2A52_2_0040A2A5
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_1_0040A2A52_1_0040A2A5
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: String function: 00401ED0 appears 46 times
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: String function: 0040569E appears 36 times
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_0078B136 NtQuerySystemInformation,2_2_0078B136
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_0078B105 NtQuerySystemInformation,2_2_0078B105
                      Source: 3NeufRwoxF.exe, 00000000.00000003.651181443.000000000331F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exe, 00000000.00000003.649069074.0000000003186000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exe, 00000000.00000002.656663064.0000000003020000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exeBinary or memory string: OriginalFilename vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exe, 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exe, 00000002.00000002.734128431.0000000000859000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exe, 00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exe, 00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exe, 00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exe, 00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exe, 00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exe, 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
                      Source: 3NeufRwoxF.exeVirustotal: Detection: 44%
                      Source: 3NeufRwoxF.exeReversingLabs: Detection: 51%
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeFile read: C:\Users\user\Desktop\3NeufRwoxF.exeJump to behavior
                      Source: 3NeufRwoxF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\3NeufRwoxF.exe "C:\Users\user\Desktop\3NeufRwoxF.exe"
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess created: C:\Users\user\Desktop\3NeufRwoxF.exe "C:\Users\user\Desktop\3NeufRwoxF.exe"
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess created: C:\Users\user\Desktop\3NeufRwoxF.exe "C:\Users\user\Desktop\3NeufRwoxF.exe" Jump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_0078AFBA AdjustTokenPrivileges,2_2_0078AFBA
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_0078AF83 AdjustTokenPrivileges,2_2_0078AF83
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeFile created: C:\Users\user\AppData\Roaming\wordJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeFile created: C:\Users\user\AppData\Local\Temp\nsvCA55.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@3/5@1/1
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,0_2_00402012
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404275
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,2_2_00401489
                      Source: 2.2.3NeufRwoxF.exe.49d0000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.2.3NeufRwoxF.exe.49d0000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                      Source: Binary string: wntdll.pdbUGP source: 3NeufRwoxF.exe, 00000000.00000003.649117191.0000000003200000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000000.00000003.649806691.0000000003070000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: 3NeufRwoxF.exe, 00000000.00000003.649117191.0000000003200000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000000.00000003.649806691.0000000003070000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_72B21000 push eax; ret 0_2_72B2102E
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_00401F16 push ecx; ret 2_2_00401F29
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_1_00401F16 push ecx; ret 2_1_00401F29
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405DA3
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeFile created: C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dllJump to dropped file
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wordJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wordJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exe TID: 6800Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exe TID: 6800Thread sleep time: -4080000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exe TID: 6800Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_00405D7C FindFirstFileA,FindClose,0_2_00405D7C
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004053AA
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_00402630 FindFirstFileA,0_2_00402630
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_00404A29 FindFirstFileExW,2_2_00404A29
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_1_00404A29 FindFirstFileExW,2_1_00404A29
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeThread delayed: delay time: 30000Jump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeThread delayed: delay time: 30000Jump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeAPI call chain: ExitProcess graph end nodegraph_0-3649
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeAPI call chain: ExitProcess graph end nodegraph_0-3645
                      Source: 3NeufRwoxF.exe, 00000002.00000002.735683067.0000000005486000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0040446F
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405DA3
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_004067FE GetProcessHeap,2_2_004067FE
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_0019EA84 mov eax, dword ptr fs:[00000030h]0_2_0019EA84
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_0019EA07 mov eax, dword ptr fs:[00000030h]0_2_0019EA07
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_0019E956 mov eax, dword ptr fs:[00000030h]0_2_0019E956
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_0019E742 mov eax, dword ptr fs:[00000030h]0_2_0019E742
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 0_2_0019EA46 mov eax, dword ptr fs:[00000030h]0_2_0019EA46
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]2_2_004035F1
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_1_004035F1 mov eax, dword ptr fs:[00000030h]2_1_004035F1
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_024337AF LdrInitializeThunk,2_2_024337AF
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_00401E1D SetUnhandledExceptionFilter,2_2_00401E1D
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0040446F
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00401C88
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00401F30
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_1_00401E1D SetUnhandledExceptionFilter,2_1_00401E1D
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_1_0040446F
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_1_00401C88
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeCode function: 2_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_1_00401F30

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeMemory written: C:\Users\user\Desktop\3NeufRwoxF.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\3NeufRwoxF.exeProcess created: C:\Users\user\Desktop\3NeufRwoxF.exe "C:\Users\user\Desktop\3NeufRwoxF.exe" Jump to behavior