
Windows Analysis Report IMG-000284794.exe

Overview

General Information

Sample Name: IMG-000284794.exe
Analysis ID: 553254
MD5: abd28466f7cb80d6da36fed9f3e6bef4
SHA1: fb2911028f32b2b3c07004a21e84773e3efd1519
SHA256: 5686f840b9b2834952367cd9c37ec4c8385bcc90348dd3a92e488c0faebed85a
Tags: exe xloader

Detection

FormBook
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • IMG-000284794.exe (PID: 964 cmdline: "C:\Users\user\Desktop\IMG-000284794.exe" MD5: ABD28466F7CB80D6DA36FED9F3E6BEF4)
    • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • aspnet_regbrowsers.exe (PID: 6112 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe MD5: B490A24A9328FD89155F075FA26C0DEC)
      • WerFault.exe (PID: 5516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.129qihu.com/c6si/"], "decoy": ["tristateinc.construction", "americanscaregroundstexas.com", "kanimisoshiru.com", "wihling.com", "fishcheekstosa.com", "parentsfuid.com", "greenstandmarket.com", "fc8fla8kzq.com", "gametwist-83.club", "jobsncvs.com", "directrealtysells.com", "avida2015.com", "conceptasite.net", "arkaneattire.com", "indev-mobility.info", "2160centurypark412.com", "valefloor.com", "septembership.com", "stackflix.com", "jimc0sales.net", "socialviralup.com", "lastra41.com", "juliaepaulovaocasar.com", "jurisagora.com", "drawandgrow.online", "rebekahlouise.com", "herport-fr.com", "iphone13.webcam", "appz-one.net", "inpost-pl.net", "promocion360fitness.com", "global-forbes.biz", "diamondtrade.net", "albertcantos.com", "gtgits.com", "travel-ai.online", "busipe6.com", "mualikesubvn.com", "niftyhandy.com", "docprops.com", "lido88.bet", "baywoodphotography.com", "cargosouq.info", "newsnowlive.online", "floridafishingoverboard.com", "missnikissalsa.net", "walletvalidate.space", "kissimmeeinternationalcup.com", "charterhome.school", "gurujupiter.com", "entertainmentwitchy.com", "jokeaou.com", "sugarmountainfirearms.com", "iss-sa.com", "smittyssierra.com", "freedomoff.com", "giftoin.com", "realitystararmwrestling.com", "salsalunch-equallyage.com", "ladouba.com", "thepropertygoat.com", "bestofmerrick.guide", "4the.top", "regioinversiones.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x136a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x137a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1391f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x83aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1240c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19c3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
16.0.aspnet_regbrowsers.exe.600000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
16.0.aspnet_regbrowsers.exe.600000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
16.0.aspnet_regbrowsers.exe.600000.2.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
  • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
  • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
  • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview



AV Detection:

Found malware configuration
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.129qihu.com/c6si/"], "decoy": ["tristateinc.construction", "americanscaregroundstexas.com", "kanimisoshiru.com", "wihling.com", "fishcheekstosa.com", "parentsfuid.com", "greenstandmarket.com", "fc8fla8kzq.com", "gametwist-83.club", "jobsncvs.com", "directrealtysells.com", "avida2015.com", "conceptasite.net", "arkaneattire.com", "indev-mobility.info", "2160centurypark412.com", "valefloor.com", "septembership.com", "stackflix.com", "jimc0sales.net", "socialviralup.com", "lastra41.com", "juliaepaulovaocasar.com", "jurisagora.com", "drawandgrow.online", "rebekahlouise.com", "herport-fr.com", "iphone13.webcam", "appz-one.net", "inpost-pl.net", "promocion360fitness.com", "global-forbes.biz", "diamondtrade.net", "albertcantos.com", "gtgits.com", "travel-ai.online", "busipe6.com", "mualikesubvn.com", "niftyhandy.com", "docprops.com", "lido88.bet", "baywoodphotography.com", "cargosouq.info", "newsnowlive.online", "floridafishingoverboard.com", "missnikissalsa.net", "walletvalidate.space", "kissimmeeinternationalcup.com", "charterhome.school", "gurujupiter.com", "entertainmentwitchy.com", "jokeaou.com", "sugarmountainfirearms.com", "iss-sa.com", "smittyssierra.com", "freedomoff.com", "giftoin.com", "realitystararmwrestling.com", "salsalunch-equallyage.com", "ladouba.com", "thepropertygoat.com", "bestofmerrick.guide", "4the.top", "regioinversiones.com"]}
Multi AV Scanner detection for submitted file
Source: IMG-000284794.exe | Virustotal: Detection: 34%
Yara detected FormBook
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: IMG-000284794.exe | Joe Sandbox ML: detected
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: IMG-000284794.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1530308638\un_priv\bonkersV2\obj\Release\bonkersV2.pdb source: IMG-000284794.exe
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.129qihu.com/c6si/
Source: Amcache.hve.19.dr | String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: IMG-000284794.exe, bonkers/Program.cs | Large array initialization: .cctor: array initializer size 77824
Source: IMG-000284794.exe, bonkers/Program.cs | Large array initialization: .cctor: array initializer size 223232
Source: 0.0.IMG-000284794.exe.760000.0.unpack, bonkers/Program.cs | Large array initialization: .cctor: array initializer size 77824
Source: 0.0.IMG-000284794.exe.760000.0.unpack, bonkers/Program.cs | Large array initialization: .cctor: array initializer size 223232
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: IMG-000284794.exe, 00000000.00000000.235385293.0000000000762000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamebonkersV2.exe4 vs IMG-000284794.exe
Source: IMG-000284794.exe | Binary or memory string: OriginalFilenamebonkersV2.exe4 vs IMG-000284794.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 176
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process Stats: CPU usage > 98%
Source: IMG-000284794.exe | Virustotal: Detection: 34%
Source: IMG-000284794.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IMG-000284794.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\IMG-000284794.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\IMG-000284794.exe "C:\Users\user\Desktop\IMG-000284794.exe"
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 176
Source: C:\Users\user\Desktop\IMG-000284794.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6112
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
Source: C:\Users\user\Desktop\IMG-000284794.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG-000284794.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER52C0.tmp
Source: classification engine | Classification label: mal96.troj.evad.winEXE@5/7@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: IMG-000284794.exe | Static file information: File size 1211392 > 1048576
Source: IMG-000284794.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: IMG-000284794.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: IMG-000284794.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x127200
Source: IMG-000284794.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: IMG-000284794.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1530308638\un_priv\bonkersV2\obj\Release\bonkersV2.pdb source: IMG-000284794.exe
          Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: IMG-000284794.exe, bonkers/Program.cs; .Net Code: hselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.IMG-000284794.exe.760000.0.unpack, bonkers/Program.cs; .Net Code: hselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: IMG-000284794.exe; Static PE information: 0xE045D3C7 [Sat Mar 26 10:49:43 2089 UTC]
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Process information set: NOOPENFILEERRORBOX (16 occurrences)
          Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX (20 occurrences)
          Source: C:\Users\user\Desktop\IMG-000284794.exe TID: 4344; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Thread delayed: delay time: 922337203685477 (2 occurrences)
          Source: Amcache.hve.19.dr; Binary or memory string: VMware
          Source: Amcache.hve.19.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
          Source: Amcache.hve.19.dr; Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
          Source: Amcache.hve.19.dr; Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.19.dr; Binary or memory string: VMware, Inc.
          Source: Amcache.hve.19.dr; Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
          Source: Amcache.hve.19.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.19.dr; Binary or memory string: VMware7,1
          Source: Amcache.hve.19.dr; Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.19.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.19.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.19.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.19.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.19.dr; Binary or memory string: VMware, Inc.me
          Source: Amcache.hve.19.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
          Source: Amcache.hve.19.dr; Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
          Source: Amcache.hve.19.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 600000
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 601000
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 410008
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 600000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Queries volume information: C:\Users\user\Desktop\IMG-000284794.exe VolumeInformation
          Source: C:\Users\user\Desktop\IMG-000284794.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: Amcache.hve.19.dr; Binary or memory string: msmpeng.exe
          Source: Amcache.hve.19.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 211 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 21 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Application Layer Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Virtualization/Sandbox Evasion 31 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | System Information Discovery 11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 11 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 211 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

          Behavior Graph ID: 553254; Sample: IMG-000284794.exe; Startdate: 14/01/2022; Architecture: WINDOWS; Score: 96
          Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
          IMG-000284794.exe started; dropped C:\Users\user\...\IMG-000284794.exe.log (ASCII); signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
          IMG-000284794.exe started aspnet_regbrowsers.exe and conhost.exe
          aspnet_regbrowsers.exe started WerFault.exe

          Screenshots
