
Windows Analysis Report
build.exe

Overview

General Information

Sample Name: build.exe
Analysis ID: 588110
MD5: 29fa3f046d74ecb98b88f2db96b69856
SHA1: cef05eec8df455e3ab98c81527622cc7426b4973
SHA256: 66f48ee8e668dc77d5a87585f16c870e6232d1340e8cf093f536c5340891936b

Detection

BlackCat
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected BlackCat Ransomware
Malicious sample detected (through community Yara rule)
Found Tor onion address
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Yara signature match
PE file contains an invalid checksum
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Classification

Process tree:

  • System is w10x64
  • build.exe (PID: 6328, cmdline: "C:\Users\user\Desktop\build.exe", MD5: 29FA3F046D74ECB98B88F2DB96B69856)
  • cleanup

Extracted malware configuration (BlackCat):
{"config_id": "", "public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtkOBBovKJud3BzJyaBY2tik4hSIRHS6tHvupmLHLbnNkVD6aIksfd/L+EvWdS8AQyQ/L0/NdyLpubkySYLd6zI0mFNMIvwaBdnePbog2OVIRB/BkMUo0G0xfnjpVj+CPOIm1ougYn/1OJL8xP+ryPptxtAZLBU9aEZMk2IeQNNYsWIz2AfXgmkQ+6l+Zc42aqru3ne9nAX6jR9JvavSYjJ6Srk6EX8tPb1JGu1hjXKDoGC6HpvxNhvUTjIu94y/2A9NU805lrINdmq0YSKEB4M5uEc+lm/Vq+8o+HqambGA3dQkGl7kSzgm8zO0sIegg/rKKxra1UtNdhcrRFNo3TwIDAQAB", "extension": "4v9zkhj", "note_file_name": "RECOVER-${EXTENSION}-FILES.txt", "note_full_text": ">> What happened?\n\nImportant files on your network was ENCRYPTED and now they have \"${EXTENSION}\" extension.\nIn order to recover your files you need to follow instructions below.\n\n>> Sensitive Data\n\nSensitive data on your network was DOWNLOADED.\nIf you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.\n\nData includes:\n- Employees personal data, CVs, DL, SSN.\n- Complete network map including credentials for local and remote services.\n- Private financial information including: clients data, bills, budgets, annual reports, bank statements.\n- Manufacturing documents including: datagrams, schemas, drawings in solidworks format\n- And more...\n\n>> CAUTION\n\nDO NOT MODIFY ENCRYPTED FILES YOURSELF.\nDO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.\nYOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.\n\n>> What should I do next?\n\n1) Download and install Tor Browser from: https://torproject.org/\n2) Navigate to: http://xnffv7gqnvmhbo6abr5ctt6go2zzcbefuhjqbq6ijczpwjn2nmkhzsad.onion/?access-key=${ACCESS_KEY}", "note_short_text": "Important files on your network was DOWNLOADED and ENCRYPTED.\nSee \"${NOTE_FILE_NAME}\" file to get further instructions.", "default_file_mode": "Auto", "default_file_cipher": "Best", "credentials": [], "kill_services": ["mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss", "msexchange", "sql$", "mysql", "mysql$", "sophos", "MSExchange", "MSExchange$", "WSBExchange", 
"PDVFSService", "BackupExecVSSProvider", "BackupExecAgentAccelerator", "BackupExecAgentBrowser", "BackupExecDiveciMediaService", "BackupExecJobuser", "BackupExecManagementService", "BackupExecRPCService", "GxBlr", "GxVss", "GxClMgrS", "GxCVD", "GxCIMgr", "GXMMM", "GxVssHWProv", "GxFWD", "SAPService", "SAP", "SAP$", "SAPD$", "SAPHostControl", "SAPHostExec", "QBCFMonitorService", "QBDBMgrN", "QBIDPService", "AcronisAgent", "VeeamNFSSvc", "VeeamDeploymentService", "VeeamTransportSvc", "MVArmor", "MVarmor64", "VSNAPVSS", "AcrSch2Svc"], "kill_processes": ["agntsvc", "dbeng50", "dbsnmp", "encsvc", "excel", "firefox", "infopath", "isqlplussvc", "msaccess", "mspub", "mydesktopqos", "mydesktopservice", "notepad", "ocautoupds", "ocomm", "ocssd", "onenote", "oracle", "outlook", "powerpnt", "sqbcoreservice", "sql", "steam", "synctime", "tbirdconfig", "thebat", "thunderbird", "visio", "winword", "wordpad", "xfssvccon", "*sql*", "bedbh", "vxmon", "benetns", "bengien", "pvlsvr", "beserver", "raw_agent_svc", "vsnapvss", "CagService", "QBIDPService", "QBDBMgrN", "QBCFMonitorService", "SAP", "TeamViewer_Service", "TeamViewer", "tv_w32", "tv_x64", "CVMountd", "cvd", "cvfwd", "CVODS", "saphostexec", "saposcol", "sapstartsrv", "avagent", "avscc", "DellSystemDetect", "EnterpriseClient", "VeeamNFSSvc", "VeeamTransportSvc", "VeeamDeploymentSvc"], "exclude_directory_names": ["system volume information", "intel", "$windows.~ws", "application data", "$recycle.bin", "mozilla", "$windows.~bt", "public", "msocache", "windows", "default", "all users", "tor browser", "programdata", "boot", "config.msi", "google", "perflogs", "appdata", "windows.old"], "exclude_file_names": ["desktop.ini", "autorun.inf", "ntldr", "bootsect.bak", "thumbs.db", "boot.ini", "ntuser.dat", "iconcache.db", "bootfont.bin", "ntuser.ini", "ntuser.dat.log"], "exclude_file_extensions": ["themepack", "nls", "diagpkg", "msi", "lnk", "exe", "cab", "scr", "bat", "drv", "rtp", "msp", "prf", "msc", "ico", "key", "ocx", "diagcab", 
"diagcfg", "pdb", "wpx", "hlp", "icns", "rom", "dll", "msstyles", "mod", "ps1", "ics", "hta", "bin", "cmd", "ani", "386", "lock", "cur", "idx", "sys", "com", "deskthemepack", "shs", "ldf", "theme", "mpa", "nomedia", "spl", "cpl", "adv", "icl", "msu"], "exclude_file_path_wildcard": [], "enable_network_discovery": true, "enable_self_propagation": true, "enable_set_wallpaper": true, "enable_esxi_vm_kill": true, "enable_esxi_vm_snapshot_kill": true, "strict_include_paths": [], "esxi_vm_kill_exclude": []}

Yara matches: initial sample

Source | Rule | Description | Author
build.exe | JoeSecurity_BlackCat | Yara detected BlackCat Ransomware | Joe Security
build.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  Strings:
  • 0x2c62b4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x2da230:$s1: CoGetObject
  • 0x2c6278:$s2: Elevation:Administrator!new:
build.exe | INDICATOR_SUSPICOUS_EXE_References_VEEAM | Detects executables containing many references to VEEAM. Observed in ransomware | unknown
  Strings:
  • 0x2060f7:$s1: VeeamNFSSvc
  • 0x206410:$s1: VeeamNFSSvc
  • 0x20611e:$s9: VeeamTransportSvc
  • 0x20641e:$s9: VeeamTransportSvc
  • 0x206105:$s10: VeeamDeploymentService

Yara matches: memory dumps

Source | Rule | Description | Author
00000001.00000002.370213883.000000000098A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlackCat | Yara detected BlackCat Ransomware | Joe Security
00000001.00000002.369792764.00000000005F1000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_BlackCat | Yara detected BlackCat Ransomware | Joe Security
00000001.00000000.368462823.00000000005F1000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_BlackCat | Yara detected BlackCat Ransomware | Joe Security
Process Memory Space: build.exe PID: 6328 | JoeSecurity_BlackCat | Yara detected BlackCat Ransomware | Joe Security

Yara matches: unpacked PEs

Source | Rule | Description | Author
1.2.build.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  Strings:
  • 0x2c62b4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x2da230:$s1: CoGetObject
  • 0x2c6278:$s2: Elevation:Administrator!new:
1.2.build.exe.400000.0.unpack | INDICATOR_SUSPICOUS_EXE_References_VEEAM | Detects executables containing many references to VEEAM. Observed in ransomware | unknown
  Strings:
  • 0x2060f7:$s1: VeeamNFSSvc
  • 0x206410:$s1: VeeamNFSSvc
  • 0x20611e:$s9: VeeamTransportSvc
  • 0x20641e:$s9: VeeamTransportSvc
  • 0x206105:$s10: VeeamDeploymentService
1.0.build.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  Strings:
  • 0x2c62b4:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x2da230:$s1: CoGetObject
  • 0x2c6278:$s2: Elevation:Administrator!new:
1.0.build.exe.400000.0.unpack | INDICATOR_SUSPICOUS_EXE_References_VEEAM | Detects executables containing many references to VEEAM. Observed in ransomware | unknown
  Strings:
  • 0x2060f7:$s1: VeeamNFSSvc
  • 0x206410:$s1: VeeamNFSSvc
  • 0x20611e:$s9: VeeamTransportSvc
  • 0x20641e:$s9: VeeamTransportSvc
  • 0x206105:$s10: VeeamDeploymentService

No Sigma rule has matched


            AV Detection

Source: build.exe | Avira: detected
Source: build.exe | Malware Configuration Extractor: BlackCat (the extracted configuration is reproduced in full in the Classification section above)
Source: C:\Users\user\Desktop\build.exe | Code function 1_2_005DA7E0: TlsGetValue,TlsGetValue,TlsGetValue,GetProcessHeap,HeapAlloc,TlsSetValue,BCryptGenRandom,TlsGetValue,GetLastError,TlsSetValue,HeapFree,TlsSetValue
Source: C:\Users\user\Desktop\build.exe | Code function 1_2_00405AD0: BCryptGenRandom,GetProcessHeap,HeapAlloc,HeapFree
Source: build.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: build.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT

            Networking

Source: build.exe | String found in binary or memory: A.\nYOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.\n\n>> What should I do next?\n\n1) Download and install Tor Browser from: https://torproject.org/\n2) Navigate to: http://xnffv7gqnvmhbo6abr5ctt6go2zzcbefuhjqbq6ijczpwjn2nmkhzsad.onion/?acce
Source: build.exe | String found in binary or memory: http://xnffv7gqnvmhbo6abr5ctt6go2zzcbefuhjqbq6ijczpwjn2nmkhzsad.onion/?acce
Source: build.exe | String found in binary or memory: https://github.com/clap-rs/clap/issues
Source: build.exe | String found in binary or memory: https://github.com/rust-lang/rust/issues/39364
Source: build.exe | String found in binary or memory: https://torproject.org/

            Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: build.exe, type: SAMPLE
Source: Yara match | File source: 00000001.00000002.370213883.000000000098A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.369792764.00000000005F1000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.368462823.00000000005F1000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: build.exe PID: 6328, type: MEMORYSTR
Source: build.exe | Binary or memory string: locker::core::os::windows::recycle_binsrc/core/os/windows/recycle_bin.rsvssadmin.exe Delete Shadows /all /quietshadow_copy::remove_all_vss=
Source: build.exe, 00000001.00000000.368462823.00000000005F1000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: locker::core::os::windows::recycle_binsrc/core/os/windows/recycle_bin.rsvssadmin.exe Delete Shadows /all /quietshadow_copy::remove_all_vss=

            System Summary

Source: build.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author: ditekSHen; description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: build.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM (author: unknown; description: Detects executables containing many references to VEEAM. Observed in ransomware)
Source: 1.2.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author: ditekSHen; description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 1.2.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM (author: unknown; description: Detects executables containing many references to VEEAM. Observed in ransomware)
Source: 1.0.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author: ditekSHen; description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 1.0.build.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM (author: unknown; description: Detects executables containing many references to VEEAM. Observed in ransomware)
Source: build.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\build.exe | Code functions (67 listed): 1_2_00424840, 1_2_00456050, 1_2_00593070, 1_2_00460810, 1_2_005E9830, 1_2_0059C0C0, 1_2_004358F0, 1_2_00418880, 1_2_0040A8B0, 1_2_00429940, 1_2_00423960, 1_2_00434160, 1_2_00436120, 1_2_00448120, 1_2_0045B130, 1_2_004609F0, 1_2_005ED198, 1_2_00416190, 1_2_0042D1B4, 1_2_00455240, 1_2_0040FA60, 1_2_00454210, 1_2_0040BA30, 1_2_00419AD0, 1_2_005832C0, 1_2_0045A2E0, 1_2_005ED298, 1_2_00596340, 1_2_004F4350, 1_2_0041BB60, 1_2_0045BB30, 1_2_004083D0, 1_2_00404B80, 1_2_00456380, 1_2_004F7B99, 1_2_0040EBB0, 1_2_00418C20, 1_2_005DDC30, 1_2_004184C0, 1_2_00417CC0, 1_2_0043B480, 1_2_00463CA0, 1_2_0045C4B0, 1_2_005E84A0, 1_2_00456D64, 1_2_00404D00, 1_2_005DBD00, 1_2_0052DD30, 1_2_00462D30, 1_2_00448580, 1_2_00441580, 1_2_005E9590, 1_2_00412D99, 1_2_00439E60, 1_2_00570E70, 1_2_005D9E60, 1_2_00412600, 1_2_00438610, 1_2_005C5630, 1_2_005EC6D0, 1_2_0040D680, 1_2_004426B0, 1_2_0040FF40, 1_2_00404F40, 1_2_00414760, 1_2_00582760, 1_2_0041FFC0
Source: C:\Users\user\Desktop\build.exe | Code function: String function: 00456690 appears 87 times
Source: C:\Users\user\Desktop\build.exe | Code function 1_2_005C5500: GetFileInformationByHandle,memset,DeviceIoControl,GetLastError,GetLastError
Source: build.exe | Static PE information: Section: .text IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\build.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: build.exe | String found in binary or memory: {before-help}{bin} {version} {author-section}{about-section} {usage-heading} {usage} {all-args}{after-help}/cargo/registry/src/github.com-1ecc6299db9ec823/clap-3.0.0-beta.5/src/output/help.rs{before-help}{bin} {version} {author-section}{about-section} {us
Source: build.exe | String found in binary or memory: author-section}about}about-with-newline}about-section}usage-heading}usage}all-args}options}positionals}subcommands}after-help}before-help}
Source: build.exe | String found in binary or memory: about-section}usage-heading}usage}all-args}options}positionals}subcommands}after-help}before-help}
Source: build.exe | String found in binary or memory: version}author}author-with-newline}author-section}about}about-with-newline}about-section}usage-heading}usage}all-args}options}positionals}subcommands}after-help}before-help}
Source: build.exe | String found in binary or memory: before-help}
Source: build.exe | String found in binary or memory: after-help}before-help}
Source: build.exe | String found in binary or memory: all-args}options}positionals}subcommands}after-help}before-help}
Source: build.exe | String found in binary or memory: usage-heading}usage}all-args}options}positionals}subcommands}after-help}before-help}
Source: build.exe | String found in binary or memory: subcommands}after-help}before-help}
Source: build.exe | String found in binary or memory: positionals}subcommands}after-help}before-help}
Source: build.exe | String found in binary or memory: cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"iisreset.exe /stop
Source: build.exe | String found in binary or memory: /cargo/registry/src/github.com-1ecc6299db9ec823/num-bigint-dig-0.7.0/src/algorithms/add.rs
Source: build.exe | String found in binary or memory: --helpDumpStack.log.tmppagefile.sysswapfile.sys
Source: build.exe | String found in binary or memory: {before-help}{bin} {version}{author-section}{about-section}{usage-heading} {usage}{all-args}{after-help}/cargo/registry/src/github.com-1ecc6299db9ec823/clap-3.0.0-beta.5/src/output/help.rs{before-help}{bin} {version}{author-section}{about-section}{us
Source: build.exe | String found in binary or memory: {before-help}{bin} {version}
Source: build.exe | String found in binary or memory: {all-args}{after-help}/cargo/registry/src/github.com-1ecc6299db9ec823/clap-3.0.0-beta.5/src/output/help.rs{before-help}{bin} {version}
Source: build.exe | String found in binary or memory: {usage}{after-help}
Source: build.exe | String found in binary or memory: T{before-help}{bin} {version}
Source: build.exe | String found in binary or memory: 3Z--helpDumpStack.log.tmppagefile.sysswapfile.sys
Source: build.exe | String found in binary or memory: Ocmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"iisreset.exe /stop
Source: build.exe | String found in binary or memory: /cargo/registry/src/github.com-1ecc6299db9ec823/num-bigint-dig-0.7.0/src/algorithms/add.rsd2gZ
Source: classification engine | Classification label: mal80.rans.evad.winEXE@1/0@0/0
Source: build.exe | Static file information: File size 2996224 > 1048576
Source: build.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: build.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ee200
Source: build.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: build.exe | Static PE information: real checksum: 0x2e8325 should be: 0x2de88b
Source: C:\Users\user\Desktop\build.exe | Code function 1_2_005EEBB0: push dword ptr [eax+04h]; ret 1_2_005EEBDF
Source: build.exe | Static PE information: section name: .eh_fram
Source: C:\Users\user\Desktop\build.exe | Code function 1_2_00401500: GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\build.exe | API coverage: 1.0 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\build.exe | Code function 1_2_004F7B99: GetSystemInfo,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapFree,memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle
Source: C:\Users\user\Desktop\build.exe | Code function 1_2_005DD5A0: HeapReAlloc,RtlReAllocateHeap,HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,HeapFree,GetProcessHeap,HeapAlloc
Source: C:\Users\user\Desktop\build.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\build.exe | Code function 1_2_005EDCE0: GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter

MITRE ATT&CK Matrix

Techniques are listed per tactic; a number in parentheses is the count of matched signatures mapped to that technique, and techniques without a count are unmatched matrix defaults.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Command and Scripting Interpreter (2), Native API (1), At (Linux), At (Windows)
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), File Deletion (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: System Time Discovery (1), Security Software Discovery (1), System Information Discovery (3), System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
Command and Control: Encrypted Channel (2), Proxy (1), Steganography, Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
Impact: Modify System Partition, Device Lockout, Delete Device Data