Windows Analysis Report
S7kJLbgFtg.exe

Overview

General Information

Sample Name: S7kJLbgFtg.exe
Analysis ID: 594117
MD5: 55b95e36469a3600abb995e58f61d4c9
SHA1: de6717493246599d8702e7d1fd6914aab5bd015d
SHA256: 7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Copying Sensitive Files with Credential Data
May disable shadow drive data (uses vssadmin)
Infects executable files (exe, dll, sys, html)
Drops executable to a common third party application directory
Deletes shadow drive data (may be related to ransomware)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Abnormal high CPU Usage

Classification

  • System is w10x64
  • S7kJLbgFtg.exe (PID: 6472 cmdline: "C:\Users\user\Desktop\S7kJLbgFtg.exe" MD5: 55B95E36469A3600ABB995E58F61D4C9)
    • vssadmin.exe (PID: 7140 cmdline: vssadmin delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
      • conhost.exe (PID: 4744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades); Data: Command: vssadmin delete shadows /all /quiet, CommandLine: vssadmin delete shadows /all /quiet, CommandLine|base64offset|contains: vh, Image: C:\Windows\System32\vssadmin.exe, NewProcessName: C:\Windows\System32\vssadmin.exe, OriginalFileName: C:\Windows\System32\vssadmin.exe, ParentCommandLine: "C:\Users\user\Desktop\S7kJLbgFtg.exe", ParentImage: C:\Users\user\Desktop\S7kJLbgFtg.exe, ParentProcessId: 6472, ProcessCommandLine: vssadmin delete shadows /all /quiet, ProcessId: 7140
Source: Process started; Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community; Data: Command: vssadmin delete shadows /all /quiet, CommandLine: vssadmin delete shadows /all /quiet, CommandLine|base64offset|contains: vh, Image: C:\Windows\System32\vssadmin.exe, NewProcessName: C:\Windows\System32\vssadmin.exe, OriginalFileName: C:\Windows\System32\vssadmin.exe, ParentCommandLine: "C:\Users\user\Desktop\S7kJLbgFtg.exe", ParentImage: C:\Users\user\Desktop\S7kJLbgFtg.exe, ParentProcessId: 6472, ProcessCommandLine: vssadmin delete shadows /all /quiet, ProcessId: 7140

AV Detection

Source: S7kJLbgFtg.exe; Virustotal: Detection: 52%
Source: S7kJLbgFtg.exe; ReversingLabs: Detection: 69%
Source: S7kJLbgFtg.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: Reflow.pdbRR source: Data1.cab.0.dr
Source: Binary string: PDDom.pdbiiH source: Data1.cab.0.dr
Source: Binary string: SaveAsRTF.pdbUU source: Data1.cab.0.dr
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb A source: Data1.cab.0.dr
Source: Binary string: Accessibility.pdbpp source: Data1.cab.0.dr
Source: Binary string: Accessibility.pdb source: Data1.cab.0.dr
Source: Binary string: D:\garuda_1890\esg\lilo\plugins\AdobeHunspellPlugin\6.1\binaries\VC.Net2010\Win32\Release\AdobeHunspellPlugin.pdb source: Data1.cab.0.dr
Source: Binary string: SaveAsRTF.pdb source: Data1.cab.0.dr
Source: Binary string: Reflow.pdb source: Data1.cab.0.dr
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\AdobeARM.pdb source: Data1.cab.0.dr
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: Data1.cab.0.dr
Source: Binary string: PDDom.pdb source: Data1.cab.0.dr
Source: Binary string: D:\CB\ARM_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe0.0.dr
Source: Binary string: C:\O\W\B\130707\ARM\BuildResults\bin\Win32\Release\armsvc.pdb source: Data1.cab.0.dr
Source: Binary string: MakeAccessible.pdb source: Data1.cab.0.dr

Spreading

Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; System file written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; System file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; System file written: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\msasxpress.dll
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Default\Jump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\Jump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Jump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Clean Store\Jump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\NisBackup\Jump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Jump to behavior
Source: AdobeARM.msi0.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.c
Source: AdobeARM.msi0.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: AdobeARMHelper.exe0.0.dr, AdobeARM.msi0.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: AdobeARMHelper.exe0.0.dr, AdobeARM.msi0.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AdobeARM.msi0.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AdobeARM.msi0.0.drString found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: AdobeARM.msi0.0.drString found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: Data1.cab.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: AdobeARM.msi0.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AdobeARMHelper.exe0.0.dr, AdobeARM.msi0.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AdobeARMHelper.exe0.0.dr, AdobeARM.msi0.0.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: AdobeARM.msi0.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AdobeARM.msi0.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AdobeARMHelper.exe0.0.dr, AdobeARM.msi0.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AdobeARMHelper.exe0.0.dr, AdobeARM.msi0.0.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: AdobeARM.msi0.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Data1.cab.0.drString found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
Source: Data1.cab.0.drString found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
Source: Data1.cab.0.drString found in binary or memory: http://evcs-ocsp.ws.symantec.com04
Source: AdobeARM.msi0.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: AdobeARMHelper.exe0.0.dr, AdobeARM.msi0.0.drString found in binary or memory: http://ocsp.digicert.com0H
Source: AdobeARMHelper.exe0.0.dr, AdobeARM.msi0.0.drString found in binary or memory: http://ocsp.digicert.com0I
Source: AdobeARM.msi0.0.drString found in binary or memory: http://ocsp.digicert.com0O
Source: AdobeARM.msi0.0.dr, Data1.cab.0.drString found in binary or memory: http://ocsp.thawte.com0
Source: AdobeARMHelper.exe0.0.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: AdobeARMHelper.exe0.0.drString found in binary or memory: http://s.symcd.com06
Source: AdobeARMHelper.exe0.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Data1.cab.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: AdobeARMHelper.exe0.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Data1.cab.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Data1.cab.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AdobeARMHelper.exe0.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Data1.cab.0.drString found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: AdobeARMHelper.exe0.0.dr, AdobeARM.msi0.0.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AdobeARM.msi0.0.drString found in binary or memory: http://www.macrovision.com0
Source: Data1.cab.0.drString found in binary or memory: http://www.symauth.com/cps0(
Source: Data1.cab.0.drString found in binary or memory: http://www.symauth.com/cps09
Source: Data1.cab.0.drString found in binary or memory: http://www.symauth.com/rpa04
Source: AdobeARMHelper.exe0.0.drString found in binary or memory: https://d.symcb.com/cps0%
Source: AdobeARMHelper.exe0.0.drString found in binary or memory: https://d.symcb.com/rpa0
Source: AdobeARMHelper.exe0.0.drString found in binary or memory: https://d.symcb.com/rpa0.
Source: S7kJLbgFtg.exeString found in binary or memory: https://dist.torproject.org/torbrowser/8.5.3/tor-win32-0.3.5.8.zipzipTor
Source: AdobeARMHelper.exe0.0.dr, AdobeARM.msi0.0.drString found in binary or memory: https://www.digicert.com/CPS0

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000001.00000002.359172423.000001FA20780000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Users\user\Desktop\C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quietC:\Windows\SYSTEM32\vssadmin.exeWinsta0\Default
Source: vssadmin.exe, 00000001.00000002.359172423.000001FA20780000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000001.00000002.359151558.000001FA206E5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: vssadmindeleteshadows/all/quiet
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; Process Stats: CPU usage > 98%
Source: S7kJLbgFtg.exe; Virustotal: Detection: 52%
Source: S7kJLbgFtg.exe; ReversingLabs: Detection: 69%
Source: S7kJLbgFtg.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\S7kJLbgFtg.exe "C:\Users\user\Desktop\S7kJLbgFtg.exe"
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\vssadmin.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\vssadmin.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4744:120:WilError_01
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; File created: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\!-Recovery_Instructions-!.txt
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; File created: C:\Users\user\Desktop\!-Recovery_Instructions-!.txt
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\IdentityCRL\production\temp\!-Recovery_Instructions-!.txtJump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; File written: C:\ProgramData\Adobe\ARM\ArmReport.ini
Source: classification engine; Classification label: mal76.rans.spre.winEXE@4/1151@0/0
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; File read: C:\ProgramData\Adobe\ARM\ArmReport.ini
Source: S7kJLbgFtg.exe; Static PE information: Image base 0x140000000 > 0x60000000
Source: S7kJLbgFtg.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: S7kJLbgFtg.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: S7kJLbgFtg.exe; Static PE information: section name: _RDATA

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; System file written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; System file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; System file written: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\msasxpress.dll
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; File written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; File written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; File written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Default\Jump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\Jump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\Jump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Clean Store\Jump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Definition Updates\NisBackup\Jump to behavior
Source: C:\Users\user\Desktop\S7kJLbgFtg.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Jump to behavior
Source: S7kJLbgFtg.exe; Binary or memory string: .Mdfsqlserv.exeoracle.exentdbsmgr.exesqlservr.exesqlwriter.exeMsDtsSrvr.exemsmdsrv.exeReportingServecesService.exefdhost.exefdlauncher.execher.exevmickvpexchangevmicguestinterfacevmicshutdownvmicheartbeatvmicrdvstorfltvmictimesyncvmicvssMSSQLFDLauncherMSSQLSERVERSQLSERVERAGENTSQLBrowserSQLTELEMETRYMsDtsServer130SSISTELEMETRY130SQLWriterMSSQLSQLAgentMSSQLServerADHelper100MSSQLServerOLAPServiceMsDtsServer100ReportServerTMBMServerpostgresql-x64-9.4UniFivmmssql-x64-9.4
Source: Data1.cab.0.dr; Binary or memory string: gHExitMaximize&Click to activateShell_TrayWndTrayNotifyWndp
Source: C:\Users\user\Desktop\S7kJLbgFtg.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix, listed by tactic (the number in parentheses is the count the report shows beside that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (2); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading (12); Process Injection (2); File Deletion (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (1); Process Discovery (2); File and Directory Discovery (3); System Information Discovery (2)
Lateral Movement: Taint Shared Content (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label
S7kJLbgFtg.exe | 52% | Virustotal |
S7kJLbgFtg.exe | 69% | ReversingLabs | Win64.Ransomware.LockCrypt
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.macrovision.com0 | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.macrovision.com0 | AdobeARM.msi0.0.dr | false | URL Reputation: safe | unknown
https://dist.torproject.org/torbrowser/8.5.3/tor-win32-0.3.5.8.zipzipTor | S7kJLbgFtg.exe | false | | high
http://www.symauth.com/rpa04 | Data1.cab.0.dr | false | | high
http://crl.thawte.com/ThawtePr