Windows Analysis Report
SHIPMENTDOCUMENTSPDF.exe

Overview

General Information

Sample Name: SHIPMENTDOCUMENTSPDF.exe
Analysis ID: 598602
MD5: db995bcbc1b1ffe95cbde7f316b577bc
SHA1: 95049e53f64a1b5050d697d88ccc8bf62d58e3f6
SHA256: bb95fa20a55260f729584b7932c7dba208dcc5b0a7597be447a72e481e0dcb09

Detection

AveMaria UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected UACMe UAC Bypass tool
Antivirus detection for URL or domain
Yara detected AveMaria stealer
Initial sample is a PE file and has a suspicious name
Contains functionality to hide user accounts
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Uses 32bit PE files
Contains functionality to create new users
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Installs a raw input device (often for capturing keystrokes)
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Found evaded block containing many API calls
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider

AV Detection

Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "goodies.dynamic-dns.net", "port": 5200}
Source: SHIPMENTDOCUMENTSPDF.exe Virustotal: Detection: 57%
Source: SHIPMENTDOCUMENTSPDF.exe Metadefender: Detection: 23%
Source: SHIPMENTDOCUMENTSPDF.exe ReversingLabs: Detection: 61%
Source: SHIPMENTDOCUMENTSPDF.exe Avira: detected
Source: goodies.dynamic-dns.net Avira URL Cloud: Label: phishing
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack Avira: Label: TR/Patched.Ren.Gen3
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack Avira: Label: TR/Redcap.ghjpt
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 2_2_0312A632
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312CAFC CryptUnprotectData,LocalAlloc,LocalFree, 2_2_0312CAFC
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312CF58 LocalAlloc,BCryptDecrypt,LocalFree, 2_2_0312CF58
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 2_2_0312CC54
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 2_2_0312CCB4
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, 2_2_0312B15E

Exploits

Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6764, type: MEMORYSTR
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Directory created: C:\Program Files\Microsoft DN1
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\licensing.pdb source: SHIPMENTDOCUMENTSPDF.exe
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312FF27 FindFirstFileW,FindNextFileW, 2_2_0312FF27
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_03129DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 2_2_03129DF6
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0313002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 2_2_0313002B

Networking

Source: Malware configuration extractor URLs: goodies.dynamic-dns.net
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_031227D3 URLDownloadToFileW,ShellExecuteW, 2_2_031227D3
Source: SHIPMENTDOCUMENTSPDF.exe String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices, 2_2_0312902E
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_031289D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, 2_2_031289D5

E-Banking Fraud

Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: initial sample Static PE information: Filename: SHIPMENTDOCUMENTSPDF.exe
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_007D0E50 2_2_007D0E50
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0077EE20 2_2_0077EE20
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0077F730 2_2_0077F730
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_03131BF8 2_2_03131BF8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_02731537 2_2_02731537
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: String function: 00754DD1 appears 270 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: String function: 00751E1F appears 606 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: String function: 031235E5 appears 40 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: String function: 007525E5 appears 49 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: String function: 00751DBB appears 36 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: String function: 03130969 appears 47 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Section loaded: edgegdi.dll
Source: SHIPMENTDOCUMENTSPDF.exe Virustotal: Detection: 57%
Source: SHIPMENTDOCUMENTSPDF.exe Metadefender: Detection: 23%
Source: SHIPMENTDOCUMENTSPDF.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe File read: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 2_2_0312F619
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0077C250 CoCreateInstance, 2_2_0077C250
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_0312D508
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_031320B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_031320B8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0077EBA0 LoadResource,LockResource,SizeofResource, 2_2_0077EBA0
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe File created: C:\Program Files\Microsoft DN1
Source: SHIPMENTDOCUMENTSPDF.exe Static file information: File size 2554880 > 1048576
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Directory created: C:\Program Files\Microsoft DN1
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x165000
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\OLEDB\Consumer\DynamicConsumer\licensing.pdb source: SHIPMENTDOCUMENTSPDF.exe
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_03121190 push eax; ret 2_2_031211A4
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_03121190 push eax; ret 2_2_031211CC
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_02720ACF push eax; ret 2_2_02720AE3
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_02720ACF push eax; ret 2_2_02720B0B
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_02733DF0 push ebp; retf 2_2_02733EA3
Source: SHIPMENTDOCUMENTSPDF.exe Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312F51D LoadLibraryA,GetProcAddress, 2_2_0312F51D
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312D418 NetUserAdd,NetLocalGroupAddMembers, 2_2_0312D418
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_031227D3 URLDownloadToFileW,ShellExecuteW, 2_2_031227D3
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 2_2_0312A6C8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 2_2_0312AC0A

Hooking and other Techniques for Hiding and Protection

Source: SHIPMENTDOCUMENTSPDF.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe TID: 4900 Thread sleep count: 60 > 30
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 2_2_0312DA5B
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe API coverage: 6.6 %
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_007D520F VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 2_2_007D520F
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312FF27 FindFirstFileW,FindNextFileW, 2_2_0312FF27
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_03129DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 2_2_03129DF6
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0313002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 2_2_0313002B
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000003.160895547606.0000000000663000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_00784490 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00784490
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_007D520F VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 2_2_007D520F
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312F51D LoadLibraryA,GetProcAddress, 2_2_0312F51D
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_00776870 GetProcessHeap, 2_2_00776870
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_007DA290 mov eax, dword ptr fs:[00000030h] 2_2_007DA290
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_03130619 mov eax, dword ptr fs:[00000030h] 2_2_03130619
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_03130620 mov eax, dword ptr fs:[00000030h] 2_2_03130620
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0313094E mov eax, dword ptr fs:[00000030h] 2_2_0313094E
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0273028D mov eax, dword ptr fs:[00000030h] 2_2_0273028D
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_02720467 mov eax, dword ptr fs:[00000030h] 2_2_02720467
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_027384B1 mov eax, dword ptr fs:[00000030h] 2_2_027384B1
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0272FF58 mov eax, dword ptr fs:[00000030h] 2_2_0272FF58
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0272FF5F mov eax, dword ptr fs:[00000030h] 2_2_0272FF5F
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_00784490 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00784490
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_00784740 SetUnhandledExceptionFilter, 2_2_00784740
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_00782EB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00782EB0
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0079B370 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0079B370

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_031279E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 2_2_031279E8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_03131FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 2_2_03131FD8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 2_2_031320B8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_031318BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 2_2_031318BA
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 2_2_0312F56D
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_0312F93F cpuid 2_2_0312F93F
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: 2_2_00784870 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00784870

Stealing of Sensitive Information

Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: POP3 Password 2_2_0312A29A
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: SMTP Password 2_2_0312A29A
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: IMAP Password 2_2_0312A29A
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: \Google\Chrome\User Data\Default\Login Data 2_2_0312C1B2
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe Code function: \Chromium\User Data\Default\Login Data 2_2_0312C1B2
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6764, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos