Windows Analysis Report
triage_dropped_file

Overview

General Information

Sample Name: triage_dropped_file (renamed file extension from none to exe)
Analysis ID: 626069
MD5: b4d7d6d6011c12dcf1b42707119c74d3
SHA1: 069786f6de361532ae83b522880c7cad7c605a27
SHA256: 8e62347e7263d99c7d06bdd30fcea60c79acfff55b199e89df0d99d408ec24ec
Tags: exe xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}
Source: triage_dropped_file.exe Virustotal: Detection: 46%
Source: triage_dropped_file.exe ReversingLabs: Detection: 53%
Source: Yara match File source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: www.cortesdisenosroutercnc.com/itq4/ Avira URL Cloud: Label: malware
Source: www.cortesdisenosroutercnc.com/itq4/ Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe ReversingLabs: Detection: 34%
Source: triage_dropped_file.exe Joe Sandbox ML: detected
Source: 1.2.qcoewlbpwb.exe.1410000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: triage_dropped_file.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: triage_dropped_file.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
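The two "Static PE information" lines above are worth reading together: RELOCS_STRIPPED in the file characteristics alongside DYNAMIC_BASE in the DLL characteristics is the usual signature of an NSIS stub (the nsis.sf.net string in the Networking section points the same way), and it means the ASLR opt-in bit is set on an image the loader has no relocation data to move, so the stub runs at its preferred base. The Python below is an added illustration, not part of the Joe Sandbox report: it reads the Characteristics and DllCharacteristics fields straight from the COFF and optional headers without pefile, and checks that combination. The header it parses is constructed in build_header to reproduce the flag set the report lists; the sample file itself is not embedded.

```python
import struct

# Flag names and bit values from the PE/COFF specification (winnt.h).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def _names(value, table):
    return {name for bit, name in table.items() if value & bit}


def parse_pe_flags(data):
    """Return (file_characteristics, dll_characteristics) as sets of flag names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsec, _ts, _psym, _nsym, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return _names(chars, FILE_CHARACTERISTICS), _names(dllchars, DLL_CHARACTERISTICS)


def aslr_effective(file_flags, dll_flags):
    """DYNAMIC_BASE is only an opt-in; with relocations stripped the loader cannot rebase."""
    return "DYNAMIC_BASE" in dll_flags and "RELOCS_STRIPPED" not in file_flags


def build_header(characteristics, dll_characteristics, pe32plus=False):
    """Constructed minimal MZ + PE header (no sections); sample input only, not a real file."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Sample input reproducing the flag combination the report lists for triage_dropped_file.exe.
SAMPLE = build_header(0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100,
                      0x0040 | 0x0100 | 0x0400 | 0x8000)

if __name__ == "__main__":
    f, d = parse_pe_flags(SAMPLE)
    print("Characteristics:   ", ", ".join(sorted(f)))
    print("DllCharacteristics:", ", ".join(sorted(d)))
    print("ASLR effective:    ", aslr_effective(f, d))
```

To run it against the real sample, replace SAMPLE with open(path, "rb").read(); only the first few hundred bytes are consulted.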

Networking

Source: Malware configuration extractor URLs: www.cortesdisenosroutercnc.com/itq4/
Source: triage_dropped_file.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040580F
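The extracted configuration holds one live C2 (www.cortesdisenosroutercnc.com/itq4/) and a long decoy list. FormBook also sends beacons to the decoy domains, which are unrelated legitimate sites, so the decoy list is not a blocklist; the configured URI path, however, travels with those beacons and is the more specific indicator when reviewing egress logs. The Python below is an added illustration and not part of the Joe Sandbox report: it parses a "Malware Configuration Extractor" line of the shape shown above, separates C2 hosts and paths from decoy hosts, and scores proxy-log lines accordingly. The decoy list is abbreviated to four of the 64 entries, and the log format and client addresses are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed, abbreviated copy of the extractor line in this report (4 of 64 decoys kept).
EXTRACTOR_LINE = (
    "Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp "
    "Malware Configuration Extractor: FormBook "
    '{"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], '
    '"decoy": ["worklocalcortland.com", "hostydom.tech", "pokibar.com", "freebtc.pro"]}'
)

# Constructed proxy log lines: "<client> <host> <path>"; the addresses are made up.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 www.cortesdisenosroutercnc.com /itq4/",
    "10.0.0.5 pokibar.com /itq4/",
    "10.0.0.7 pokibar.com /",
    "10.0.0.9 example.org /",
]


def parse_extractor_line(line):
    """Return the JSON object embedded in a 'Malware Configuration Extractor' report line."""
    return json.loads(line[line.index("{"):])


def split_entry(entry):
    """Config entries are 'host/path/' without a scheme; return (host, path)."""
    if "://" not in entry:
        entry = "http://" + entry
    parts = urlsplit(entry)
    if parts.hostname is None:
        raise ValueError("no host in config entry: %r" % entry)
    return parts.hostname.lower(), parts.path or "/"


def bare(host):
    """Normalise a hostname for comparison: lowercase, no trailing dot, no leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def iocs(cfg):
    """Split the config into actionable C2 hosts/paths and non-blockable decoy hosts."""
    c2_hosts, c2_paths = set(), set()
    for entry in cfg.get("C2 list", []):
        host, path = split_entry(entry)
        c2_hosts.add(bare(host))
        c2_paths.add(path)
    decoys = {bare(split_entry(d)[0]) for d in cfg.get("decoy", [])}
    return {"c2_hosts": c2_hosts, "c2_paths": c2_paths, "decoy_hosts": decoys}


def classify_host(ind, host):
    h = bare(host)
    if h in ind["c2_hosts"]:
        return "c2"
    if h in ind["decoy_hosts"]:
        return "decoy"
    return "unknown"


def triage_proxy_log(ind, lines):
    """Score log lines: C2 host is high; decoy host with the C2 path is medium; decoy alone is info."""
    findings = []
    for line in lines:
        client, host, path = line.split()
        kind = classify_host(ind, host)
        on_c2_path = any(path.startswith(p) for p in ind["c2_paths"])
        if kind == "c2":
            sev = "high"
        elif kind == "decoy" and on_c2_path:
            sev = "medium"
        elif kind == "decoy":
            sev = "info"
        else:
            continue
        findings.append((sev, client, host, path))
    return findings


if __name__ == "__main__":
    ind = iocs(parse_extractor_line(EXTRACTOR_LINE))
    print("block:", sorted(ind["c2_hosts"]), "path:", sorted(ind["c2_paths"]))
    for finding in triage_proxy_log(ind, SAMPLE_PROXY_LOG):
        print(*finding)
```

Matching is done on the bare hostname, so www.cortesdisenosroutercnc.com and cortesdisenosroutercnc.com both classify as C2; a subdomain of a decoy would not match and is intentionally left unknown rather than guessed at.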

E-Banking Fraud

Source: Yara match File source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: triage_dropped_file.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D1F55 1_2_013D1F55
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013E5917 1_2_013E5917
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013DDDB8 1_2_013DDDB8
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D99B3 1_2_013D99B3
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013E2DF6 1_2_013E2DF6
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013E45EF 1_2_013E45EF
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013E61D9 1_2_013E61D9
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013DE1D0 1_2_013DE1D0
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013E7844 1_2_013E7844
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013E38D3 1_2_013E38D3
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013DD8C4 1_2_013DD8C4
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013E3361 1_2_013E3361
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013DEA3A 1_2_013DEA3A
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013DE605 1_2_013DE605
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: String function: 013D2BE0 appears 39 times
Source: triage_dropped_file.exe Virustotal: Detection: 46%
Source: triage_dropped_file.exe ReversingLabs: Detection: 53%
Source: C:\Users\user\Desktop\triage_dropped_file.exe File read: C:\Users\user\Desktop\triage_dropped_file.exe
Source: triage_dropped_file.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\triage_dropped_file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\triage_dropped_file.exe "C:\Users\user\Desktop\triage_dropped_file.exe"
Source: C:\Users\user\Desktop\triage_dropped_file.exe Process created: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\tznfsiydnl
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Process created: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\tznfsiydnl
Source: C:\Users\user\Desktop\triage_dropped_file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Users\user\Desktop\triage_dropped_file.exe File created: C:\Users\user\AppData\Local\Temp\nspFB81.tmp
Source: classification engine Classification label: mal100.troj.winEXE@5/4@0/0
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\triage_dropped_file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404ABB
Source: triage_dropped_file.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D2C25 push ecx; ret 1_2_013D2C38
Source: C:\Users\user\Desktop\triage_dropped_file.exe File created: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D1F55 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_013D1F55
Source: C:\Users\user\Desktop\triage_dropped_file.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\triage_dropped_file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe API coverage: 8.9 %
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\triage_dropped_file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D24C0 _memset,IsDebuggerPresent, 1_2_013D24C0
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D677A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_013D677A
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D2486 GetProcessHeap, 1_2_013D2486
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D4D72 SetUnhandledExceptionFilter, 1_2_013D4D72
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D4DA3 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_013D4DA3
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Process created: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\tznfsiydnl
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: EnumSystemLocalesW, 1_2_013D915C
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_013E1148
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 1_2_013E1597
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW, 1_2_013E0DFB
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: GetLocaleInfoW, 1_2_013D91E2
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 1_2_013E11CB
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 1_2_013DD40C
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: EnumSystemLocalesW, 1_2_013E106F
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free, 1_2_013DBC4F
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free, 1_2_013D5496
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 1_2_013DC08F
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_013E14EA
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 1_2_013E10CB
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_013D8F7B
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 1_2_013E13C0
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 1_2_013E166B
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_013DC691
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D802C cpuid 1_2_013D802C
Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe Code function: 1_2_013D463A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_013D463A
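The process-creation entries in this section give the most durable detection anchor in the report: the NSIS stub on the Desktop drops qcoewlbpwb.exe into %LOCALAPPDATA%\Temp and launches it with a second, extensionless Temp file (tznfsiydnl) as its only argument, and qcoewlbpwb.exe then relaunches itself with the identical command line, which together with the "Creates a process in suspended mode" signature is the pattern of the loader injecting the FormBook payload into a fresh copy of itself. Several of the evasion signatures listed here are weaker on their own: the GetProcAddress run in 1_2_013D1F55 sits next to __initp_misc_winsig, and the IsDebuggerPresent/OutputDebugStringW pair in 1_2_013D677A next to ___crtIsPackagedApp, which are MSVC runtime start-up routines rather than malware logic. The Python below is an added example, not part of the Joe Sandbox report, that encodes the two process-tree rules over constructed Sysmon-style process-creation records; the PIDs, the explorer.exe parent and the benign installer record are assumptions made for the example.

```python
import re

# Matches an image or argument path under %LOCALAPPDATA%\Temp (case-insensitive).
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# A short trailing extension such as .exe or .tmp; absence marks a payload-style file name.
EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,4}$")

# Constructed Sysmon Event ID 1-style records mirroring the process tree in this report.
# PIDs and the explorer.exe / setup.exe records are made up for the example.
EVENTS = [
    {"pid": 1100, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 4212, "ppid": 1100, "image": r"C:\Users\user\Desktop\triage_dropped_file.exe",
     "cmd": r'"C:\Users\user\Desktop\triage_dropped_file.exe"'},
    {"pid": 4300, "ppid": 4212, "image": r"C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe",
     "cmd": r"C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\tznfsiydnl"},
    {"pid": 4388, "ppid": 4300, "image": r"C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe",
     "cmd": r"C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\tznfsiydnl"},
    # Benign-looking control: an installer in Temp with a normal switch, no self-relaunch.
    {"pid": 5000, "ppid": 1100, "image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "cmd": r"C:\Users\user\AppData\Local\Temp\setup.exe /S"},
]


def argv(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def in_temp(path):
    return bool(TEMP_RE.search(path))


def detect(events):
    """Return (rule, pid, detail) hits for the two process-tree patterns in the report."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not in_temp(e["image"]):
            continue
        args = argv(e["cmd"])[1:]
        # Rule 1: a non-Temp parent runs a Temp executable whose argument is an
        # extensionless file in Temp (the dropper -> loader + encrypted blob step).
        payload_args = [a for a in args if in_temp(a) and not EXT_RE.search(a)]
        if not in_temp(parent["image"]) and payload_args:
            hits.append(("temp_drop_with_extensionless_payload", e["pid"], payload_args[0]))
        # Rule 2: a Temp executable relaunches itself with the same command line
        # (consistent with creating a suspended copy to inject into).
        if (parent["image"].lower() == e["image"].lower()
                and argv(parent["cmd"]) == argv(e["cmd"])):
            hits.append(("self_relaunch_from_temp", e["pid"], e["image"]))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule}: pid {pid} ({detail})")
```

Both rules key on the relationship between parent and child rather than on the random file names, so they survive the per-build renaming of qcoewlbpwb.exe and tznfsiydnl; the control record shows that an installer in Temp with an ordinary switch does not trip either rule.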

Stealing of Sensitive Information

Source: Yara match File source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos