Windows Analysis Report
triage_dropped_file

Overview

General Information

Sample Name: triage_dropped_file (renamed file extension from none to exe)
Analysis ID: 626069
MD5: b4d7d6d6011c12dcf1b42707119c74d3
SHA1: 069786f6de361532ae83b522880c7cad7c605a27
SHA256: 8e62347e7263d99c7d06bdd30fcea60c79acfff55b199e89df0d99d408ec24ec
Tags: exexloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • triage_dropped_file.exe (PID: 5744 cmdline: "C:\Users\user\Desktop\triage_dropped_file.exe" MD5: B4D7D6D6011C12DCF1B42707119C74D3)
    • qcoewlbpwb.exe (PID: 3340 cmdline: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\tznfsiydnl MD5: F8422B67FF9E3AB629A35142CC918711)
      • qcoewlbpwb.exe (PID: 5964 cmdline: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\tznfsiydnl MD5: F8422B67FF9E3AB629A35142CC918711)
  • cleanup

Malware Configuration

{"C2 list": ["www.cortesdisenosroutercnc.com/itq4/"], "decoy": ["worklocalcortland.com", "hostydom.tech", "ittakegenius.com", "clarisfixion.com", "totalzerosband.com", "shop-for-432.club", "exploremytruth.com", "skarpaknivar.com", "teknikunsur.net", "shoppingclick.online", "808gang.net", "solobookings.com", "mikunandina.com", "insumedkap.com", "kingdomcell.com", "qabetalive838475.com", "foxyreal.website", "filmweltruhr.com", "pokibar.com", "girassolpresentes.com", "rprent.com", "klatch22.com", "qam3.com", "bbuur.com", "grandmino.com", "windowcontractor.info", "myownstack.com", "suprebahia.com", "amaliebeac.space", "rugggedclassicvinyl.com", "thevillagetour.com", "obsoletely.xyz", "fintell.online", "mychianfts.net", "skillingyousoftly.com", "mejicat.com", "tntpowerspeedagility.com", "richardklewis.store", "yourdmvhometeam.com", "citestaccnt1631545392.com", "weddingbyneus.com", "mbkjewelry.com", "shubhamsports.com", "bountyhub.xyz", "heritage.solar", "vitalorganicbarsoap.com", "cloandjoe.com", "royalluxextensions.com", "lbrzandvoort.com", "knowmust.xyz", "okpu.top", "balanz.kitchen", "buggy4t.com", "gownstevensond.com", "f4w6.claims", "workingfromgarden.com", "foryourtinyhuman.com", "preventbiotech.com", "happyklikshop.com", "tuyenxanh.com", "lift2.cloud", "skazhiraku.net", "purpleatticexperiment.com", "freebtc.pro"]}
Yara Overview (memory dumps)

Source | Rule | Description | Author | Strings
00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Yara Overview (unpacked PEs)

Source | Rule | Description | Author | Strings
1.2.qcoewlbpwb.exe.1410000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.qcoewlbpwb.exe.1410000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | Strings: same offsets and byte sequences as the .sdmp entry above
1.2.qcoewlbpwb.exe.1410000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | Strings: same offsets and byte sequences as the .sdmp entry above
1.2.qcoewlbpwb.exe.1410000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.qcoewlbpwb.exe.1410000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (configuration as listed above)
Source: triage_dropped_file.exe | Virustotal: Detection: 46%
Source: triage_dropped_file.exe | ReversingLabs: Detection: 53%
Source: Yara match | File source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: www.cortesdisenosroutercnc.com/itq4/ | Avira URL Cloud: Label: malware
Source: www.cortesdisenosroutercnc.com/itq4/ | Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | ReversingLabs: Detection: 34%
Source: triage_dropped_file.exe | Joe Sandbox ML: detected
Source: 1.2.qcoewlbpwb.exe.1410000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: triage_dropped_file.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: triage_dropped_file.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 0_2_004069A4 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 0_2_0040290B FindFirstFileW

Networking

Source: Malware configuration extractor | URLs: www.cortesdisenosroutercnc.com/itq4/
Source: triage_dropped_file.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud

Source: Yara match | File source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D1F55
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013E5917
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013DDDB8
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D99B3
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013E2DF6
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013E45EF
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013E61D9
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013DE1D0
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013E7844
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013E38D3
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013DD8C4
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013E3361
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013DEA3A
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013DE605
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: String function: 013D2BE0 appears 39 times
Source: C:\Users\user\Desktop\triage_dropped_file.exe | File read: C:\Users\user\Desktop\triage_dropped_file.exe
Source: triage_dropped_file.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\triage_dropped_file.exe "C:\Users\user\Desktop\triage_dropped_file.exe"
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Process created: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\tznfsiydnl
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Process created: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe C:\Users\user\AppData\Local\Temp\tznfsiydnl
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\triage_dropped_file.exe | File created: C:\Users\user\AppData\Local\Temp\nspFB81.tmp
Source: classification engine | Classification label: mal100.troj.winEXE@5/4@0/0
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 0_2_004021AA CoCreateInstance
Source: C:\Users\user\Desktop\triage_dropped_file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D2C25 push ecx; ret (1_2_013D2C38)
Source: C:\Users\user\Desktop\triage_dropped_file.exe | File created: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D1F55 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_1-12761)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | API coverage: 8.9 %
Source: C:\Users\user\Desktop\triage_dropped_file.exe | API call chain: ExitProcess graph end node (graph_0-3509)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | API call chain: ExitProcess graph end node (graph_1-12763)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D24C0 _memset,IsDebuggerPresent
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D677A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D2486 GetProcessHeap
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D4D72 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D4DA3 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: EnumSystemLocalesW (1_2_013D915C)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW (1_2_013E1148)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: GetLocaleInfoW,_GetPrimaryLen (1_2_013E1597)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW (1_2_013E0DFB)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: GetLocaleInfoW (1_2_013D91E2)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage (1_2_013E11CB)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free (1_2_013DD40C)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: EnumSystemLocalesW (1_2_013E106F)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free (1_2_013DBC4F)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free (1_2_013D5496)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free (1_2_013DC08F)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP (1_2_013E14EA)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW (1_2_013E10CB)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat (1_2_013D8F7B)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage (1_2_013E13C0)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s (1_2_013E166B)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo (1_2_013DC691)
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D802C cpuid
Source: C:\Users\user\AppData\Local\Temp\qcoewlbpwb.exe | Code function: 1_2_013D463A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 1.2.qcoewlbpwb.exe.1410000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.qcoewlbpwb.exe.1410000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.247083101.0000000001410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix (the number in parentheses is the report's count of matched signatures for that technique)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Native API (1), Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Access Token Manipulation (1), Process Injection (11), Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Access Token Manipulation (1), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: System Time Discovery (1), Query Registry (1), Security Software Discovery (13), File and Directory Discovery (2), System Information Discovery (24)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data (1), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel (1), Application Layer Protocol (1), Steganography, Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings
Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data