Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.7507

Overview

General Information

Sample Name: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.7507 (renamed file extension from 7507 to exe)
Analysis ID: 631792
MD5: dabc6f0c75c134e5310ba3526adba833
SHA1: 854ec103a64182c97e8f25e45da04889dbbbf3ff
SHA256: 9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf
Tags: exe

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Creates processes via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
Drops script or batch files to the startup folder
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Contains functionality to create processes via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Writes to foreign memory regions
Increases the number of concurrent connections per server for Internet Explorer
Contains functionality to hide user accounts
Hides user accounts
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates files in alternative data streams (ADS)
Found decision node followed by non-executed suspicious APIs
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to download and execute PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Spawns drivers
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Contains capabilities to detect virtual machines
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: C:\Program Files\Microsoft DN1\sqlmap.dll Avira: detection malicious, Label: PUA/Remoteadmin.AR
Source: 4.2.images.exe.22e053f.3.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "23.227.202.157", "port": 8080}
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe ReversingLabs: Detection: 24%
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files\Microsoft DN1\sqlmap.dll Virustotal: Detection: 49%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll Metadefender: Detection: 20%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll ReversingLabs: Detection: 50%
Source: C:\ProgramData:ApplicationData ReversingLabs: Detection: 24%
Source: C:\ProgramData\images.exe ReversingLabs: Detection: 24%
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Joe Sandbox ML: detected
Source: C:\ProgramData:ApplicationData Joe Sandbox ML: detected
Source: C:\ProgramData\images.exe Joe Sandbox ML: detected
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack Avira: Label: TR/Redcap.ghjpt
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.732e68.2.unpack Avira: Label: TR/Patched.Ren.Gen3
Source: 4.3.images.exe.732cb8.3.unpack Avira: Label: TR/Patched.Ren.Gen3
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack Avira: Label: TR/Patched.Ren.Gen3
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.732e68.6.unpack Avira: Label: TR/Patched.Ren.Gen3
Source: 4.3.images.exe.732cb8.7.unpack Avira: Label: TR/Patched.Ren.Gen3
Source: 4.2.images.exe.22e053f.3.unpack Avira: Label: TR/Patched.Ren.Gen3
Source: 4.2.images.exe.2ce0000.4.unpack Avira: Label: TR/Redcap.ghjpt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1CAFC CryptUnprotectData,LocalAlloc,LocalFree, 0_2_02D1CAFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, 0_2_02D1B15E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 0_2_02D1A632
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1CF58 LocalAlloc,BCryptDecrypt,LocalFree, 0_2_02D1CF58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 0_2_02D1CCB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 0_2_02D1CC54

Exploits

Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252571359.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe PID: 6324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: images.exe PID: 6516, type: MEMORYSTR
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Directory created: C:\Program Files\Microsoft DN1
Source: C:\ProgramData\images.exe Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\ProgramData\images.exe Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: images.exe, images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D2002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 0_2_02D2002B
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040FD34 FindFirstFileExA, 0_2_0040FD34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040FE55 FindFirstFileExA,FindClose, 0_2_0040FE55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1FF27 FindFirstFileW,FindNextFileW, 0_2_02D1FF27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D19DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 0_2_02D19DF6

Networking

Source: Traffic Snort IDS: 2841903 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 23.227.202.157:8080 -> 192.168.2.3:49740
Source: Traffic Snort IDS: 2834979 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin 192.168.2.3:49740 -> 23.227.202.157:8080
Source: Malware configuration extractor URLs: 23.227.202.157
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D127D3 URLDownloadToFileW,ShellExecuteW, 0_2_02D127D3
Source: Joe Sandbox View ASN Name: HVC-ASUS
Source: global traffic TCP traffic: 192.168.2.3:49740 -> 23.227.202.157:8080
Source: powershell.exe, 00000006.00000003.407047557.00000000076DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000003.377239509.00000000075FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.384190535.00000000075FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000006.00000002.409620051.0000000004601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000006.00000002.409298369.00000000044C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.409620051.0000000004601000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: sqlmap.dll.4.dr String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: powershell.exe, 00000001.00000003.342861149.0000000008D06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: images.exe, 00000004.00000002.525619079.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: images.exe, 00000004.00000002.525619079.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1F23D recv,recv, 0_2_02D1F23D
Source: unknown TCP traffic detected without corresponding DNS query: 23.227.202.157

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\ProgramData\images.exe Windows user hook set: 0 keyboard low level C:\ProgramData\images.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D189D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, 0_2_02D189D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices, 0_2_02D1902E

E-Banking Fraud

Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: WMIC.exe, 0000000D.00000002.288337503.000001B74FE00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C:\Windows\System32\Wbem\WMIC.exewmic process call create '"C:\ProgramData:ApplicationData"'wmic process call create '"C:\ProgramData:ApplicationData"'Winsta0\Default
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00415808 0_2_00415808
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00412922 0_2_00412922
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00412480 0_2_00412480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00416D23 0_2_00416D23
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_004156DB 0_2_004156DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040B784 0_2_0040B784
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D21BF8 0_2_02D21BF8
Source: C:\ProgramData\images.exe Code function: 4_3_02F542D0 4_3_02F542D0
Source: C:\ProgramData\images.exe Code function: 4_3_02F91AA0 4_3_02F91AA0
Source: C:\ProgramData\images.exe Code function: 4_3_02F86B50 4_3_02F86B50
Source: C:\ProgramData\images.exe Code function: 4_3_02F45AB0 4_3_02F45AB0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmi.dll
Source: unknown Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
Source: Joe Sandbox View Dropped File: C:\Program Files\Microsoft DN1\sqlmap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000003.252571359.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: String function: 00407FC0 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: String function: 02D20969 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: String function: 02D135E5 appears 40 times
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000000.242916125.0000000000554000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameATLDUCK.DLL> vs SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameATLDUCK.DLL> vs SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Binary or memory string: OriginalFilenameATLDUCK.DLL> vs SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe File created: C:\Users\user\AppData\Local\Microsoft Vision\ Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@18/18@0/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_02D1D49C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00406750 LoadResource,LockResource,SizeofResource, 0_2_00406750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe File created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" "
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe ReversingLabs: Detection: 24%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" "
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create '"C:\ProgramData:ApplicationData"'
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe Jump to behavior
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\ Jump to behavior
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create '"C:\ProgramData:ApplicationData"' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 0_2_02D1F619
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_caqnsxdv.wy2.ps1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D2290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize, 0_2_02D2290F
Source: C:\ProgramData\images.exe Code function: 4_3_02F494E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free, 4_3_02F494E0
Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D220B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_02D220B8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
Source: C:\ProgramData\images.exe File written: C:\Program Files\Microsoft DN1\rdpwrap.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\ProgramData\images.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Directory created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: C:\ProgramData\images.exe Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll Jump to behavior
Source: C:\ProgramData\images.exe Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini Jump to behavior
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: images.exe, images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00408010 push ecx; ret 0_2_00408023
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0041C352 pushad ; retf 0_2_0041C359
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0041D355 push esi; ret 0_2_0041D35E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0041C33A push esp; retf 0_2_0041C351
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D11190 push eax; ret 0_2_02D111A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D11190 push eax; ret 0_2_02D111CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00553B50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00553B50
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1D418 NetUserAdd,NetLocalGroupAddMembers, 0_2_02D1D418
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe File created: C:\ProgramData\images.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe File created: C:\ProgramData:ApplicationData Jump to dropped file
Source: C:\ProgramData\images.exe File created: C:\Program Files\Microsoft DN1\sqlmap.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D127D3 URLDownloadToFileW,ShellExecuteW, 0_2_02D127D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 0_2_02D1A6C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 0_2_02D1AC0A

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start Jump to behavior
Source: C:\ProgramData\images.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters Jump to behavior
Source: C:\Windows\System32\drivers\tsusbhub.sys Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_02D1D508

Hooking and other Techniques for Hiding and Protection

Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: C:\ProgramData\images.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList GEAzbtF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe TID: 6364 Thread sleep count: 59 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6672 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\images.exe TID: 6520 Thread sleep count: 94 > 30
Source: C:\ProgramData\images.exe TID: 6520 Thread sleep time: -75200s >= -30000s
Source: C:\ProgramData\images.exe TID: 6704 Thread sleep count: 59 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6380 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 7112 Thread sleep count: 853 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 7112 Thread sleep time: -10236000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 0_2_02D1DA5B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4887
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1233
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4936
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 702
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 853
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\images.exe Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\wbem\WmiPrvSE.exe File opened: PHYSICALDRIVE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D2002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 0_2_02D2002B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: powershell.exe, 00000001.00000003.378873631.0000000004BFF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp, images.exe, 00000004.00000002.520447296.000000000054A000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: .?AVCRegistryVirtualMachine@ATL@@
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp, images.exe, 00000004.00000002.520447296.000000000054A000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: A.?AVCRegistryVirtualMachine@ATL@@l
Source: powershell.exe, 00000001.00000003.378873631.0000000004BFF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040AAE3 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_0040AAE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040FD34 FindFirstFileExA, 0_2_0040FD34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040FE55 FindFirstFileExA,FindClose, 0_2_0040FE55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1FF27 FindFirstFileW,FindNextFileW, 0_2_02D1FF27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D19DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 0_2_02D19DF6
Source: C:\Windows\System32\drivers\tsusbhub.sys System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00553B50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00553B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040FB09 mov eax, dword ptr fs:[00000030h] 0_2_0040FB09
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040C40E mov eax, dword ptr fs:[00000030h] 0_2_0040C40E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D2094E mov eax, dword ptr fs:[00000030h] 0_2_02D2094E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D20619 mov eax, dword ptr fs:[00000030h] 0_2_02D20619
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D20620 mov eax, dword ptr fs:[00000030h] 0_2_02D20620
Source: C:\Windows\SysWOW64\cmd.exe Code function: 8_2_0326001A mov eax, dword ptr fs:[00000030h] 8_2_0326001A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00407269 IsDebuggerPresent,OutputDebugStringW, 0_2_00407269
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040AAE3 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 0_2_0040AAE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00410931 GetProcessHeap, 0_2_00410931
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\ProgramData\images.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00407F52 SetUnhandledExceptionFilter, 0_2_00407F52
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_004079AA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004079AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00407DBF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00407DBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040A7A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040A7A3

HIPS / PFW / Operating System Protection Evasion

Source: C:\ProgramData\images.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3260000 protect: page execute and read and write
Source: C:\ProgramData\images.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3280000 protect: page read and write
Source: C:\ProgramData\images.exe Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 326010E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\ProgramData\images.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 3260000
Source: C:\ProgramData\images.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 3280000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D179E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 0_2_02D179E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D21FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 0_2_02D21FD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 0_2_02D220B8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create '"C:\ProgramData:ApplicationData"'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 0_2_02D1F56D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D218BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 0_2_02D218BA
Source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00408024 cpuid 0_2_00408024
Source: C:\ProgramData\images.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040826B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0040826B
Source: C:\ProgramData\images.exe Code function: 4_3_02F494E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free, 4_3_02F494E0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Stealing of Sensitive Information

Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\ProgramData\images.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\images.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: POP3 Password 0_2_02D1A29A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: SMTP Password 0_2_02D1A29A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: IMAP Password 0_2_02D1A29A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: \Google\Chrome\User Data\Default\Login Data 0_2_02D1C1B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: \Chromium\User Data\Default\Login Data 0_2_02D1C1B2
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe PID: 6324, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: images.exe PID: 6516, type: MEMORYSTR
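The rows an analyst would turn into detections are the cmd.exe to WMIC.exe launch of an image stored in an NTFS alternate data stream (C:\ProgramData:ApplicationData), the MaxConnectionsPerServer write listed under Lowering of HIPS / PFW / Operating System Security Settings, and the Chrome Login Data and Outlook profile key accesses by images.exe in this section. What follows is an added example, not part of the Joe Sandbox report or of the sample: it runs simple rules over constructed telemetry records. The Event shape, the allow-lists and the sample events are assumptions made for the example; plain Sysmon does not record file or registry opens, so the file_open and registry_open rows assume an EDR or object-access audit source.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One constructed telemetry record (hypothetical shape, not a Sysmon/EDR schema).

    kind   : "process_create" | "registry_set" | "file_open" | "registry_open"
    image  : full path of the process performing the action
    target : command line (process_create), registry path (registry_*) or file path (file_open)
    value  : data written, for registry_set only
    """
    kind: str
    image: str
    target: str
    value: str = ""


# A colon is legal only after the drive letter; a later colon inside a Windows
# path names an NTFS alternate data stream, e.g. C:\ProgramData:ApplicationData.
ADS_PATH = re.compile(r"(?i)\b[a-z]:\\[^:\"'\s]*:[^\\\"'\s]+")
WMIC_CREATE = re.compile(r"(?i)\bwmic(?:\.exe)?\b.*\bprocess\b.*\bcall\b.*\bcreate\b")
MAXCONN_KEY = re.compile(r"(?i)\\Internet Settings\\MaxConnectionsPerServer$")
CHROME_LOGIN_DATA = re.compile(r"(?i)\\(?:Google\\Chrome|Chromium)\\User Data\\[^\\]+\\Login Data$")
OUTLOOK_PROFILE = re.compile(r"(?i)\\Windows Messaging Subsystem\\Profiles\\")

# Allow-lists are assumptions for this example; tune them to the environment.
INTERNET_SETTINGS_WRITERS = {"iexplore.exe", "explorer.exe"}
CHROMIUM_BROWSERS = {"chrome.exe", "chromium.exe"}
MAIL_CLIENTS = {"outlook.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_ads_target(cmdline: str) -> bool:
    """True if the command line references a path carrying an alternate data stream."""
    return ADS_PATH.search(cmdline) is not None


def detect(ev: Event) -> list[str]:
    """Return the names of every rule the event satisfies (empty list if none)."""
    hits: list[str] = []
    actor = basename(ev.image)
    if ev.kind == "process_create" and WMIC_CREATE.search(ev.target):
        hits.append("wmic_process_call_create")
        if has_ads_target(ev.target):
            hits.append("wmic_launch_from_ads")
    elif ev.kind == "registry_set" and MAXCONN_KEY.search(ev.target):
        if actor not in INTERNET_SETTINGS_WRITERS:
            hits.append("internet_settings_maxconn_tamper")
    elif ev.kind == "file_open" and CHROME_LOGIN_DATA.search(ev.target):
        if actor not in CHROMIUM_BROWSERS:
            hits.append("chrome_login_data_access")
    elif ev.kind == "registry_open" and OUTLOOK_PROFILE.search(ev.target):
        if actor not in MAIL_CLIENTS:
            hits.append("outlook_profile_access")
    return hits


def scan(events: list[Event]) -> dict[str, list[str]]:
    """Group triggered rule names by acting image, sorted for stable output."""
    out: dict[str, set[str]] = {}
    for ev in events:
        for rule in detect(ev):
            out.setdefault(ev.image, set()).add(rule)
    return {image: sorted(rules) for image, rules in out.items()}


# Constructed events mirroring the report rows, plus benign controls that must not fire.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\System32\wbem\WMIC.exe",
          r"""wmic process call create '"C:\ProgramData:ApplicationData"'"""),
    Event("registry_set", r"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer", "10"),
    Event("file_open", r"C:\ProgramData\images.exe",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("registry_open", r"C:\ProgramData\images.exe",
          r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    # Benign controls: the browser reading its own store, a plain wmic query, IE writing its own setting.
    Event("file_open", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("process_create", r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    Event("registry_set", r"C:\Program Files\Internet Explorer\iexplore.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer", "10"),
]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(rules)}")
```

Against the constructed records, WMIC.exe fires both the generic wmic process call create rule and the stronger ADS-launch rule, the dropped images.exe fires the Chrome and Outlook credential-access rules, the sample itself fires the MaxConnectionsPerServer rule, and none of the benign controls fire. The ADS rule is the highest-signal of the set: a second colon in a Windows path has no legitimate reason to appear in a wmic create command line.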

Remote Access Functionality

Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\ProgramData\images.exe Code function: 4_3_02F652D0 sqlite3_transfer_bindings, 4_3_02F652D0