Windows Analysis Report
zwM7Oe2e1l

Overview

General Information

Sample Name: zwM7Oe2e1l (renamed file extension from none to exe)
Analysis ID: 679156
MD5: f1ab9ed37b68ace769dccaa693f162e0
SHA1: 4fc5eea47502e6ebf089910be10790614c4d4b54
SHA256: b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a
Tags: exe, WoodyRAT

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Snort IDS alert for network traffic
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)

Classification

AV Detection

Source: zwM7Oe2e1l.exe Avira: detected
Source: zwM7Oe2e1l.exe Virustotal: Detection: 59% Perma Link
Source: zwM7Oe2e1l.exe Metadefender: Detection: 14% Perma Link
Source: zwM7Oe2e1l.exe ReversingLabs: Detection: 61%
Source: zwM7Oe2e1l.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\hep2\build\c#\dll\WoodyPowerSession.pdb source: zwM7Oe2e1l.exe
Source: Binary string: C:\hep2\build\cpp\x64\bin\WoodyNode.pdb@ source: zwM7Oe2e1l.exe
Source: Binary string: C:\hep2\build\c#\dll\WoodySharpExecutor.pdb source: zwM7Oe2e1l.exe
Source: Binary string: C:\hep2\build\cpp\x64\bin\WoodyNode.pdb source: zwM7Oe2e1l.exe

Networking

Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:55201 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:59293 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:58723 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:51971 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:56591 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:60350 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:51748 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:61116 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:50958 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:61607 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:56550 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:52858 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:59871 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:51194 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:54015 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:58689 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:53049 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:63104 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:65367 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:57669 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:55788 -> 8.8.8.8:53
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: zwM7Oe2e1l.exe, 00000002.00000003.504283286.000001F180265000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.504433768.000001F180285000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584696071.000001F180285000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000002.627384501.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.530200851.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.557947549.000001F180277000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476972337.000001F180283000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.530234039.000001F180277000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476900660.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.449641977.000001F180283000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584591844.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000002.627482009.000001F18027B000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.557786417.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.449602137.000001F180260000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.399547079.000001F180280000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.422978366.000001F180281000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.504420886.000001F18027C000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584630455.000001F180277000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/
Source: zwM7Oe2e1l.exe, 00000002.00000003.584696071.000001F180285000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584630455.000001F180277000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/d
Source: zwM7Oe2e1l.exe, 00000002.00000003.504433768.000001F180285000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476972337.000001F180283000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.530234039.000001F180277000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.504420886.000001F18027C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/e
Source: zwM7Oe2e1l.exe, 00000002.00000003.557772748.000001F180261000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.530234039.000001F180277000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.504276141.000001F180261000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476801924.000001F180237000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.530110478.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476883519.000001F180261000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.449653886.000001F18027F000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584585700.000001F180261000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000002.627247814.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.530193276.000001F180260000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.449602137.000001F180260000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.449519735.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.399547079.000001F180280000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.422978366.000001F180281000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.504027968.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584550699.000001F180237000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476964147.000001F18027B000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.449633913.000001F18027B000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000002.627020793.000001F1801EB000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.504420886.000001F18027C000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584630455.000001F180277000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/knock
Source: zwM7Oe2e1l.exe, 00000002.00000003.584585700.000001F180261000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/knock)0O
Source: zwM7Oe2e1l.exe, 00000002.00000003.449653886.000001F18027F000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.449633913.000001F18027B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/knock?.
Source: zwM7Oe2e1l.exe, 00000002.00000002.627362850.000001F180260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/knockC3
Source: zwM7Oe2e1l.exe, 00000002.00000002.627247814.000001F180235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/knockKkz
Source: zwM7Oe2e1l.exe, 00000002.00000003.422978366.000001F180281000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/knockq
Source: zwM7Oe2e1l.exe, 00000002.00000003.504420886.000001F18027C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/knockr
Source: zwM7Oe2e1l.exe, 00000002.00000003.557540751.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584696071.000001F180285000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.557947549.000001F180277000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476801924.000001F180237000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.530110478.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000002.627247814.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.449519735.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.504027968.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584550699.000001F180237000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584630455.000001F180277000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru/m
Source: zwM7Oe2e1l.exe, 00000002.00000003.449602137.000001F180260000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476939167.000001F180268000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.504317321.000001F180268000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584598044.000001F180268000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.530208861.000001F180268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fns77.ru:443/knockxGO6
Source: zwM7Oe2e1l.exe, 00000002.00000003.364691804.000001F180245000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000002.627020793.000001F1801EB000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.369036380.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.370920493.000001F180275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/
Source: zwM7Oe2e1l.exe, 00000002.00000003.367111100.000001F180247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/6
Source: zwM7Oe2e1l.exe, 00000002.00000003.367111100.000001F180247000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.369408265.000001F180247000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.366618138.000001F180247000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.370201861.000001F180247000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.371162191.000001F180247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/Y
Source: zwM7Oe2e1l.exe, 00000002.00000003.369408265.000001F180247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/ck
Source: zwM7Oe2e1l.exe, 00000002.00000003.365233268.000001F180247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/ckW
Source: zwM7Oe2e1l.exe, 00000002.00000003.366094915.000001F180247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/ckZ
Source: zwM7Oe2e1l.exe, 00000002.00000003.367781850.000001F180247000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.371141170.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.365233268.000001F180247000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.366085455.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.363930144.000001F180242000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.370610227.000001F180278000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.365226384.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.370146613.000001F180278000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.367767742.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.366094915.000001F180247000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.370181710.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.369088197.000001F180278000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.368622773.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.367097339.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.370920493.000001F180275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/knock
Source: zwM7Oe2e1l.exe, 00000002.00000003.365226384.000001F180235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/knock#f1
Source: zwM7Oe2e1l.exe, 00000002.00000003.371379761.000001F180275000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.370920493.000001F180275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/knock%)
Source: zwM7Oe2e1l.exe, 00000002.00000003.364275197.000001F180242000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/knockW
Source: zwM7Oe2e1l.exe, 00000002.00000003.364275197.000001F180242000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/knockZ
Source: zwM7Oe2e1l.exe, 00000002.00000003.368713421.000001F180247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/knockc
Source: zwM7Oe2e1l.exe, 00000002.00000003.369394137.000001F180235000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.367767742.000001F180235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/knockd
Source: zwM7Oe2e1l.exe, 00000002.00000003.366085455.000001F180235000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/knocke
Source: zwM7Oe2e1l.exe, 00000002.00000003.369320038.000001F180278000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.369901342.000001F180278000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.370610227.000001F180278000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.370146613.000001F180278000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.370920493.000001F180275000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/knocks)
Source: zwM7Oe2e1l.exe, 00000002.00000002.627020793.000001F1801EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/l
Source: zwM7Oe2e1l.exe, 00000002.00000003.369408265.000001F180247000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.368713421.000001F180247000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/r
Source: zwM7Oe2e1l.exe, 00000002.00000003.363930144.000001F180242000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.364275197.000001F180242000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.364691804.000001F180245000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru/x
Source: zwM7Oe2e1l.exe, 00000002.00000003.366020901.000001F180265000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.366905937.000001F180268000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.366530703.000001F180265000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://microsoft-ru-data.ru:443/knock
Source: zwM7Oe2e1l.exe, 00000002.00000003.449602137.000001F180260000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476939167.000001F180268000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.504317321.000001F180268000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584598044.000001F180268000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.530208861.000001F180268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mis77.ru/
Source: unknown DNS traffic detected: queries for: microsoft-ru-data.ru
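The Snort alerts and the URL strings carved from process memory above are the actionable part of this report. The Python below is an example added by the editor; it is not code from the sandbox, from Joe Security or from Woody RAT. It pulls the C2 domains and the file hashes out of a few of the report lines (copied verbatim, with the long memory-region lists shortened to a `<sdmp>` placeholder), ranks the garbage-tailed URL variants (`/knockC3`, `/knockxGO6`) to recover the likely real endpoint, and then runs the domain list over a constructed DNS query log. The log lines and their format are made up for the example; the domains, hashes and URLs are the report's own.

```python
"""IOC extraction from the Joe Sandbox lines above, then a DNS-log check.
Added example by the editor; not part of the sandbox report or of Woody RAT."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: report lines copied from above, memory-region lists replaced by <sdmp>.
REPORT_LINES = [
    "MD5: f1ab9ed37b68ace769dccaa693f162e0",
    "SHA256: b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a",
    "Source: Traffic Snort IDS: 2037937 ET TROJAN Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup 192.168.2.6:55201 -> 8.8.8.8:53",
    "Source: Traffic Snort IDS: 2037938 ET TROJAN Woody RAT CnC Domain (fns77 .ru) in DNS Lookup 192.168.2.6:52858 -> 8.8.8.8:53",
    "Source: zwM7Oe2e1l.exe, <sdmp> String found in binary or memory: https://fns77.ru/",
    "Source: zwM7Oe2e1l.exe, <sdmp> String found in binary or memory: https://fns77.ru/knock",
    "Source: zwM7Oe2e1l.exe, <sdmp> String found in binary or memory: https://fns77.ru/knockC3",
    "Source: zwM7Oe2e1l.exe, <sdmp> String found in binary or memory: https://fns77.ru/knock?.",
    "Source: zwM7Oe2e1l.exe, <sdmp> String found in binary or memory: https://fns77.ru:443/knockxGO6",
    "Source: zwM7Oe2e1l.exe, <sdmp> String found in binary or memory: https://microsoft-ru-data.ru/",
    "Source: zwM7Oe2e1l.exe, <sdmp> String found in binary or memory: https://microsoft-ru-data.ru/knock",
    "Source: zwM7Oe2e1l.exe, <sdmp> String found in binary or memory: https://microsoft-ru-data.ru/knockW",
    "Source: zwM7Oe2e1l.exe, <sdmp> String found in binary or memory: https://mis77.ru/",
]

HASH = re.compile(r"^(MD5|SHA1|SHA256): ([0-9a-f]+)$")
# ET signatures print the domain with a space before the TLD ("fns77 .ru") to avoid
# the message itself being treated as a clickable/resolvable name; rejoin it.
SNORT_DOMAIN = re.compile(r"CnC Domain \(([^)]+)\) in DNS Lookup")
MEM_URL = re.compile(r"String found in binary or memory: (https?://\S+)")


def file_hashes(lines):
    return {m.group(1): m.group(2) for m in map(HASH.match, lines) if m}


def snort_domains(lines):
    return {m.group(1).replace(" ", "") for m in map(SNORT_DOMAIN.search, lines) if m}


def memory_urls(lines):
    """Raw URL strings exactly as the sandbox carved them from process memory."""
    return [m.group(1) for m in map(MEM_URL.search, lines) if m]


def c2_hosts(lines):
    """Union of the Snort domains and the hosts of the carved URLs (port dropped)."""
    return snort_domains(lines) | {urlsplit(u).hostname for u in memory_urls(lines)}


def canonical_paths(lines):
    """Carved strings often end in a few bytes of neighbouring heap data.
    Rank each (host, path) by how many *other* carved strings for the same host
    start with it: the real endpoint gathers support, a garbage tail gathers none.
    urlsplit() already strips the '?.' and '#..' tails into query/fragment."""
    parts = [(urlsplit(u).hostname, urlsplit(u).path) for u in memory_urls(lines)]
    support = Counter()
    for host, path in set(parts):
        n = sum(1 for h, p in parts if h == host and p.startswith(path)) - 1  # minus self
        support[(host, path)] = n
    return support


# Constructed DNS query log in a made-up "time client qtype qname" format.
DNS_LOG = [
    "10:00:01 192.168.2.6 A microsoft-ru-data.ru",
    "10:00:02 192.168.2.6 A www.microsoft.com",
    "10:02:30 192.168.2.6 A fns77.ru",
    "10:03:00 192.168.2.7 A api.fns77.ru",
    "10:03:10 192.168.2.7 A notfns77.ru",
]


def match_dns(log_lines, hosts):
    """Flag a query for a C2 domain or any label under it; 'notfns77.ru' must not match."""
    hits = []
    for line in log_lines:
        time, client, _qtype, qname = line.split()
        qname = qname.rstrip(".").lower()
        for h in hosts:
            if qname == h or qname.endswith("." + h):
                hits.append((client, qname, h))
                break
    return hits


if __name__ == "__main__":
    print(file_hashes(REPORT_LINES))
    print(sorted(c2_hosts(REPORT_LINES)))
    for key, n in canonical_paths(REPORT_LINES).most_common():
        print(f"{key[0]}{key[1]}  support={n}")
    for hit in match_dns(DNS_LOG, c2_hosts(REPORT_LINES)):
        print("DNS hit:", hit)
```

The path ranking is a heuristic, not a decoder: a truncated fragment such as the `/ck` variants listed for microsoft-ru-data.ru (almost certainly the tail of `knock`) would also collect support from `/ckW` and `/ckZ`, so treat the ranked list as a review aid. The DNS check is deliberately suffix-aware because blocking only the exact apex would miss queries for labels under the registered domain.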
Source: zwM7Oe2e1l.exe, 00000002.00000000.362317260.00007FF7C400B000.00000008.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameWoodySharpExecutor.dllF vs zwM7Oe2e1l.exe
Source: zwM7Oe2e1l.exe, 00000002.00000000.362317260.00007FF7C400B000.00000008.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameWoodyPowerSession.dllD vs zwM7Oe2e1l.exe
Source: zwM7Oe2e1l.exe, 00000002.00000002.627759857.00007FF7C400F000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameWoodyPowerSession.dllD vs zwM7Oe2e1l.exe
Source: zwM7Oe2e1l.exe Binary or memory string: OriginalFilenameWoodySharpExecutor.dllF vs zwM7Oe2e1l.exe
Source: zwM7Oe2e1l.exe Binary or memory string: OriginalFilenameWoodyPowerSession.dllD vs zwM7Oe2e1l.exe
Source: zwM7Oe2e1l.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zwM7Oe2e1l.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zwM7Oe2e1l.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zwM7Oe2e1l.exe Virustotal: Detection: 59%
Source: zwM7Oe2e1l.exe Metadefender: Detection: 14%
Source: zwM7Oe2e1l.exe ReversingLabs: Detection: 61%
Source: zwM7Oe2e1l.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: zwM7Oe2e1l.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: classification engine Classification label: mal72.winEXE@1/0@21/2
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: zwM7Oe2e1l.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: zwM7Oe2e1l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: zwM7Oe2e1l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: zwM7Oe2e1l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: zwM7Oe2e1l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: zwM7Oe2e1l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: zwM7Oe2e1l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: zwM7Oe2e1l.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: zwM7Oe2e1l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\hep2\build\c#\dll\WoodyPowerSession.pdb source: zwM7Oe2e1l.exe
Source: Binary string: C:\hep2\build\cpp\x64\bin\WoodyNode.pdb@ source: zwM7Oe2e1l.exe
Source: Binary string: C:\hep2\build\c#\dll\WoodySharpExecutor.pdb source: zwM7Oe2e1l.exe
Source: Binary string: C:\hep2\build\cpp\x64\bin\WoodyNode.pdb source: zwM7Oe2e1l.exe
Source: zwM7Oe2e1l.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: zwM7Oe2e1l.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: zwM7Oe2e1l.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: zwM7Oe2e1l.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: zwM7Oe2e1l.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: zwM7Oe2e1l.exe Static PE information: section name: _RDATA
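The version-info and PDB lines above are what the report's "Sample file is different than original file name gathered from version info" signature rests on: OriginalFilename says WoodySharpExecutor.dll and WoodyPowerSession.dll, while the PDB paths name a native WoodyNode build plus two C# DLLs under the same C:\hep2\build tree. The stray "F", "D" and "@" on the ends of those strings are most likely the first byte of the adjacent structure picked up by the sandbox's string scanner, not part of the names. The Python below is an example added by the editor, not the sandbox's or the malware author's code: it reads CodeView RSDS records and VS_VERSION_INFO String entries straight from bytes, so it works on a file or a memory dump without pefile, and it flags the name mismatch. The byte blob it runs on is constructed here from the report's own strings; the GUID, age, layout and the helper names are made up.

```python
"""Byte-level triage of PDB paths and OriginalFilename, then a name-mismatch check.
Added example by the editor; the sample blob is constructed, not the real binary."""
import struct


def rsds_pdb_paths(blob: bytes):
    """CodeView 7 record: b'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path."""
    paths = []
    pos = blob.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4
        end = blob.find(b"\x00", start)
        if end != -1 and blob[start:end].lower().endswith(b".pdb"):  # sanity filter
            paths.append(blob[start:end].decode("latin-1"))
        pos = blob.find(b"RSDS", pos + 4)
    return paths


def version_strings(blob: bytes, key: str):
    """StringTable 'String' entry: wLength, wValueLength (words), wType (1 = text),
    szKey as UTF-16LE with NUL, padding to a 4-byte boundary, then the value.
    The padding is why a naive string dump prints the key and value run together."""
    needle = key.encode("utf-16-le") + b"\x00\x00"
    values = []
    pos = blob.find(needle)
    while pos != -1:
        if pos >= 6:
            _wlen, wvalue, wtype = struct.unpack_from("<HHH", blob, pos - 6)
            p = pos + len(needle)
            while p + 1 < len(blob) and blob[p:p + 2] == b"\x00\x00":
                p += 2  # skip alignment padding
            if wtype == 1 and wvalue:
                raw = blob[p:p + 2 * wvalue].decode("utf-16-le", "replace")
                values.append(raw.rstrip("\x00"))
        pos = blob.find(needle, pos + 2)
    return values


def identity_mismatch(sample_name: str, original_names) -> bool:
    """True when no OriginalFilename stem matches the on-disk name."""
    stem = sample_name.rsplit(".", 1)[0].lower()
    return not any(n.rsplit(".", 1)[0].lower() == stem for n in original_names)


# --- constructed sample blob (made-up GUID/age/ordering, report's own strings) ---
def _rsds(path: str) -> bytes:
    return b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + path.encode() + b"\x00"


def _vs_string(key: str, value: str) -> bytes:
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00\x00" if (6 + len(k)) % 4 else b""
    body = k + pad + v
    return struct.pack("<HHH", 6 + len(body), len(v) // 2, 1) + body


SAMPLE_BLOB = (
    b"MZ" + b"\x90" * 64
    + _rsds("C:\\hep2\\build\\cpp\\x64\\bin\\WoodyNode.pdb")
    + b"\xcc" * 16
    + _rsds("C:\\hep2\\build\\c#\\dll\\WoodySharpExecutor.pdb")
    + b"\x00" * 8
    + _vs_string("OriginalFilename", "WoodySharpExecutor.dll")
    + _vs_string("OriginalFilename", "WoodyPowerSession.dll")
)


if __name__ == "__main__":
    names = version_strings(SAMPLE_BLOB, "OriginalFilename")
    print("PDB paths:", rsds_pdb_paths(SAMPLE_BLOB))
    print("OriginalFilename:", names)
    print("name mismatch for zwM7Oe2e1l.exe:", identity_mismatch("zwM7Oe2e1l.exe", names))
```

On a real file, pass the whole image (or the dumped process memory) as `blob`; scanning bytes rather than walking the resource tree is what lets the same code find the embedded DLLs' version info inside the host executable. A mismatch on its own is only a hint, since legitimate installers and packers trip it too; here it lines up with the PDB paths and the C2 traffic.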

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon1069.png
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe TID: 1072 Thread sleep time: -1200000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe TID: 5764 Thread sleep time: -390000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: zwM7Oe2e1l.exe, 00000002.00000003.422943147.000001F180299000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000002.627564287.000001F180298000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584421261.000001F18029A000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476693285.000001F180299000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.557214968.000001F18029A000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.396709540.000001F180292000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWm
Source: zwM7Oe2e1l.exe, 00000002.00000002.627384501.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.530200851.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.476900660.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.584591844.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.557786417.000001F180264000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000003.449602137.000001F180260000.00000004.00000020.00020000.00000000.sdmp, zwM7Oe2e1l.exe, 00000002.00000002.627020793.000001F1801EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\zwM7Oe2e1l.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior