Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Ou0ZT4968y.exe

Overview

General Information

Sample Name:Ou0ZT4968y.exe
Analysis ID:753418
MD5:27b75158dcfeba6b3419bdbb15397584
SHA1:8a135c4fc3fa7e06bf29537f9cb0298cc2f1c1de
SHA256:a6ffd97ca5d47f2251a53ccd3ab891a9fec5b7d0f316b4c11e7d88f19765b1b4
Tags:32exetrojan
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Allocates memory in foreign processes
Tries to harvest and steal browser information (history, passwords, etc)
Injects a PE file into a foreign processes
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Ou0ZT4968y.exe (PID: 1308 cmdline: C:\Users\user\Desktop\Ou0ZT4968y.exe MD5: 27B75158DCFEBA6B3419BDBB15397584)
    • conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vbc.exe (PID: 60 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • WerFault.exe (PID: 4972 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: Ou0ZT4968y.exeVirustotal: Detection: 34%Perma Link
Source: Ou0ZT4968y.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Ou0ZT4968y.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: Set-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: tVSet-CookieCookie:www.youtube.comLOGIN_INFOstudio.youtube.com\u003d=%3DPAGE_CLINNERTUBE_API_KEYPAGE_BUILD_LABELINNERTUBE_CONTEXT_CLIENT_NAMEINNERTUBE_CONTEXT_CLIENT_VERSIONINNERTUBE_CONTEXT_SERIALIZED_DELEGATION_CONTEXTINNERTUBE_CONTEXT_GLINNERTUBE_CONTEXT_HLproductVersionVISITOR_DATAXSRF_TOKENCHANNEL_ID equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exeString found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://ocsp.sectigo.com0
Source: Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Ou0ZT4968y.exe, 00000000.00000000.330263752.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://sectigo.com/CPS0
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://studio.youtube.com
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://studio.youtube.com/reauth
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://studio.youtube.comSAPISIDHASH
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmpString found in binary or memory: https://studio.youtube.comX-Originapplication/jsonContent-TypesessionTokenctx
Source: Ou0ZT4968y.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B24140_2_009B2414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B510A0_2_009B510A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B35CB0_2_009B35CB
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B510F0_2_009B510F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B1E2E0_2_009B1E2E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B22700_2_009B2270
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B33A50_2_009B33A5
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B278E0_2_009B278E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B5ECF0_2_009B5ECF
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B5F740_2_009B5F74
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_00A31D690_2_00A31D69
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B1E1A0_2_009B1E1A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B1A730_2_009B1A73
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B11540_2_009B1154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B11540_2_009B1154
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B2DBA0_2_009B2DBA
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B33780_2_009B3378
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B4C0F0_2_009B4C0F
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B13AC0_2_009B13AC
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B25A40_2_009B25A4
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B2EA00_2_009B2EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B44620_2_009B4462
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B2EA00_2_009B2EA0
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B24140_2_009B2414
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B28380_2_009B2838
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: String function: 009B2F36 appears 93 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: String function: 009B21BC appears 45 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: String function: 009B4FC0 appears 70 times
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: String function: 00A2BD8D appears 31 times
Source: Ou0ZT4968y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0x100 address: 0x0
Source: Ou0ZT4968y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE size: 0x100 address: 0x0
Source: Ou0ZT4968y.exeVirustotal: Detection: 34%
Source: Ou0ZT4968y.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\Ou0ZT4968y.exe C:\Users\user\Desktop\Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeMutant created: \Sessions\1\BaseNamedObjects\DmAaAaAa__shmem3_winpthreads_tdm_
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeMutant created: \Sessions\1\BaseNamedObjects\DmAaAaAa__eh_shmem3_gcc_tdm_
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBFE.tmpJump to behavior
Source: classification engineClassification label: mal64.spyw.evad.winEXE@5/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Ou0ZT4968y.exe, Ou0ZT4968y.exe, 00000000.00000003.327858560.000000000163F000.00000040.00001000.00020000.00000000.sdmp, Ou0ZT4968y.exe, 00000000.00000000.329876831.0000000000A6A000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Ou0ZT4968y.exeStatic file information: File size 3838464 > 1048576
Source: Ou0ZT4968y.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x2e8000
Source: Ou0ZT4968y.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Ou0ZT4968y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \Downloads\Documents\3pqvu\outpu2.pdb source: Ou0ZT4968y.exe
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B2158 push ecx; ret 0_2_009E86D3
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009E71C7 push ecx; ret 0_2_009E71DA
Source: Ou0ZT4968y.exeStatic PE information: section name: .00cfg
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009C0C7A LoadLibraryA,LoadLibraryA,GetProcAddress,0_2_009C0C7A
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeAPI coverage: 3.6 %
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009B384B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B302B mov eax, dword ptr fs:[00000030h]0_2_009B302B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B4827 mov eax, dword ptr fs:[00000030h]0_2_009B4827
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B1A64 mov eax, dword ptr fs:[00000030h]0_2_009B1A64
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_00A22752 mov eax, dword ptr fs:[00000030h]0_2_00A22752
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009C0C7A LoadLibraryA,LoadLibraryA,GetProcAddress,0_2_009C0C7A
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B5D94 GetProcessHeap,0_2_009B5D94
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009C0375 LdrInitializeThunk,0_2_009C0375
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B384B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009B384B
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009B579A SetUnhandledExceptionFilter,0_2_009B579A

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4955008Jump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A00000 value starts with: 4D5AJump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeJump to behavior
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: GetLocaleInfoW,0_2_009B282E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: GetLocaleInfoW,0_2_009B282E
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: GetLocaleInfoEx,0_2_009E6A66
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_009B3431
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: EnumSystemLocalesW,0_2_00A2B629
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009E86D9 cpuid 0_2_009E86D9
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_00A34A53 GetTimeZoneInformation,0_2_00A34A53
Source: C:\Users\user\Desktop\Ou0ZT4968y.exeCode function: 0_2_009E8204 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_009E8204

Stealing of Sensitive Information

barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts1
Native API
Path Interception311
Process Injection
1
Virtualization/Sandbox Evasion
1
OS Credential Dumping
2
System Time Discovery
Remote Services1
Archive Collected Data
Exfiltration Over Other Network Medium1
Encrypted Channel
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts311
Process Injection
LSASS Memory3
Security Software Discovery
Remote Desktop Protocol1
Data from Local System
Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
Deobfuscate/Decode Files or Information
Security Account Manager1
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)2
Obfuscated Files or Information
NTDS1
Remote System Discovery
Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets22
System Information Discovery
SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 753418 Sample: Ou0ZT4968y.exe Startdate: 24/11/2022 Architecture: WINDOWS Score: 64 19 Multi AV Scanner detection for submitted file 2->19 6 Ou0ZT4968y.exe 1 2->6         started        process3 signatures4 21 Writes to foreign memory regions 6->21 23 Allocates memory in foreign processes 6->23 25 Injects a PE file into a foreign processes 6->25 9 vbc.exe 6->9         started        12 WerFault.exe 23 9 6->12         started        15 conhost.exe 6->15         started        process5 file6 27 Tries to harvest and steal browser information (history, passwords, etc) 9->27 17