Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 753428
MD5: 4ae4a84eba3264c433e0c1b92594c61b
SHA1: bc8ee7fb36f3e3c03638bc5b6bf0bc9dd7cc034b
SHA256: bb531c53e5dc8fcc1fe71ef481253b9d3fa86446e7205e750dc3d6ee5c2a5636
Tags: exe
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Maps a DLL or memory area into another process
Machine Learning detection for sample
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Deletes itself after installation
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged

Classification

AV Detection

barindex
Source: http://host-host-file8.com/ URL Reputation: Label: malware
Source: host-file-host6.com Virustotal: Detection: 19% Perma Link
Source: host-host-file8.com Virustotal: Detection: 17% Perma Link
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\vvtsewb Joe Sandbox ML: detected
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: C:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr
Source: Binary string: cC:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr

Networking

barindex
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
Source: Malware configuration extractor URLs: http://host-file-host6.com/
Source: Malware configuration extractor URLs: http://host-host-file8.com/
Source: Joe Sandbox View ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE
Source: Joe Sandbox View IP Address: 84.21.172.159 84.21.172.159
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dkkgeh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: host-file-host6.com
Source: explorer.exe, 00000001.00000000.333055694.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303883320.000000000091F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dkkgeh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: host-file-host6.com
Source: unknown DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: Yara match File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: vvtsewb, 00000002.00000002.412945082.00000000009CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

barindex
Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000002.00000002.412766859.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.413033982.00000000009D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371129358.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.371011318.00000000006E8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040F025 0_2_0040F025
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004170DC 0_2_004170DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004138E8 0_2_004138E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413E2C 0_2_00413E2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C635 0_2_0040C635
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414370 0_2_00414370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004157C9 0_2_004157C9
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_0040F025 2_2_0040F025
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_004170DC 2_2_004170DC
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_004138E8 2_2_004138E8
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_00413E2C 2_2_00413E2C
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_0040C635 2_2_0040C635
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_00414370 2_2_00414370
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_004157C9 2_2_004157C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040180C Sleep,NtTerminateProcess, 0_2_0040180C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401818 Sleep,NtTerminateProcess, 0_2_00401818
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401822 Sleep,NtTerminateProcess, 0_2_00401822
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401826 Sleep,NtTerminateProcess, 0_2_00401826
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401834 Sleep,NtTerminateProcess, 0_2_00401834
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_0040180C Sleep,NtTerminateProcess, 2_2_0040180C
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_00401818 Sleep,NtTerminateProcess, 2_2_00401818
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_00401822 Sleep,NtTerminateProcess, 2_2_00401822
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_00401826 Sleep,NtTerminateProcess, 2_2_00401826
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_00401834 Sleep,NtTerminateProcess, 2_2_00401834
Source: file.exe Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: vvtsewb.1.dr Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\vvtsewb C:\Users\user\AppData\Roaming\vvtsewb
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vvtsewb Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/2@4/1
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_009DD28E CreateToolhelp32Snapshot,Module32First, 2_2_009DD28E
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr
Source: Binary string: cC:\jec-rexan\xezuwagav-lifesokip\31\wapirucokewe63.pdb source: file.exe, vvtsewb.1.dr

Data Obfuscation

barindex
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vvtsewb Unpacked PE file: 2.2.vvtsewb.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004011D0 push ebx; iretd 0_2_00401217
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004011D7 push ebx; iretd 0_2_00401217
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004011EB push ebx; iretd 0_2_00401217
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B4C1 push ecx; ret 0_2_0040B4D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E1252 push ebx; iretd 0_2_007E127E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E123E push ebx; iretd 0_2_007E127E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E1237 push ebx; iretd 0_2_007E127E
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_004011D0 push ebx; iretd 2_2_00401217
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_004011D7 push ebx; iretd 2_2_00401217
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_004011EB push ebx; iretd 2_2_00401217
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_0040B4C1 push ecx; ret 2_2_0040B4D4
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_009E2DA3 pushad ; iretd 2_2_009E2DA9
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_009DDF19 push ebx; iretd 2_2_009DDF44
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_009DDF04 push ebx; iretd 2_2_009DDF44
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vvtsewb Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vvtsewb Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\vvtsewb:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Windows\explorer.exe TID: 2772 Thread sleep count: 663 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5792 Thread sleep count: 479 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5792 Thread sleep time: -47900s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5820 Thread sleep count: 497 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5820 Thread sleep time: -49700s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3100 Thread sleep count: 577 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5068 Thread sleep count: 413 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5068 Thread sleep time: -41300s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 2372 Thread sleep count: 395 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 2372 Thread sleep time: -39500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 663 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 479 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 497 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 577 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 413 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 395 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: explorer.exe, 00000001.00000000.312651031.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.304766305.00000000043B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.368261187.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000000.312651031.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

barindex
Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E092B mov eax, dword ptr fs:[00000030h] 0_2_007E092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E0D90 mov eax, dword ptr fs:[00000030h] 0_2_007E0D90
Source: C:\Users\user\AppData\Roaming\vvtsewb Code function: 2_2_009DCB6B push dword ptr fs:[00000030h] 2_2_009DCB6B
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\explorer.exe File created: vvtsewb.1.dr Jump to dropped file
Source: C:\Windows\explorer.exe Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe Domain query: host-host-file8.com
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 2901930 Jump to behavior
Source: C:\Users\user\AppData\Roaming\vvtsewb Thread created: unknown EIP: 2971930 Jump to behavior
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.356626269.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.333248976.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.352176966.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.303967708.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.332831091.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.351679837.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.303801289.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

barindex
Source: Yara match File source: 2.2.vvtsewb.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.vvtsewb.7c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.vvtsewb.7b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.7e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.800000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.412803739.00000000007E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.371278858.00000000022A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.412778372.00000000007C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292353244.0000000000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.352581275.0000000002901000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.401198999.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.371194689.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY