Windows Analysis Report
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Overview

General Information

Sample Name: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Analysis ID: 756301
MD5: b9f70f4146b846179fa182ac868d0c15
SHA1: 97cb5de0e0cc2f53cd73552f9d5b4381ab5a5907
SHA256: ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be
Tags: exe, Loki

Detection

GuLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.830075184.0000000000694000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000000.00000002.830514930.00000000030F0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Joe Sandbox ML: detected
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bekvemmeligheder
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb | source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
Source: Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL | source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_00406555 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_0040287E FindFirstFileW,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.829961428.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000000.00000002.830300669.0000000002714000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAsOpenFile.exeL vs REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_004068DA
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_00404CED
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File read: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File created: C:\Users\user\AppData\Local\Folkedansens
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nsuC2DE.tmp
Source: classification engine | Classification label: mal64.troj.evad.winEXE@1/4@0/0
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_00402104 CoCreateInstance,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

Data Obfuscation

Source: Yara match | File source: 00000000.00000002.830514930.00000000030F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.830075184.0000000000694000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_10002DE0 push eax; ret
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File created: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nsgC6C9.tmp\System.dll
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | RDTSC instruction interceptor: First address: 00000000030F165F, second address: 00000000030F165F, instructions:
  0x00000000 rdtsc
  0x00000002 cmp ebx, ecx
  0x00000004 jc 00007FEAF0D8C00Fh
  0x00000006 cmp bh, dh
  0x00000008 cmp ecx, 95C3E464h
  0x0000000e inc ebp
  0x0000000f cld
  0x00000010 inc ebx
  0x00000011 cmp dl, al
  0x00000013 rdtsc
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe | API call chain: ExitProcess graph end node
ATT&CK tactics and techniques listed in the report (number of matched signatures in parentheses):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Native API (1); Scheduled Task/Job; At (Linux)
Persistence: Windows Service (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Access Token Manipulation (1); Windows Service (1); Logon Script (Windows)
Defense Evasion: Masquerading (1); Access Token Manipulation (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel (1); Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data