Windows Analysis Report
plEnknXWQD.exe

Overview

General Information

Sample Name: plEnknXWQD.exe
Original Sample Name: 548ee02a30c2dcca5f3f91e90212ec29.exe
Analysis ID: 829681
MD5: 548ee02a30c2dcca5f3f91e90212ec29
SHA1: cff21359a3498e3f3e8def5c553a626363b49922
SHA256: 3b6171920a1c00a384ac77f88d94b78d960bd317efc531748893edcd579e370e
Tags: exe, RedLineStealer

Detection

Amadey, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Disable Windows Defender real time protection (registry)
Machine Learning detection for sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: plEnknXWQD.exe ReversingLabs: Detection: 66%
Source: plEnknXWQD.exe Virustotal: Detection: 52%
Source: plEnknXWQD.exe Avira: detected
Source: 62.204.41.87/joomla/index.php Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Avira: detection malicious, Label: HEUR/AGEN.1252166
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Virustotal: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe Virustotal: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Virustotal: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe ReversingLabs: Detection: 46%
Source: plEnknXWQD.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe Joe Sandbox ML: detected
Source: 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "193.233.20.30:4125", "Bot Id": "vint", "Authorization Header": "fb8811912f8370b3d23bffda092d88d0"}
Source: 0.3.plEnknXWQD.exe.49d9220.0.unpack Malware Configuration Extractor: Amadey {"C2 url": "62.204.41.87/joomla/index.php", "Version": "3.68"}
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00382F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00382F1D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Code function: 1_2_01062F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 1_2_01062F1D
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Code function: 2_2_00AC2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 2_2_00AC2F1D
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Code function: 3_2_002F2F1D GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 3_2_002F2F1D

Compliance

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Unpacked PE file: 6.2.ns5251Ks.exe.400000.0.unpack
Source: plEnknXWQD.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: plEnknXWQD.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: plEnknXWQD.exe, will3971.exe.2.dr, will6283.exe.0.dr, will3629.exe.1.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: plEnknXWQD.exe, 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp, ry40VI69.exe.0.dr
Source: Binary string: Healer.pdb source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.371166445.0000000007090000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbGCTL source: plEnknXWQD.exe, will3971.exe.2.dr, will6283.exe.0.dr, will3629.exe.1.dr
Source: Binary string: <C:\zarepot\talotoyuy1\guf.pdb source: will3629.exe, 00000002.00000003.308857846.00000000049B0000.00000004.00000020.00020000.00000000.sdmp, py81WM70.exe.2.dr
Source: Binary string: C:\Users\Admin\source\repos\Healer\Healer\obj\Release\Healer.pdb source: will3971.exe, 00000003.00000003.309941661.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, mx8896IL.exe, 00000004.00000000.310427980.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, mx8896IL.exe.3.dr
Source: Binary string: C:\tugiwozexe-hon68\xozutuboreja.pdb source: will3971.exe, 00000003.00000003.309941661.00000000047F1000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000000.335153117.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, ns5251Ks.exe.3.dr
Source: Binary string: _.pdb source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000003.346539295.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369340692.0000000002E81000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\zarepot\talotoyuy1\guf.pdb source: will3629.exe, 00000002.00000003.308857846.00000000049B0000.00000004.00000020.00020000.00000000.sdmp, py81WM70.exe.2.dr
Source: Binary string: Healer.pdbH5 source: ns5251Ks.exe, 00000006.00000003.338894865.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369220126.0000000002D50000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.370344003.0000000004BD1000.00000004.00000800.00020000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.371166445.0000000007090000.00000004.08000000.00040000.00000000.sdmp, ns5251Ks.exe, 00000006.00000002.369448631.0000000004690000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00382390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00382390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Code function: 1_2_01062390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_01062390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Code function: 2_2_00AC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00AC2390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Code function: 3_2_002F2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 3_2_002F2390

Networking

Source: Malware configuration extractor URLs: 62.204.41.87/joomla/index.php
Source: Malware configuration extractor URLs: 193.233.20.30:4125
Source: will6283.exe, 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp, qs5212ER.exe.1.dr String found in binary or memory: https://api.ip.sb/ip
Source: ns5251Ks.exe, 00000006.00000002.369263476.0000000002DFA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 6.2.ns5251Ks.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.ns5251Ks.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.will6283.exe.4deee20.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.will6283.exe.4deee20.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.ns5251Ks.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.ns5251Ks.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.will6283.exe.4deee20.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.will6283.exe.4deee20.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.369287641.0000000002E16000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00381F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00381F90
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Code function: 1_2_01061F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 1_2_01061F90
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Code function: 2_2_00AC1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 2_2_00AC1F90
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Code function: 3_2_002F1F90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 3_2_002F1F90
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00383BA2 0_2_00383BA2
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00385C9E 0_2_00385C9E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Code function: 1_2_01063BA2 1_2_01063BA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Code function: 1_2_01065C9E 1_2_01065C9E
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Code function: 2_2_00AC3BA2 2_2_00AC3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Code function: 2_2_00AC5C9E 2_2_00AC5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Code function: 3_2_002F3BA2 3_2_002F3BA2
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Code function: 3_2_002F5C9E 3_2_002F5C9E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00408C60 6_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_0040DC11 6_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00407C3F 6_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00418CCC 6_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00406CA0 6_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_004028B0 6_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_0041A4BE 6_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00418244 6_2_00418244
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00401650 6_2_00401650
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00402F20 6_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_004193C4 6_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00418788 6_2_00418788
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00402F89 6_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00402B90 6_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_004073A0 6_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_02DC0DB0 6_2_02DC0DB0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: String function: 0040E1D8 appears 44 times
Source: plEnknXWQD.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 907046 bytes, 2 files, at 0x2c +A "will6283.exe" +A "ry40VI69.exe", ID 1992, number 1, 34 datablocks, 0x1503 compression
Source: will6283.exe.0.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 716290 bytes, 2 files, at 0x2c +A "will3629.exe" +A "qs5212ER.exe", ID 1969, number 1, 28 datablocks, 0x1503 compression
Source: will3629.exe.1.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 567826 bytes, 2 files, at 0x2c +A "will3971.exe" +A "py81WM70.exe", ID 1993, number 1, 24 datablocks, 0x1503 compression
Source: will3971.exe.2.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 205746 bytes, 2 files, at 0x2c +A "mx8896IL.exe" +A "ns5251Ks.exe", ID 1957, number 1, 11 datablocks, 0x1503 compression
Source: plEnknXWQD.exe, 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs plEnknXWQD.exe
Source: plEnknXWQD.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs plEnknXWQD.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe 42873B0C5899F64B5F3205A4F3146210CC63152E529C69D6292B037844C81EC4
Source: py81WM70.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ns5251Ks.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: plEnknXWQD.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\plEnknXWQD.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\plEnknXWQD.exe C:\Users\user\Desktop\plEnknXWQD.exe
Source: C:\Users\user\Desktop\plEnknXWQD.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP001.TMP\
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP002.TMP\
Source: C:\Users\user\Desktop\plEnknXWQD.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Process created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Process created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Process created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mx8896IL.exe.log
Source: C:\Users\user\Desktop\plEnknXWQD.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/10@0/0
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_0038597D GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_0038597D
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Code function: 4_2_00007FF9A56C1B10 ChangeServiceConfigA, 4_2_00007FF9A56C1B10
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00384FE0 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, 0_2_00384FE0
Source: C:\Users\user\Desktop\plEnknXWQD.exe Command line argument: Kernel32.dll 0_2_00382BFB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Command line argument: Kernel32.dll 1_2_01062BFB
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Command line argument: Kernel32.dll 2_2_00AC2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Command line argument: Kernel32.dll 3_2_002F2BFB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Command line argument: 08A 6_2_00413780
Source: C:\Users\user\Desktop\plEnknXWQD.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: plEnknXWQD.exe Static file information: File size 1063936 > 1048576
Source: plEnknXWQD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: plEnknXWQD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: plEnknXWQD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: plEnknXWQD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: plEnknXWQD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: plEnknXWQD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Unpacked PE file: 6.2.ns5251Ks.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Unpacked PE file: 6.2.ns5251Ks.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_0038724D push ecx; ret 0_2_00387260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Code function: 1_2_0106724D push ecx; ret 1_2_01067260
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Code function: 2_2_00AC724D push ecx; ret 2_2_00AC7260
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Code function: 3_2_002F724D push ecx; ret 3_2_002F7260
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_0041C40C push cs; iretd 6_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00423149 push eax; ret 6_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_0041C50E push cs; iretd 6_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_004231C8 push eax; ret 6_2_00423179
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_0040E21D push ecx; ret 6_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_0041C6BE push ebx; ret 6_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_02DC454E push ecx; retf 6_2_02DC4554
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_02DC4139 push edi; iretd 6_2_02DC414E
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_02E1BAA3 push edi; retf 6_2_02E1BAA4
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_02E18B58 push FFFFFFE1h; ret 6_2_02E18B67
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_0038202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_0038202A
Source: qs5212ER.exe.1.dr Static PE information: 0xCBA9AC16 [Mon Apr 11 09:21:26 2078 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.842085736950787
Source: initial sample Static PE information: section name: .text entropy: 7.7554731967823
Source: C:\Users\user\Desktop\plEnknXWQD.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe
Source: C:\Users\user\Desktop\plEnknXWQD.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe File created: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe File created: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe File created: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00381AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00381AE8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Code function: 1_2_01061AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 1_2_01061AE8
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Code function: 2_2_00AC1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 2_2_00AC1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Code function: 3_2_002F1AE8 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 3_2_002F1AE8
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe TID: 5576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe TID: 4360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\plEnknXWQD.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP002.TMP\py81WM70.exe
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\plEnknXWQD.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00385467 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00385467
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00382390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00382390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Code function: 1_2_01062390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_01062390
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Code function: 2_2_00AC2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00AC2390
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Code function: 3_2_002F2390 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 3_2_002F2390
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_0038202A memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,GetModuleFileNameA,LocalAlloc,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree, 0_2_0038202A
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_0040ADB0 GetProcessHeap,HeapFree, 6_2_0040ADB0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_02E17043 push dword ptr fs:[00000030h] 6_2_02E17043
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00386F40 SetUnhandledExceptionFilter, 0_2_00386F40
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00386CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00386CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Code function: 1_2_01066F40 SetUnhandledExceptionFilter, 1_2_01066F40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\will6283.exe Code function: 1_2_01066CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_01066CF0
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Code function: 2_2_00AC6F40 SetUnhandledExceptionFilter, 2_2_00AC6F40
Source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\will3629.exe Code function: 2_2_00AC6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00AC6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Code function: 3_2_002F6F40 SetUnhandledExceptionFilter, 3_2_002F6F40
Source: C:\Users\user\AppData\Local\Temp\IXP002.TMP\will3971.exe Code function: 3_2_002F6CF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_002F6CF0
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: 6_2_004123F1 SetUnhandledExceptionFilter, 6_2_004123F1
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_003818A3 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 0_2_003818A3
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Code function: GetLocaleInfoA, 6_2_00417A20
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\ns5251Ks.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00387155 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00387155
Source: C:\Users\user\Desktop\plEnknXWQD.exe Code function: 0_2_00382BFB GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, 0_2_00382BFB
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Code function: 4_2_00007FF9A56C077D GetUserNameA, 4_2_00007FF9A56C077D

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1
Source: C:\Users\user\AppData\Local\Temp\IXP003.TMP\mx8896IL.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Stealing of Sensitive Information

Source: Yara match File source: 6.2.ns5251Ks.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ns5251Ks.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.will6283.exe.4deee20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.will6283.exe.4deee20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, type: DROPPED
Source: Yara match File source: 0.3.plEnknXWQD.exe.49d9220.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.plEnknXWQD.exe.49d9220.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.307182274.0000000004904000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\ry40VI69.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 6.2.ns5251Ks.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ns5251Ks.exe.2c20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ns5251Ks.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.will6283.exe.4deee20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.ns5251Ks.exe.2bf0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.will6283.exe.4deee20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.368689660.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.368971043.0000000002BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.336833965.0000000002C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.308015550.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\IXP001.TMP\qs5212ER.exe, type: DROPPED
No contacted IP infos