Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 882700
MD5: daf761fb9aaa34a9c2120003694d88a3
SHA1: 47fd2695b6da26f6444799d442662b982d70f783
SHA256: 18d4850a10812f3b4d8631939d469b41c1d344a7fa9205acc31b265d0600291b
Tags: NET, exe, LgoogLoader, MSIL, x64

Detection

lgoogLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected lgoogLoader
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sample is not signed and drops a device driver
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Contains functionality to load drivers
PE file does not import any functions
Sample file is different than original file name gathered from version info
Enables driver privileges
Drops PE files
Creates driver files
Contains functionality to launch a program with higher privileges
Spawns drivers
Found evaded block containing many API calls
Creates or modifies windows services
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Name: LgoogLoader
Description: LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lgoogloader

AV Detection

Source: file.exe ReversingLabs: Detection: 45%
Source: file.exe Virustotal: Detection: 56%
Source: http://5.42.94.169/customer/368 Avira URL Cloud: Label: malware
Source: http://109.206.241.33/files/Hadi.config.CfgEncFileMZ Avira URL Cloud: Label: malware
Source: http://5.42.94.169 Virustotal: Detection: 7%
Source: http://5.42.94.169/customer/368 Virustotal: Detection: 8%
Source: file.exe Joe Sandbox ML: detected

Exploits

Source: Yara match File source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6988, type: MEMORYSTR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Purala\source\repos\Particle-Filter\obj\x86\Debug\FastSLAM.pdb source: file.exe
Source: Binary string: c:\src\ShellRunas\Release\ShellRunas.pdb source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: <c:\src\ShellRunas\Release\ShellRunas.pdb source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, ?????.sys.0.dr
Source: global traffic HTTP traffic detected: GET /customer/368 HTTP/1.1 Host: 5.42.94.169 Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 5.42.94.169
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.94.169
Source: jsc.exe, 00000002.00000002.492997621.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.493023944.0000000000E66000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://109.206.241.33/files/Hadi.config.CfgEncFileMZ
Source: file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.42.94.169
Source: file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://5.42.94.169/customer/368
Source: file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jsc.exe String found in binary or memory: http://www.sysinternals.com
Source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, ?????.sys.0.dr String found in binary or memory: https://www.sysinternals.com0

System Summary

Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000002.00000002.492960569.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth (Nextron Systems), description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Source: C:\Users\user\AppData\Local\Temp\?????.sys, type: DROPPED Matched rule: PUA_VULN_Driver_Sysinternalswwwsysinternalscom_procexpsys_ProcessExplorer_HoEP date = 2023-05-19, author = Florian Roth, description = Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 97e3a44ec4ae58c8cc38eefc613e950e.bin, score = , reference = https://github.com/magicsword-io/LOLDrivers, hash = 440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFC9CFAA577 0_2_00007FFC9CFAA577
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFC9CF90E58 0_2_00007FFC9CF90E58
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFC9CFA1208 0_2_00007FFC9CFA1208
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFC9CF96A17 0_2_00007FFC9CF96A17
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFC9CFA3AF5 0_2_00007FFC9CFA3AF5
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_00404AF0 2_2_00404AF0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_004084B7 2_2_004084B7
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_00402050 _memset,_memset,_memset,_memset,_memset,__wcsicmp,__wcsicmp,__wcsicmp,SetEnvironmentVariableW,_memset,_wcscpy_s,_wcscat_s,CreateProcessW,GetLastError,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,_wcscpy_s,_memset,_memset,_memset,CreateProcessWithLogonW,GetLastError,EnumWindows,Sleep,Sleep,EnumWindows,CloseHandle,CloseHandle,CloseHandle,LoadIconW,LoadIconW,LoadIconW,LoadCursorW,RegisterClassExW,CreateDialogParamW,GetMessageW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetMessageW,LocalFree, 2_2_00402050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFC9CFA5870 NtLoadDriver, 0_2_00007FFC9CFA5870
Source: file.exe Static PE information: No import functions for PE file found
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprocexp.SysB vs file.exe
Source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameShellRunasP vs file.exe
Source: file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameShellRunasP vs file.exe
Source: file.exe, 00000000.00000002.495389743.000001F6D7771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs file.exe
Source: file.exe, 00000000.00000002.493612039.000001F6C5C50000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs file.exe
Source: file.exe, 00000000.00000002.493115383.000001F6C58BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameeroxipe4 vs file.exe
Source: file.exe, 00000000.00000002.493218018.000001F6C5AF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameeroxipe4 vs file.exe
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\?????.sys
Source: C:\Users\user\Desktop\file.exe Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\TaskKill
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\?????.sys 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C
Source: file.exe ReversingLabs: Detection: 45%
Source: file.exe Virustotal: Detection: 56%
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFC9CFA58C4 AdjustTokenPrivileges, 0_2_00007FFC9CFA58C4
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
Source: ?????.sys.0.dr Binary string: \DosDevices\PROCEXP152\ObjectTypes\\Device\PROCEXP152PsAcquireProcessExitSynchronizationPsReleaseProcessExitSynchronizationMmGetMaximumNonPagedPoolInBytesObGetObjectTypeMutantIoCreateDeviceSecureIoValidateDeviceIoControlAccessD:P
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@5/2@0/1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_004029C0 _memset,_memset,SHGetMalloc,SHGetDesktopFolder,SearchPathW,GetLastError,CoInitialize,CoCreateInstance,#217,#173,CoUninitialize, 2_2_004029C0
Source: C:\Users\user\Desktop\file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: file.exe, ????????/?????????.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Purala\source\repos\Particle-Filter\obj\x86\Debug\FastSLAM.pdb source: file.exe
Source: Binary string: c:\src\ShellRunas\Release\ShellRunas.pdb source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: <c:\src\ShellRunas\Release\ShellRunas.pdb source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, ?????.sys.0.dr

Data Obfuscation

Source: Yara match File source: 00000002.00000002.492960569.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000001F6C58B8762 push rsp; retn 0009h 0_2_000001F6C58B8766
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFC9CF967E9 push ebx; retf 0_2_00007FFC9CF967EA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_00404ACD push ecx; ret 2_2_00404AE0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_00402CB0 _memset,_memset,_wcscpy_s,_wcscat_s,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetLastError,LoadLibraryW,GetProcAddress,_wcschr,_wcscpy_s,GetComputerNameW,CredUIParseUserNameW,CoTaskMemFree, 2_2_00402CB0

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\?????.sys
Source: C:\Users\user\Desktop\file.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TaskKill
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 6988, type: MEMORYSTR
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\file.exe TID: 7068 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4672 Thread sleep count: 9612 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\?????.sys
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 9612
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Evaded block: after key decision
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe API coverage: 4.4 %
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe API call chain: ExitProcess graph end node
Source: jsc.exe, 00000002.00000002.492997621.0000000000E50000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: VMware
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: jsc.exe, 00000002.00000002.492997621.0000000000E50000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: Chrome/HEADIsWow64Processkernel32X:\Windows\SysWOW64\ntdll.dllntdll.dllRtlInitUnicodeStringZwOpenFileZwCreateSectionZwMapViewOfSectionNtUnmapViewOfSectionNtQueryInformationProcess{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}RtlRandomExntdll:y--\Driver\Device ParametersEDID(IsActive)(NotActive)BAD EDID!No EDID!--Nm:SYSTEM\ControlSet001\Enum\DISPLAY\\.\PhysicalDrive%d---VMwareVirtualBoxVBoxQEMUDisplay AdapterNon-PnPVMwareVirtualBoxVBoxQEMUWestern Disk HARDDISK(1):(2):text/*Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: file.exe, 00000000.00000002.493218018.000001F6C5BD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_00405700 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00405700
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_00402CB0 _memset,_memset,_wcscpy_s,_wcscat_s,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetLastError,LoadLibraryW,GetProcAddress,_wcschr,_wcscpy_s,GetComputerNameW,CredUIParseUserNameW,CoTaskMemFree, 2_2_00402CB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_004039C0 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln, 2_2_004039C0
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_00407219 SetUnhandledExceptionFilter, 2_2_00407219
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_00405700 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00405700
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_0040C52A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040C52A

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 401000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 40D000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 413000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 416000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 418000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: B12008
Source: file.exe, ????????/???????????.cs Reference to suspicious API methods: ('???????????', 'GetProcAddress@kernel32.dll'), ('????????', 'LoadLibrary@kernel32.dll'), ('?????????', 'VirtualProtect@kernel32.dll'), ('????????????', 'VirtualAlloc@kernel32.dll')
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_00402050 _memset,_memset,_memset,_memset,_memset,__wcsicmp,__wcsicmp,__wcsicmp,SetEnvironmentVariableW,_memset,_wcscpy_s,_wcscat_s,CreateProcessW,GetLastError,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,_wcscpy_s,_memset,_memset,_memset,CreateProcessWithLogonW,GetLastError,EnumWindows,Sleep,Sleep,EnumWindows,CloseHandle,CloseHandle,CloseHandle,LoadIconW,LoadIconW,LoadIconW,LoadCursorW,RegisterClassExW,CreateDialogParamW,GetMessageW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetMessageW,LocalFree, 2_2_00402050
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: GetLocaleInfoA, 2_2_0040B123
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_0040C66D cpuid 2_2_0040C66D
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_00407ACC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_00407ACC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe Code function: 2_2_004039C0 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln, 2_2_004039C0