Windows Analysis Report
ZtQY1K6aTi.exe

Overview

General Information

Sample name: ZtQY1K6aTi.exe
(renamed because the original name is a hash value)
Original sample name: 7f991bd7699126d6cca12241de7e7c44.exe
Analysis ID: 1435778
MD5: 7f991bd7699126d6cca12241de7e7c44
SHA1: 63829ce5fcb6616b08d81fb456e92fcd1cac14c9
SHA256: 441bfb5e8bc07201c4c44de203b37c3ee9ab8d50dcfe025d7757fb7097c61156
Tags: 32 exe trojan

Detection

RisePro Stealer
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected RisePro Stealer
Adds extensions / path to Windows Defender exclusion list (Registry)
Contains functionality to inject threads in other processes
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Exclude list of file types from scheduled, custom, and real-time scanning
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Modifies Group Policy settings
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: ZtQY1K6aTi.exe ReversingLabs: Detection: 60%
Source: ZtQY1K6aTi.exe Virustotal: Detection: 66%
Source: ZtQY1K6aTi.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00263EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 0_2_00263EB0
Source: ZtQY1K6aTi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Change of critical system settings

Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D2012 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_001D2012
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0027D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError, 0_2_0027D2B0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002633B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_002633B0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002313F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_002313F0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00231A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA, 0_2_00231A60
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00283B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00283B20
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001EFC1D FindFirstFileExW, 0_2_001EFC1D
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D1F8C FindClose,FindFirstFileExW,GetLastError, 0_2_001D1F8C
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 87.120.84.5:50500
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.84.5 (reported 30 times)
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001B8DC0 recv, 0_2_001B8DC0
Source: ZtQY1K6aTi.exe String found in binary or memory: http://www.winimage.com/zLibDll
Source: ZtQY1K6aTi.exe String found in binary or memory: https://ipinfo.io/
Source: ZtQY1K6aTi.exe String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: ZtQY1K6aTi.exe, 00000000.00000002.3254044242.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: ZtQY1K6aTi.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
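The networking observations above (repeated TCP connections to 87.120.84.5 on port 50500 with no DNS lookup preceding them) are the kind of pattern a detection engineer reproduces from proxy or flow logs. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It walks a constructed, minimal event log (the log format, the client address and the documentation-range addresses are assumptions; only the destination 87.120.84.5:50500 is taken from the report), keeps the set of addresses that DNS answers have already returned, and flags external TCP destinations that were never resolved or that use a port outside a short list of expected ones.

```python
import ipaddress

# Ports an ordinary workstation process is expected to reach; anything else is "non-standard".
STANDARD_PORTS = {53, 80, 135, 139, 443, 445, 587, 993, 995, 3389, 8080}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed log (not from the report) in a minimal "<ts> <kind> <fields>" form:
#   dns <client-ip> <name>=<answer-ip>
#   tcp <src-ip> <dst-ip> <dst-port>
# 87.120.84.5:50500 is the destination recorded in the report; 203.0.113.10 is a
# documentation-range address standing in for a legitimately resolved host.
SAMPLE_LOG = """\
1 dns 192.168.2.5 example.com=203.0.113.10
2 tcp 192.168.2.5 203.0.113.10 443
3 tcp 192.168.2.5 87.120.84.5 50500
4 tcp 192.168.2.5 87.120.84.5 50500
5 tcp 192.168.2.5 192.168.2.1 445
"""


def parse_log(text):
    """Return a list of (timestamp, kind, fields) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            events.append((int(parts[0]), parts[1], parts[2:]))
    return events


def is_internal(ip):
    """True for RFC 1918 and loopback addresses, which are never C2 candidates here."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_direct_connections(events):
    """Flag outbound TCP to external hosts never resolved via DNS and/or on a non-standard port.

    Returns {(dst_ip, dst_port): {"count": n, "reasons": [...]}} so repeated
    beacons to the same endpoint collapse into one finding with a counter.
    """
    resolved = set()
    hits = {}
    for _ts, kind, fields in sorted(events, key=lambda e: e[0]):
        if kind == "dns":
            _name, answer = fields[1].split("=", 1)
            resolved.add(answer)
        elif kind == "tcp":
            dst, dport = fields[1], int(fields[2])
            if is_internal(dst):
                continue
            reasons = []
            if dst not in resolved:
                reasons.append("no prior DNS resolution")
            if dport not in STANDARD_PORTS:
                reasons.append("non-standard port %d" % dport)
            if not reasons:
                continue
            entry = hits.setdefault((dst, dport), {"count": 0, "reasons": reasons})
            entry["count"] += 1
    return hits


if __name__ == "__main__":
    for (ip, port), info in find_direct_connections(parse_log(SAMPLE_LOG)).items():
        print("%s:%d x%d: %s" % (ip, port, info["count"], "; ".join(info["reasons"])))
```

Both conditions fire for the report's endpoint. A hard-coded C2 address skips DNS by design, so "never resolved" is the stronger signal; the port list is only a tie-breaker and should be tuned to what the monitored hosts normally use.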
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002833A0 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown, 0_2_002833A0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe File created: C:\Windows\System32\GroupPolicy\Machine
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe File created: C:\Windows\System32\GroupPolicy\User
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe File created: C:\Windows\System32\GroupPolicy\GPT.INI
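The Defender exclusion in this report is set through the local Group Policy store rather than by writing the usual HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions key directly: the sample writes C:\Windows\System32\GroupPolicy\Machine\Registry.pol (plus the matching gpt.ini), and the per-user mirror under HKCU\...\group policy objects\{GUID}Machine shows the resulting value Exclusions\Extensions\exe. The CLSID it queries, {EA502722-A23D-11D1-A7D3-0000F87571E3}, is CLSID_GroupPolicyObject, the COM object gpedit itself uses to edit that file. A responder pulling Registry.pol from a disk image needs to read the PReg format: a "PReg" signature, a version DWORD of 1, then UTF-16LE records of the form [key;value;type;size;data]. The parser below is an added example, not code from the report or the sample. The file it builds is constructed: the Exclusions\Extensions = exe entry mirrors the report, the DisableRealtimeMonitoring entry is an assumed illustration of the "Disable Windows Defender real time protection (registry)" signature (the excerpt does not show that value), and the WindowsUpdate entry is unrelated filler the check must ignore.

```python
import struct
import sys

REG_SZ, REG_DWORD = 1, 4
DEFENDER_PREFIX = "software\\policies\\microsoft\\windows defender"


def _u16(s):
    return s.encode("utf-16-le")


def _read_utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, position after the terminator)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter character ('[', ';' or ']')."""
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def parse_registry_pol(buf):
    """Yield (key, value_name, reg_type, raw_data) for every record of a PReg v1 Registry.pol."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a PReg version 1 Registry.pol")
    pos = 8
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        yield key, value, reg_type, data


def decode_data(reg_type, data):
    if reg_type == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    if reg_type == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    return data


def find_defender_tampering(buf):
    """Return findings for Defender exclusions and for Defender Disable* policies set to 1."""
    findings = []
    for key, value, reg_type, data in parse_registry_pol(buf):
        k = key.lower()
        if not k.startswith(DEFENDER_PREFIX):
            continue
        v = decode_data(reg_type, data)
        if "\\exclusions" in k:
            findings.append("exclusion: %s\\%s = %r" % (key, value, v))
        elif value.lower().startswith("disable") and v == 1:
            findings.append("protection disabled: %s\\%s = 1" % (key, value))
    return findings


def build_entry(key, value, reg_type, data):
    """Encode one [key;value;type;size;data] record; used only to construct the sample below."""
    return (_u16("[") + _u16(key) + b"\x00\x00" + _u16(";") + _u16(value) + b"\x00\x00"
            + _u16(";") + struct.pack("<I", reg_type) + _u16(";") + struct.pack("<I", len(data))
            + _u16(";") + data + _u16("]"))


# Constructed Registry.pol. GPO exclusion records use the excluded item as the value
# name and "0" as data, which is what the report's "Exclusions\Extensions exe" reflects.
SAMPLE_POL = (
    b"PReg" + struct.pack("<I", 1)
    + build_entry(r"SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions",
                  "exe", REG_SZ, _u16("0\x00"))
    + build_entry(r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
                  "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1))   # assumed value
    + build_entry(r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU",
                  "NoAutoUpdate", REG_DWORD, struct.pack("<I", 0))               # unrelated filler
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    for finding in find_defender_tampering(blob):
        print(finding)
```

Run it with a path argument to parse a real file; with no argument it checks the constructed sample. A Registry.pol record only reaches Defender once policy is applied, so on a live host pair this with the applied keys under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender; on a disk image the record itself is the indicator.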
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002709B0 0_2_002709B0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001F9588 0_2_001F9588
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001E001D 0_2_001E001D
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002E40A0 0_2_002E40A0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00298080 0_2_00298080
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002D20C0 0_2_002D20C0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0022E120 0_2_0022E120
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00222100 0_2_00222100
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002D81A0 0_2_002D81A0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002361D0 0_2_002361D0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002A4220 0_2_002A4220
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002B4220 0_2_002B4220
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00218200 0_2_00218200
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001AA2C0 0_2_001AA2C0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0028A2D0 0_2_0028A2D0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001E035F 0_2_001E035F
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00290350 0_2_00290350
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0027C3E0 0_2_0027C3E0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002463D0 0_2_002463D0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002A0520 0_2_002A0520
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001F47AD 0_2_001F47AD
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0026E800 0_2_0026E800
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002DC8D0 0_2_002DC8D0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001DA918 0_2_001DA918
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001DC950 0_2_001DC950
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002509B0 0_2_002509B0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002749B0 0_2_002749B0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0024E9E0 0_2_0024E9E0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0026CAA0 0_2_0026CAA0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00294AA0 0_2_00294AA0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00238A80 0_2_00238A80
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002E4AE0 0_2_002E4AE0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002D6B30 0_2_002D6B30
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00230BA0 0_2_00230BA0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00284B90 0_2_00284B90
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001F8BA0 0_2_001F8BA0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0023CBF0 0_2_0023CBF0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00294CD0 0_2_00294CD0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0028CD20 0_2_0028CD20
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001F8E20 0_2_001F8E20
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00268E70 0_2_00268E70
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00246EA0 0_2_00246EA0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0023AEC0 0_2_0023AEC0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0024AED0 0_2_0024AED0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002BAF30 0_2_002BAF30
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00294F70 0_2_00294F70
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0028CFC0 0_2_0028CFC0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00295070 0_2_00295070
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002A1040 0_2_002A1040
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0022D0B0 0_2_0022D0B0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002970E0 0_2_002970E0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00241130 0_2_00241130
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002E3160 0_2_002E3160
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D7190 0_2_001D7190
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002332B0 0_2_002332B0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002DF280 0_2_002DF280
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0025F2D0 0_2_0025F2D0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0029D320 0_2_0029D320
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0029F360 0_2_0029F360
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0025D450 0_2_0025D450
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00293450 0_2_00293450
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002BF450 0_2_002BF450
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002A54A0 0_2_002A54A0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00219490 0_2_00219490
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0028B500 0_2_0028B500
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001CF570 0_2_001CF570
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002AF5E0 0_2_002AF5E0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002A7630 0_2_002A7630
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0021F730 0_2_0021F730
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0025B770 0_2_0025B770
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0027B7E0 0_2_0027B7E0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002977F0 0_2_002977F0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0028D7D0 0_2_0028D7D0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00255880 0_2_00255880
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001AB8E0 0_2_001AB8E0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002B18D0 0_2_002B18D0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00295960 0_2_00295960
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00231A60 0_2_00231A60
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001EDA74 0_2_001EDA74
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002E5A40 0_2_002E5A40
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0027DA80 0_2_0027DA80
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0028FBA0 0_2_0028FBA0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00223C3D 0_2_00223C3D
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00297CA0 0_2_00297CA0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001A9C90 0_2_001A9C90
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002E3CF0 0_2_002E3CF0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00247D20 0_2_00247D20
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00243D70 0_2_00243D70
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00241E40 0_2_00241E40
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00295EB0 0_2_00295EB0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00233ED0 0_2_00233ED0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0029DF20 0_2_0029DF20
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00281F80 0_2_00281F80
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0028BFC0 0_2_0028BFC0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: String function: 001BACE0 appears 146 times
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: String function: 001A2CF0 appears 110 times
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: String function: 001D4370 appears 60 times
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: String function: 002E4890 appears 102 times
Source: ZtQY1K6aTi.exe, 00000000.00000000.1976300985.0000000000327000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ZtQY1K6aTi.exe
Source: ZtQY1K6aTi.exe, 00000000.00000002.3254255271.00000000046F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ZtQY1K6aTi.exe
Source: ZtQY1K6aTi.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ZtQY1K6aTi.exe
Source: ZtQY1K6aTi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal96.troj.evad.winEXE@1/3@0/1
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002E23D0 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA, 0_2_002E23D0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002E2160 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 0_2_002E2160
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0022CB90 CreateDirectoryA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_0022CB90
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002709B0 CoInitializeEx,CoCreateInstance,RegCreateKeyExA,RegSetValueExA,RegCreateKeyExA,RegSetValueExA,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegOpenKeyExA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,CoUninitialize, 0_2_002709B0
Source: ZtQY1K6aTi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe File read: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ZtQY1K6aTi.exe, ZtQY1K6aTi.exe, 00000000.00000000.1976264611.00000000002FA000.00000002.00000001.01000000.00000003.sdmp, ZtQY1K6aTi.exe, 00000000.00000002.3254255271.00000000046F2000.00000004.00000020.00020000.00000000.sdmp, ZtQY1K6aTi.exe, 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ZtQY1K6aTi.exe, 00000000.00000000.1976264611.00000000002FA000.00000002.00000001.01000000.00000003.sdmp, ZtQY1K6aTi.exe, 00000000.00000002.3254255271.00000000046F2000.00000004.00000020.00020000.00000000.sdmp, ZtQY1K6aTi.exe, 00000000.00000002.3253798896.00000000002FA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: ZtQY1K6aTi.exe ReversingLabs: Detection: 60%
Source: ZtQY1K6aTi.exe Virustotal: Detection: 66%
Source: ZtQY1K6aTi.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: ZtQY1K6aTi.exe String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll\*value
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe File read: C:\Users\user\Desktop\ZtQY1K6aTi.exe
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: coremessaging.dll (2 occurrences)
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: wintypes.dll (3 occurrences)
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: gpedit.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: activeds.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: dssec.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: dsuiext.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: framedynos.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: adsldpc.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: dsrole.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: authz.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe File written: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: ZtQY1K6aTi.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ZtQY1K6aTi.exe Static file information: File size 1672704 > 1048576
Source: ZtQY1K6aTi.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x158c00
Source: ZtQY1K6aTi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ZtQY1K6aTi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ZtQY1K6aTi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ZtQY1K6aTi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZtQY1K6aTi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ZtQY1K6aTi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ZtQY1K6aTi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZtQY1K6aTi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ZtQY1K6aTi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ZtQY1K6aTi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ZtQY1K6aTi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ZtQY1K6aTi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001F9588 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState, 0_2_001F9588
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D3F49 push ecx; ret 0_2_001D3F5C
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0028A2D0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0028A2D0

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_001FDA50
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Window / User API: threadDelayed 6362
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe API coverage: 7.2 %
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002E1D30 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 002E1D71h 0_2_002E1D30
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D2012 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_001D2012
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0027D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError, 0_2_0027D2B0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002633B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_002633B0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002313F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_002313F0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00231A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA, 0_2_00231A60
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00283B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00283B20
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001EFC1D FindFirstFileExW, 0_2_001EFC1D
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D1F8C FindClose,FindFirstFileExW,GetLastError, 0_2_001D1F8C
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001F80C8 VirtualQuery,GetSystemInfo, 0_2_001F80C8
Source: ZtQY1K6aTi.exe, 00000000.00000002.3254044242.0000000000D40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ZtQY1K6aTi.exe, 00000000.00000002.3254044242.0000000000D40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnn
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D4174 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001D4174
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001FA082 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep, 0_2_001FA082
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001F9588 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState, 0_2_001F9588
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001FA082 mov eax, dword ptr fs:[00000030h] 0_2_001FA082
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001FA082 mov ecx, dword ptr fs:[00000030h] 0_2_001FA082
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002709B0 mov eax, dword ptr fs:[00000030h] 0_2_002709B0 (12 occurrences)
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001F9588 mov eax, dword ptr fs:[00000030h] 0_2_001F9588 (3 occurrences)
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001F9588 mov ecx, dword ptr fs:[00000030h] 0_2_001F9588
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001FDA50 mov eax, dword ptr fs:[00000030h] 0_2_001FDA50 (2 occurrences)
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00264130 mov eax, dword ptr fs:[00000030h] 0_2_00264130
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00270420 mov ecx, dword ptr fs:[00000030h] 0_2_00270420
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001FA61F mov eax, dword ptr fs:[00000030h] 0_2_001FA61F
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001FA61F mov eax, dword ptr fs:[00000030h] 0_2_001FA61F
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001FA61F mov eax, dword ptr fs:[00000030h] 0_2_001FA61F
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002332B0 mov eax, dword ptr fs:[00000030h] 0_2_002332B0
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00273630 mov eax, dword ptr fs:[00000030h] 0_2_00273630
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00265A70 mov eax, dword ptr fs:[00000030h] 0_2_00265A70
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00286E20 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,HeapAlloc,HeapFree,HeapAlloc,HeapFree, 0_2_00286E20
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D4174 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001D4174
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D4301 SetUnhandledExceptionFilter, 0_2_001D4301
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_001D450D
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_001D8A54

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0026C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0026C630
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_00273340 cpuid 0_2_00273340
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_001F2B48
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: GetLocaleInfoW, 0_2_001F2D4D
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: EnumSystemLocalesW, 0_2_001F2DF4
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: EnumSystemLocalesW, 0_2_001F2E3F
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: EnumSystemLocalesW, 0_2_001F2EDA
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_001F2F65
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: GetLocaleInfoW, 0_2_001F31B8
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: EnumSystemLocalesW, 0_2_001EB1A3
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_001F32E1
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: GetLocaleInfoW, 0_2_001F33E7
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_001F34BD
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: GetLocaleInfoW, 0_2_001EB726
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0027DA80
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_001D1D84
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001D43B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_001D43B5
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_0026E800 OutputDebugStringA,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,ShellExecuteA, 0_2_0026E800
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_001ED11E GetTimeZoneInformation, 0_2_001ED11E
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Code function: 0_2_002E2070 GetVersionExA,DeleteFileW,GetFileAttributesW,GetLastError,Sleep,DeleteFileA,GetFileAttributesA,GetLastError,Sleep, 0_2_002E2070

Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{6BB86D62-6074-413F-AC7A-F6E5212F3B22}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe Registry value created: Exclusions_Extensions 1
Source: C:\Users\user\Desktop\ZtQY1K6aTi.exe File written: C:\Windows\System32\GroupPolicy\GPT.INI

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: ZtQY1K6aTi.exe PID: 6788, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: ZtQY1K6aTi.exe PID: 6788, type: MEMORYSTR