
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 609630
Start time: 14:25:30
Joe Sandbox Product: Cloud
Start date: 16.07.2018
Overall analysis duration: 0h 8m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ZrfRZCzOXC.exe
Cookbook file name: sysmon.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.evad.winEXE@6/3@11/3
EGA Information:
  • Successful, ratio: 33.3%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 72 | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend behavior
Sample monitors Window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior



Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: ZrfRZCzOXC.exe | virustotal: Detection: 73%

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 23.42.27.27
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /ncsi.txt HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko; Host: www.msftncsi.com
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /ncsi.txt HTTP/1.1; Cache-Control: no-cache; Connection: Keep-Alive; Pragma: no-cache; User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko; Host: www.msftncsi.com
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: 8.8.8.8.in-addr.arpa
Urls found in memory or binary data

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00401B18 CreateFileMappingW,MapViewOfFile,WaitForSingleObject,NtTerminateProcess, 1_2_00401B18
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00401BC5 NtFreeVirtualMemory,WaitForSingleObject,NtTerminateProcess, 1_2_00401BC5
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00401C19 NtFreeVirtualMemory,WaitForSingleObject,NtTerminateProcess, 1_2_00401C19
PE file has an invalid certificate
Source: ZrfRZCzOXC.exe | Static PE information: invalid certificate
Reads the hosts file
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: ZrfRZCzOXC.exe, 00000001.00000002.10346790896.001D0000.00000008.sdmp | Binary or memory string: OriginalFilenameodbcint.dll.muij% vs ZrfRZCzOXC.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Section loaded: vdbcbcp.dll
Source: C:\Windows\explorer.exe | Section loaded: wshtcpip.dll
Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe | Section loaded: vdbcbcp.dll
Classification label
Source: classification engine | Classification label: mal72.evad.winEXE@6/3@11/3
Creates files inside the user directory
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv
Reads ini files
Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: ZrfRZCzOXC.exe | virustotal: Detection: 73%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\ZrfRZCzOXC.exe 'C:\Users\user\Desktop\ZrfRZCzOXC.exe'
Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {353C8FCD-E7D7-4901-A1FC-CC4E5F09B639} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start '' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start '' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72eb61e0-8672-4303-9175-f2e4c68b2e7c}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

PE file contains an invalid checksum
Source: dtevaaaa.exe.2.dr | Static PE information: real checksum: 0x43dfb should be: 0x495b2
Source: ZrfRZCzOXC.exe | Static PE information: real checksum: 0x43dfb should be: 0x495b2
PE file contains sections with non-standard names
Source: ZrfRZCzOXC.exe | Static PE information: section name: .xml
Source: dtevaaaa.exe.2.dr | Static PE information: section name: .xml
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00403E48 push edi; iretd 1_2_00403E4B
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00405E08 push 024F7F4Bh; iretd 1_2_00405E0D
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_004038C9 push 270B9D80h; ret 1_2_004038FE
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_004046F1 push cs; ret 1_2_004046F2
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00405094 push cs; ret 1_2_004050AE
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00405D40 push 2217E8B9h; ret 1_2_00405D45
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00405141 push cs; ret 1_2_00405142
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00406754 push edx; ret 1_2_00406755
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_0040111E push esp; retf 1_2_00401147
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_0040392D push edx; ret 1_2_0040393C
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_0040513F push edx; ret 1_2_00405140
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00403FC9 push ss; iretd 1_2_00403FD4
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_004037E8 push cs; ret 1_2_004037FA
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_004029FA push eax; ret 1_2_00402A90
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_004045FF push edx; ret 1_2_00404600
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00404981 push cs; ret 1_2_00404982
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Code function: 1_2_00405B9C push ds; iretd 1_2_00405B9D

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chviwehv.lnk
Stores files to the Windows start menu directory
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chviwehv.lnk

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module)
Source: explorer.exe, 00000002.00000000.10281837375.004ED000.00000004.sdmp | Binary or memory string: \\192.168.1.2\ALL\PROCEXP.EXES
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum name: 0
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 555
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 521
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 437
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 420
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 529
Queries a list of all running processes
Source: C:\Windows\explorer.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\taskeng.exe | System information queried: KernelDebuggerInformation

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe | File created: dtevaaaa.exe.2.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 23.10.249.17 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Section loaded: unknown target pid: 1376 protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start '' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe'
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000002.00000000.10282089541.00860000.00000002.sdmp, taskeng.exe, 00000003.00000002.10574796883.00E00000.00000002.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.10282089541.00860000.00000002.sdmp, taskeng.exe, 00000003.00000002.10574796883.00E00000.00000002.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.10282089541.00860000.00000002.sdmp, taskeng.exe, 00000003.00000002.10574796883.00E00000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.10281837375.004ED000.00000004.sdmp | Binary or memory string: Progmanp

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ZrfRZCzOXC.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe | Queries volume information: C:\ VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Windows\System32\taskeng.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 609630 | Sample: ZrfRZCzOXC.exe | Startdate: 16/07/2018 | Architecture: WINDOWS | Score: 72
[Behavior graph image; nodes and edges recovered from the graph text:]
  • Sample-level: contacts ukcompany.top, ukcompany.pw and 12 other IPs or domains; signatures: Multi AV Scanner detection for submitted file; Tries to detect sandboxes and other dynamic analysis tools (process name or module)
  • ZrfRZCzOXC.exe started; signature: Maps a DLL or memory area into another process; injects into explorer.exe
  • taskeng.exe started; starts cmd.exe, which starts dtevaaaa.exe
  • explorer.exe (injected): connects to a1961.g2.akamai.net 23.10.249.17 (port 80, AKAMAI-ASN1, US, United States), 192.168.1.255 (unknown) and 192.168.1.81 (ports 49164, 49168, 49171, unknown); drops C:\Users\user\AppData\...\dtevaaaa.exe (PE32); signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files

Simulations

Behavior and APIs

Time | Type | Description
14:26:22 | API Interceptor | 602x Sleep call for process: explorer.exe modified
14:26:52 | Task Scheduler | Run new task: Opera scheduled Autoupdate 211371202 path: C:\Windows\system32\cmd.exe s>/c start "" "C:\Users\user\AppData\Roaming\Microsoft\Windows\chviwehv\dtevaaaa.exe"
14:30:00 | API Interceptor | 3x Sleep call for process: taskeng.exe modified
14:30:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chviwehv.lnk

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
ZrfRZCzOXC.exe | 74% | virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
a1621.g.akamai.net | 0% | virustotal |
a1363.dscg.akamai.net | 0% | virustotal |
a1961.g2.akamai.net | 0% | virustotal |

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots