Analysis Report

Overview

General Information

Analysis ID: 54912
Start time: 16:27:17
Start date: 29/01/2015
Overall analysis duration: 0h 7m 5s
Report type: full
Sample file name: downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2003 SP1, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 13
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
HCA enabled: true
HCA success:
  • true, ratio: 97%
  • Number of executed functions: 79
  • Number of non-executed functions: 143
Warnings:
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.


Detection

Strategy | Report FP/FN
Threshold | malicious


Signature Overview


Change of System Appearance:

Changes the wallpaper picture
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_USERS\Control Panel\Desktop TileWallpaper

DDOS:

Contains functionality to access network services in a loop (often DDOS functionality)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01590762 socket,Sleep,connect,send,recv,send,select,Sleep,closesocket,ioctlsocket,recv,closesocket,closesocket,TerminateThread,1_2_01590762

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015C136D CryptDecrypt,1_2_015C136D

Spam, unwanted Advertisements and Ransom Demands:

Moves many txt or jpg files (may be a ransomware encrypting documents)
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT
Source: C:\Windows\System32\svchost.exe | File moved: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.msn[2].txt
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\OFFICE11\NOISEENU.TXT
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\AutoIt3\Include\_ReadMe_.txt
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG
Source: C:\Windows\System32\svchost.exe | File moved: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG
Writes a notice file (html or txt) to demand a ransom
Source: C:\Windows\System32\svchost.exe | File dropped: C:\Program Files\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dzwyyul.txt -> your documents, photos, databases and other important files have been encryptedwith strongest encryption and unique key, generated for this computer.private decryption key is stored on a secret internet server and nobody candecrypt your files until you pay and obtain the private key.if you see the main locker window, follow the instructions on the locker.overwise, it's seems that you or your antivirus deleted the locker program.now you have the last chance to decrypt your files.open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. they are public gates to the secret server. if you have problems with gates, use direct connection:1. download tor browser from http://torproject.org2. in the tor browser open the http://w7yue5dc5amppggs.onion/ note that this server is available via tor browser only. retry in 1 hour if site is not reachable.copy and paste the follow
Source: C:\Windows\explorer.exe | File dropped: C:\Users\admin\Documents\Decrypt-All-Files-dzwyyul.txt -> your documents, photos, databases and other important files have been encryptedwith strongest encryption and unique key, generated for this computer.private decryption key is stored on a secret internet server and nobody candecrypt your files until you pay and obtain the private key.if you see the main locker window, follow the instructions on the locker.overwise, it's seems that you or your antivirus deleted the locker program.now you have the last chance to decrypt your files.open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. they are public gates to the secret server. if you have problems with gates, use direct connection:1. download tor browser from http://torproject.org2. in the tor browser open the http://w7yue5dc5amppggs.onion/ note that this server is available via tor browser only. retry in 1 hour if site is not reachable.copy and paste the following public key in the inpu

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_003E3EB0 CreateFileW,WriteFile,CloseHandle,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,ReleaseDC,SelectObject,CreateSolidBrush,FillRect,CreateFileW,GetDIBits,WriteFile,WriteFile,WriteFile,CloseHandle,5_2_003E3EB0

Networking:

Urls found in memory or binary data
Source: upbbxxl.html.dr | String found in binary or memory: http://torproject.org
Source: Decrypt-All-Files-dzwyyul.txt.dr | String found in binary or memory: http://torproject.org
Source: upbbxxl.html.dr | String found in binary or memory: http://w7yue5dc5amppggs.onion
Source: Decrypt-All-Files-dzwyyul.txt.dr, upbbxxl.html.dr | String found in binary or memory: http://w7yue5dc5amppggs.onion.cab
Source: Decrypt-All-Files-dzwyyul.txt.dr | String found in binary or memory: http://w7yue5dc5amppggs.onion/
Source: Decrypt-All-Files-dzwyyul.txt.dr, upbbxxl.html.dr | String found in binary or memory: http://w7yue5dc5amppggs.tor2web.org
Source: upbbxxl.html.dr | String found in binary or memory: http://www.torproject.org/download/download-easy.html.en
Contains functionality to download additional files from the internet
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01590762 socket,Sleep,connect,send,recv,send,select,Sleep,closesocket,ioctlsocket,recv,closesocket,closesocket,TerminateThread,1_2_01590762

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015A791B setsockopt,bind,getsockname,1_2_015A791B
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0150E372 htonl,bind,listen,connect,accept,WSAGetLastError,WSASetLastError,WSASetLastError,1_2_0150E372
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Code function: 13_2_014BE372 htonl,bind,listen,connect,accept,WSAGetLastError,WSASetLastError,WSASetLastError,13_2_014BE372
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Code function: 13_2_0155791B setsockopt,bind,getsockname,13_2_0155791B

Stealing of Sensitive Information:

Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\System32\svchost.exe | Directory queried: number of queries: 1002
Searches for Windows Mail specific files
Source: C:\Windows\System32\svchost.exe | Directory queried: C:\Program Files\Windows Mail *
Source: C:\Windows\System32\svchost.exe | Directory queried: C:\Program Files\Windows Mail\en-US *

Persistence and Installation Behavior:

Drops PE files
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | File created: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
Terminates after testing mutex exists (may check infected machine status)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0155811C GetModuleHandleW,OpenMutexW,ExitProcess,CreateMutexW,SHGetFolderPathW,GetModuleFileNameW,GetTempPathW,GetTickCount,CreateFileW,WriteFile,CloseHandle,ShellExecuteW,CloseHandle,Sleep,RegCloseKey,RegCloseKey,GetCurrentThread,SetThreadPriority,InitializeSecurityDescriptor,AllocateAndInitializeSid,GetLengthSid,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,CreateDirectoryW,CreateFileW,CloseHandle,CreateThread,Sleep,CreateThread,GetVersion,FindWindowExW,CloseHandle,FindWindowW,SendMessageW,DeleteFileW,1_2_0155811C

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015921ED GetUserGeoID,LoadLibraryA,GetProcAddress,GetDesktopWindow,GetDC,ReleaseDC,CreateIconFromResource,GetLastError,LoadCursorW,RegisterClassExW,1_2_015921ED
PE file contains an invalid checksum
Source: initial sample | Static PE information: real checksum: 0x16dd2 should be: 0xb4672

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01593BDA FindFirstFileW,CreateFileW,GetFileSize,ReadFile,CloseHandle,FindNextFileW,FindClose,CloseHandle,FindClose,1_2_01593BDA
Contains functionality to query local drives
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01593901 GetLogicalDriveStringsW,RtlInitializeCriticalSection,GetDriveTypeW,wsprintfW,GetFileAttributesW,HeapCreate,RtlAllocateHeap,RtlInitializeCriticalSection,WaitForMultipleObjects,CloseHandle,HeapDestroy,CreateFileW,WriteFile,CloseHandle,1_2_01593901
Enumerates the file system
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData\Local
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\System32\svchost.exe | Directory queried: number of queries: 1002

System Summary:

PE file contains a debug data directory
Source: initial sample | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: yuretor.pdb source: downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015941C0 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,CloseHandle,1_2_015941C0
Contains functionality to enum processes or threads
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01593DBC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_01593DBC
Creates files inside the program directory
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File created: C:\ProgramData\Adobe\hygrtse
Creates files inside the user directory
Source: C:\Windows\explorer.exe | File created: C:\Users\admin\Documents\Decrypt-All-Files-dzwyyul.txt
Creates temporary files
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | File created: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
PE file has an executable .text section and no other executable section
Source: initial sample | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Windows\System32\svchost.exe | File read: C:\$Recycle.Bin\S-1-5-18\desktop.ini
Spawns processes
Source: unknown | Process created: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe
Source: unknown | Process created: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe
Source: unknown | Process created: C:\Users\admin\AppData\Local\Temp\inbdgml.exe
Source: unknown | Process created: C:\Windows\System32\slui.exe
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows all
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Process created: C:\Users\admin\AppData\Local\Temp\inbdgml.exe C:\Users\admin\AppData\Local\Temp\inbdgml.exe -u
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\slui.exe C:\Windows\System32\slui.exe -Embedding
Uses an in-process (OLE) Automation server
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Writes ini files
Source: C:\Windows\System32\svchost.exe | File written: C:\$Recycle.Bin\S-1-5-18\desktop.ini
Contains functionality to launch a process as a different user
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0159453A Sleep,DuplicateTokenEx,GetModuleFileNameW,wsprintfW,CreateProcessAsUserW,1_2_0159453A
Creates files inside the system directory
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012015012920150130\
Creates mutexes
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Mutant created: \BaseNamedObjects\riquinfqlgkboi
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Mutant created: \Sessions\1\BaseNamedObjects\riquinfqlgkboi
PE file contains strange resources
Source: initial sample | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to add an ACL to a security descriptor
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0155811C GetModuleHandleW,OpenMutexW,ExitProcess,CreateMutexW,SHGetFolderPathW,GetModuleFileNameW,GetTempPathW,GetTickCount,CreateFileW,WriteFile,CloseHandle,ShellExecuteW,CloseHandle,Sleep,RegCloseKey,RegCloseKey,GetCurrentThread,SetThreadPriority,InitializeSecurityDescriptor,AllocateAndInitializeSid,GetLengthSid,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,CreateDirectoryW,CreateFileW,CloseHandle,CreateThread,Sleep,CreateThread,GetVersion,FindWindowExW,CloseHandle,FindWindowW,SendMessageW,DeleteFileW,1_2_0155811C
Contains functionality to create a new security descriptor
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0155811C GetModuleHandleW,OpenMutexW,ExitProcess,CreateMutexW,SHGetFolderPathW,GetModuleFileNameW,GetTempPathW,GetTickCount,CreateFileW,WriteFile,CloseHandle,ShellExecuteW,CloseHandle,Sleep,RegCloseKey,RegCloseKey,GetCurrentThread,SetThreadPriority,InitializeSecurityDescriptor,AllocateAndInitializeSid,GetLengthSid,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,CreateDirectoryW,CreateFileW,CloseHandle,CreateThread,Sleep,CreateThread,GetVersion,FindWindowExW,CloseHandle,FindWindowW,SendMessageW,DeleteFileW,1_2_0155811C
Allocates memory in foreign processes
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 3E0000 protect: page read and write
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory allocated: C:\Windows\explorer.exe base: 1E00000 protect: page read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\System32\svchost.exe base: 3E0000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\System32\svchost.exe base: 3E0000 protect: page read and write
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\System32\svchost.exe base: 3E0000 protect: page execute read
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\explorer.exe base: 1E00000 protect: page execute and read and write
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\explorer.exe base: 1E00000 protect: page read and write
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory protected: C:\Windows\explorer.exe base: 1E00000 protect: page execute read
Creates a thread in another existing process (thread injection)
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 3E57D3
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Thread created: C:\Windows\explorer.exe EIP: 1E057D3
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory written: PID: 1260 base: 1E00000 value: 70
Writes to foreign memory regions
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory written: C:\Windows\System32\svchost.exe base: 3E0000
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Memory written: C:\Windows\explorer.exe base: 1E00000

Anti Debugging and Sandbox Evasion:

Contains functionality to query system information
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015A38FB GetSystemInfo,1_2_015A38FB
Contains functionality to register its own exception handler
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0150A1D3 SetUnhandledExceptionFilter,1_2_0150A1D3
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01531588 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_01531588
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015153EA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_015153EA
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Code function: 13_2_014BA1D3 SetUnhandledExceptionFilter,13_2_014BA1D3
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Code function: 13_2_014C53EA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_014C53EA
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Code function: 13_2_014E1588 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_014E1588
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | System information queried: KernelDebuggerInformation
Checks the free space of harddrives
Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01531588 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_01531588
Contains functionality to dynamically determine API calls
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015921ED GetUserGeoID,LoadLibraryA,GetProcAddress,GetDesktopWindow,GetDC,ReleaseDC,CreateIconFromResource,GetLastError,LoadCursorW,RegisterClassExW,1_2_015921ED
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0158E07D GetProcessHeap,RtlAllocateHeap,1_2_0158E07D
Enables debug privileges
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Process token adjusted: Debug
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe TID: 3472 | Thread sleep time: -180000ms >= -60000ms
Source: C:\Windows\System32\svchost.exe TID: 3824 | Thread sleep time: -922337203685477ms >= -60000ms
Source: C:\Windows\explorer.exe TID: 1308 | Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\explorer.exe TID: 3776 | Thread sleep time: -922337203685477ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe TID: 2244 | Thread sleep count: 107 > 100
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe TID: 2244 | Thread sleep time: -107000ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe TID: 1016 | Thread sleep time: -60000ms >= -60000ms
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe TID: 1016 | Thread sleep time: -60000ms >= -60000ms
Source: C:\Windows\System32\slui.exe TID: 432 | Thread sleep time: -60000ms >= -60000ms

Virtual Machine Detection:

Contains functionality to enumerate / list files inside a directory
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01593BDA FindFirstFileW,CreateFileW,GetFileSize,ReadFile,CloseHandle,FindNextFileW,FindClose,CloseHandle,FindClose,1_2_01593BDA
Contains functionality to query local drives
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01593901 GetLogicalDriveStringsW,RtlInitializeCriticalSection,GetDriveTypeW,wsprintfW,GetFileAttributesW,HeapCreate,RtlAllocateHeap,RtlInitializeCriticalSection,WaitForMultipleObjects,CloseHandle,HeapDestroy,CreateFileW,WriteFile,CloseHandle,1_2_01593901
Contains functionality to query system information
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015A38FB GetSystemInfo,1_2_015A38FB
Queries a list of all running processes
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Process information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Thread delayed: delay time: -180000
Enumerates the file system
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData\Local
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config\systemprofile\AppData
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | File opened: C:\Windows\System32\config

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Process information set: NOOPENFILEERRORBOX (79 identical entries)
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\svchost.exeCode function: 5_2_003E643B LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_003E643B

Language, Device and Operating System Detection:

barindex
Contains functionality to query local / system time
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01550F55 GetSystemTimeAsFileTime,1_2_01550F55
Contains functionality to query the account / user name
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_01592BA1 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoUninitialize,GetUserNameW,CoUninitialize,1_2_01592BA1
Contains functionality to query time zone information
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_015E0E4D GetTimeZoneInformation,1_2_015E0E4D
Contains functionality to query windows version
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Code function: 1_2_0158ECC7 GetVersion,1_2_0158ECC7
Queries the cryptographic machine GUID
Source: C:\downloaded.m-a-metare.fr-521bd488a5de44d84e9d145d3eb8a238.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of Windows
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: C:\Users\admin\AppData\Local\Temp\inbdgml.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [0040bc10h], bl and CTI: je 003E55E5h 5_2_003E514D
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 003E557Ch 5_2_003E514D
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-02h], 00000001h and CTI: jne 003E557Ch 5_2_003E514D
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 003E55D7h 5_2_003E514D
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-02h], bl and CTI: jne 003E55D7h 5_2_003E514D
Source: C:\Windows\System32\svchost.exe | Code function: 5_2_003E514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 003E55D7h 5_2_003E514D
Source: C:\Windows\explorer.exe | Code function: 6_2_01E05142 GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [01e2bc10h], bl and CTI: je 01E055E5h 6_2_01E05142
Source: C:\Windows\explorer.exe | Code function: 6_2_01E05142 GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [eax], bl and CTI: jne 01E05530h 6_2_01E05142
Source: C:\Windows\explorer.exe | Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [01e2bc10h], bl and CTI: je 01E055E5h 6_2_01E0514D
Source: C:\Windows\explorer.exe | Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 01E0557Ch 6_2_01E0514D
Source: C:\Windows\explorer.exe | Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-02h], 00000001h and CTI: jne 01E0557Ch 6_2_01E0514D
Source: C:\Windows\explorer.exe | Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 01E055D7h 6_2_01E0514D
Source: C:\Windows\explorer.exe | Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-02h], bl and CTI: jne 01E055D7h 6_2_01E0514D
Source: C:\Windows\explorer.exe | Code function: 6_2_01E0514D GetSystemTimeAsFileTime followed by cmp: cmp byte ptr [ebp-01h], bl and CTI: jne 01E055D7h 6_2_01E0514D

Yara Overview

No Yara matches

Screenshot