
Analysis Report systemupdate_ProtectedAUS.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 934785
Start date: 12.08.2019
Start time: 21:25:35
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 8m 15s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: systemupdate_ProtectedAUS.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@5/5@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 3% (good quality ratio 2.2%)
  • Quality average: 59.7%
  • Quality standard deviation: 40.6%
HCA Information:
  • Successful, ratio: 79%
  • Number of executed functions: 96
  • Number of non-executed functions: 77
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, mscorsvw.exe
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Threat | Detection
Threshold | 100   | 0 - 100 | Report FP / FN | false       | njRat  | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      | Confidence


Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Remote Management | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 1 | Software Packing 22 | Credential Dumping 3 | System Time Discovery 12 | Application Deployment Software | Input Capture 1 | Data Encrypted 1 | Uncommonly Used Port 1
Replication Through Removable Media | Service Execution | Port Monitors | Process Injection 21 | Disabling Security Tools 1 | Input Capture 1 | Query Registry 1 | Remote Services | Data from Local System 2 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 2
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Modify Registry 1 | Credentials in Registry 1 | Process Discovery 2 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Access Token Manipulation 1 | Credentials in Files 2 | Application Window Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection 21 | Account Manipulation | Security Software Discovery 251 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Deobfuscate/Decode Files or Information 1 | Brute Force | File and Directory Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Obfuscated Files or Information 3 | Two-Factor Authentication Interception | System Information Discovery 23 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading 1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol

Digits following a technique name are the report's signature-count badges, reproduced as extracted (where several badges were shown, their digits are run together).

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\SysWOW64\taskeng.exe | virustotal: Detection: 47%
Multi AV Scanner detection for submitted file
Source: systemupdate_ProtectedAUS.exe | virustotal: Detection: 47%
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00401329 CryptAcquireContextA,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptGetHashParam,swprintf,swprintf,CryptDestroyHash,CryptReleaseContext
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004023A8 CLSIDFromString,CredEnumerateA,CryptUnprotectData,___from_strstr_to_strchr,_strstr,swprintf,swprintf,___from_strstr_to_strchr,GetLastError,AuditFree,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004014AE CryptAcquireContextA,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00403678 CryptUnprotectData,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00402884 CryptUnprotectData,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00401CEA RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegCloseKey,CryptUnprotectData,swprintf,swprintf,WideCharToMultiByte,LocalFree,GetLastError

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.81:49163 -> 160.116.15.134:3361
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 160.116.15.134
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: COGENT-174-CogentCommunicationsUS COGENT-174-CogentCommunicationsUS
Found strings which match to known social media urls
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: ERR%WindowsLive:name=*%http://hotmail.com9Software\ooVoo\Settings\UserUserQhttp://www.oovoo.com/?Encrypted PasswordPass equals www.hotmail.com (Hotmail)
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809478481.00370000.00000004.00000020.sdmp | String found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook)
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: Yahoo equals www.yahoo.com (Yahoo)
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://Yahoo.com48nhH equals www.yahoo.com (Yahoo)
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://hotmail.com equals www.hotmail.com (Hotmail)
Source: vbc.exe | String found in binary or memory: http://twitter.com/ equals www.twitter.com (Twitter)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp | String found in binary or memory: http://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp | String found in binary or memory: http://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.linkedin.com (Linkedin)
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp | String found in binary or memory: http://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.myspace.com (Myspace)
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp | String found in binary or memory: http://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.twitter.com (Twitter)
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp | String found in binary or memory: http://www.facebook.com/https://www.facebook.com/http://twitter.com/https://twitter.com/https://login.yahoo.com/config/loginhttps://pinterest.com/login/http://www.linkedin.com/https://my.screenname.aol.com/_cqr/login/login.psphttps://www.amazon.com/ap/signin/190-9059340-4656153https://signin.ebay.com/ws/ebayisapi.dllhttps://accounts.google.com/serviceloginhttps://www.google.com/accounts/serviceloginhttp://digg.comhttp://www.myspace.comhttps://myspace.comhttps://www.amazon.com/gp/css/homepage.htmlhttp://www.stumbleupon.com/sign_up.phphttp://slashdot.org/bookmark.plhttp://www.reddit.com/loginB equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: vbc.exe | String found in binary or memory: http://www.myspace.com equals www.myspace.com (Myspace)
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: https://myspace.com equals www.myspace.com (Myspace)
Source: vbc.exe | String found in binary or memory: https://twitter.com/ equals www.twitter.com (Twitter)
Source: vbc.exe | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: pwd%http://Paltalk.com/Software\Yahoo\Profiles!http://Yahoo.com equals www.yahoo.com (Yahoo)
Urls found in memory or binary data
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://Paltalk.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://Paltalk.com/Software
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://Yahoo.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://Yahoo.com48nhH
Source: vbc.exe | String found in binary or memory: http://digg.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://hotmail.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://hotmail.com9Software
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://no-ip.com
Source: systemupdate_ProtectedAUS.exe | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: vbc.exe, vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp | String found in binary or memory: http://securityxploded.com/browser-password-dump.php
Source: vbc.exe | String found in binary or memory: http://slashdot.org/bookmark.pl
Source: vbc.exe | String found in binary or memory: http://twitter.com/
Source: vbc.exe, vbc.exe, 00000004.00000002.14657959113.00321000.00000004.00000020.sdmp, 4371570.4.dr | String found in binary or memory: http://www.SecurityXploded.com
Source: vbc.exe | String found in binary or memory: http://www.linkedin.com/
Source: vbc.exe | String found in binary or memory: http://www.myspace.com
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://www.noip.com/
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | String found in binary or memory: http://www.oovoo.com/?Encrypted
Source: vbc.exe | String found in binary or memory: http://www.reddit.com/login
Source: vbc.exe | String found in binary or memory: http://www.stumbleupon.com/sign_up.php
Source: vbc.exe | String found in binary or memory: https://accounts.google.com/servicelogin
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe | String found in binary or memory: https://my.screenname.aol.com/_cqr/login/login.psp
Source: vbc.exe | String found in binary or memory: https://myspace.com
Source: vbc.exe | String found in binary or memory: https://pinterest.com/login/
Source: vbc.exe | String found in binary or memory: https://signin.ebay.com/ws/ebayisapi.dll
Source: vbc.exe | String found in binary or memory: https://twitter.com/
Source: vbc.exe | String found in binary or memory: https://www.amazon.com/ap/signin/190-9059340-4656153
Source: vbc.exe | String found in binary or memory: https://www.amazon.com/gp/css/homepage.html
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, j/kl.cs | .Net Code: VKCodeToUnicode
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, j/kl.cs | .Net Code: VKCodeToUnicode

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects hacktools by SecurityXploded
Source: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects hacktools by SecurityXploded
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE | Matched rule: Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE | Matched rule: Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects hacktools by SecurityXploded
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects hacktools by SecurityXploded
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects hacktools by SecurityXploded
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects hacktools by SecurityXploded
Contains functionality to call native functions
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_00551C04 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_005500AD NtOpenSection,NtMapViewOfSection
Creates mutexes
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Mutant created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_002
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Mutant created: \Sessions\1\BaseNamedObjects\Client.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001A6013
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001AC838
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001A8958
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001AB210
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001A7DFA
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001AD6D8
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001A97E8
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001A60A3
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001A60E3
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001A6232
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001A635E
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_006822A7
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 2_2_003C6058
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 2_2_003CCCD0
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 2_2_003C79D8
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 2_2_003C5768
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 2_2_003C1B40
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 2_2_003C0FEA
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 2_2_003C5418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00449182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00440CD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004080C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0045008C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00409101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0044A248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00431223
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004392D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0042B386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0044B3BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00435460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00432513
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004505FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0043F640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0042D61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0042170A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0044A73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041C8D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004388E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0040494F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0044AB54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00451B7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0044FB1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00404BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041EC16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00404CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00450D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041ADF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00404F44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0044AF89
Found potential string decryption / allocating functionsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 00408E3D appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 00444860 appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 004097AF appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 0040970D appears 102 times
Sample file is different than original file name gathered from version infoShow sources
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810024483.0113C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameuTorrent.exe@ vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809420023.00320000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemaqUVPsBdw.exe4 vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809365509.002E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameqbPoogbjlb.dll4 vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809777836.007A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809478481.00370000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809115991.000E0000.00000008.00000001.sdmpBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamepw.dllL vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamesHelper.exe< vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14813822585.00610000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14813436263.001E0000.00000008.00000001.sdmpBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14816655264.03E20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000000.14553244545.0113C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameuTorrent.exe@ vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814024137.00800000.00000008.00000001.sdmpBinary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814015368.007F0000.00000008.00000001.sdmpBinary or memory string: OriginalFilenamemsvfw32.dll.muij% vs systemupdate_ProtectedAUS.exe
Source: systemupdate_ProtectedAUS.exeBinary or memory string: OriginalFilenameuTorrent.exe@ vs systemupdate_ProtectedAUS.exe
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeFile read: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeJump to behavior
Tries to load missing DLLsShow sources
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeSection loaded: ntdll.dllJump to behavior
Yara signature match
Source: 00000002.00000002.14813731660.00402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.14811656068.04500000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.14810211843.01DE7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = https://creativecommons.org/licenses/by-nc/4.0/, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: SecurityXploded_Producer_String_RID33B2 date = 2017-07-13 14:58:51, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000001.00000002.14809736152.00682000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000001.00000002.14810167494.01DAD000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE; Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE; Matched rule: MAL_Winnti_Sample_May18_1_RID3003 date = 2018-05-04 12:21:41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, type: UNPACKEDPE; Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: MAL_Winnti_Sample_May18_1 date = 2018-05-04, hash1 = 528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: MAL_Winnti_Sample_May18_1_RID3003 date = 2018-05-04 12:21:41, author = Florian Roth, description = Detects malware sample from Burning Umbrella report - Generic Winnti Rule, reference = https://401trg.pw/burning-umbrella/, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_c_RID2E71 date = 2018-02-08 11:14:41, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = https://creativecommons.org/licenses/by-nc/4.0/, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE; Matched rule: SecurityXploded_Producer_String_RID33B2 date = 2017-07-13 14:58:51, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: SecurityXploded_Producer_String date = 2017-07-13, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = https://creativecommons.org/licenses/by-nc/4.0/, score = d57847db5458acabc87daee6f30173348ac5956eb25e6b845636e25f5a56ac59
Source: 4.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: SecurityXploded_Producer_String_RID33B2 date = 2017-07-13 14:58:51, author = Florian Roth, description = Detects hacktools by SecurityXploded, reference = http://securityxploded.com/browser-password-dump.php, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
.NET source code contains many API calls related to security
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, BotKillers.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, BotKillers.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, BotKillers.cs; Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, BotKillers.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, BotKillers.cs; Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, BotKillers.cs; Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Classification label
Source: classification engine; Classification label: mal100.phis.troj.spyw.evad.winEXE@5/5@0/1
Contains functionality for error logging
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 4_2_0040AB07 GetTempPathW,GetTempPathA,_free,GetLastError,FormatMessageA, 4_2_0040AB07
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 4_2_00404399 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetEnvironmentVariableA,_wprintf,_wprintf, 4_2_00404399
Contains functionality to check free disk space
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 4_2_0040AFF0 GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free, 4_2_0040AFF0
Contains functionality to instantiate COM classes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 4_2_00401F3D RegOpenKeyExA,RegEnumValueA,RegEnumValueA,RegCloseKey,CoInitialize,CLSIDFromString,CLSIDFromString,CLSIDFromString,CoCreateInstance,_wcschr,__wcsnicmp,__wcsnicmp,CoUninitialize, 4_2_00401F3D
Creates files inside the user directory
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; File created: C:\Users\user\SysWOW64
Creates temporary files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; File created: C:\Users\user\AppData\Local\Temp\4371570
PE file has an executable .text section and no other executable section
Source: systemupdate_ProtectedAUS.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Reads ini files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: vbc.exe; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, 00000004.00000002.14658008517.00400000.00000040.00000001.sdmp; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe; Binary or memory string: select * from logins where blacklisted_by_user=0;
Source: vbc.exe; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe; Binary or memory string: select * from moz_logins;
Source: vbc.exe; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe; Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
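The Yara matches above and the SQL strings just listed are both string-level findings, and they are worth reading together. Most of the SQL text is the SQLite engine's own (the vacuum_db and sqlite_rename_* statements are emitted by any statically linked SQLite), whereas "select * from moz_logins" (Firefox's saved-logins table) and "select * from logins where blacklisted_by_user=0" (Chrome's Login Data schema) only make sense in code that reads browser credential stores. A rule name alone is also not attribution: the Winnti and CN_disclosed rules fire on the same unpacked image as the njRAT rule. The example below is added here and is not Joe Sandbox, JPCERT/CC or Florian Roth code; the rule definitions and the two memory buffers are constructed for illustration. It shows how a YARA-style "N of them" condition keeps the generic SQLite text from triggering on its own, and includes a regex string for the frenchy_shellcode mutex name reported further down, in the form YARA's /regex/ strings take.

```python
"""YARA-style 'N of them' matching over memory-dump bytes (added example, constructed fixtures)."""
from __future__ import annotations
import re


def _s(text: bytes, nocase: bool = False) -> re.Pattern:
    """A plain text string, like a YARA text string, optionally 'nocase'."""
    return re.compile(re.escape(text), re.IGNORECASE if nocase else 0)


def _r(pattern: bytes) -> re.Pattern:
    """A regex string, like a YARA /regex/ string."""
    return re.compile(pattern)


# Rule set written for this example; it mirrors the report's findings, not the cited rules.
RULES = {
    # Engine strings shipped in every statically linked SQLite: benign on their own.
    "sqlite_engine_strings": {
        "strings": {"$vacuum": _s(b"vacuum_db"), "$master": _s(b"sqlite_master"),
                    "$rename": _s(b"sqlite_rename_trigger")},
        "min_of_them": 2,
    },
    # Queries against browser credential stores (Firefox moz_logins, Chrome Login Data).
    "browser_credential_queries": {
        "strings": {"$moz": _s(b"select * from moz_logins", nocase=True),
                    "$chrome": _s(b"from logins where blacklisted_by_user", nocase=True),
                    "$ffini": _s(b"profiles.ini", nocase=True)},
        "min_of_them": 1,
    },
    # Mutex name family used by the FrenchyShellcode loader (three-digit version suffix assumed).
    "frenchy_shellcode_mutex": {
        "strings": {"$mutex": _r(rb"frenchy_shellcode_\d{3}")},
        "min_of_them": 1,
    },
}


def scan(blob: bytes) -> dict[str, dict[str, list[int]]]:
    """Return {rule: {string_id: [offsets]}} for each rule whose 'min_of_them' condition holds."""
    hits: dict[str, dict[str, list[int]]] = {}
    for name, rule in RULES.items():
        matched = {}
        for sid, pat in rule["strings"].items():
            offsets = [m.start() for m in pat.finditer(blob)]
            if offsets:
                matched[sid] = offsets
        if len(matched) >= rule["min_of_them"]:
            hits[name] = matched
    return hits


def verdict(hits: dict) -> str:
    """Collapse rule hits into a triage label; SQLite text alone never raises one."""
    if "browser_credential_queries" in hits:
        return "browser-credential-stealer"
    if "sqlite_engine_strings" in hits:
        return "embeds-sqlite (benign on its own)"
    return "no-indicator"


# Constructed "memory dumps" (not bytes from the analysed sample).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master "
    + b"WHERE name='sqlite_sequence'\x00" + b"\x90" * 8
    + b"select * from moz_logins;\x00"
    + b"select * from logins where blacklisted_by_user=0;\x00"
    + b"\\Sessions\\1\\BaseNamedObjects\\frenchy_shellcode_002\x00"
)
BENIGN_DUMP = (b"UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q)\x00"
               b"SELECT * FROM vacuum_db.sqlite_master\x00")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        h = scan(blob)
        print(label, verdict(h), {rule: sorted(ids) for rule, ids in h.items()})
```

Run against real dumps, the same loop works over the .sdmp files the report lists; the point of the two-rule split is that an unpacked SQLite-based application should land on the "benign" branch while a browser password dumper also trips the credential-query rule.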
Sample is known by Antivirus
Source: systemupdate_ProtectedAUS.exe; virustotal: Detection: 47%
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe 'C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe'
Source: unknown; Process created: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' -f 'C:\Users\user\AppData\Local\Temp\4371570'
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Process created: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' -f 'C:\Users\user\AppData\Local\Temp\4371570'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
(mscorrc.dll under Microsoft.NET\Framework\v4.0.30319 is the .NET Framework runtime resource library, so this signature name is misleading for the file it matched.)
PE file contains a COM descriptor data directory
Source: systemupdate_ProtectedAUS.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: systemupdate_ProtectedAUS.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Super\Documents\visual studio 2013\Projects\pw plugin\WindowsApplication12\obj\Release\pw.pdb source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, j/OK.cs; .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, j/OK.cs; .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Code function: 1_2_0068973C push es; ret 1_2_00689818
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Code function: 1_2_00689287 push cs; ret 1_2_00689288
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Code function: 1_2_010F3A6D push 28060002h; retn 0002h 1_2_010F3A72
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Code function: 2_2_010F3A6D push 28060002h; retn 0002h 2_2_010F3A72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Code function: 4_2_004448A5 push ecx; ret 4_2_004448B8
Binary may include packed or encrypted code
Source: initial sample; Static PE information: section name: .text entropy: 6.92696568298
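The "packed or encrypted code" signature is a Shannon-entropy threshold on the section's raw bytes, and the 6.93 bits/byte reported for .text sits in the band where a reviewer should look rather than conclude. The example below is added here and is not Joe Sandbox code: it implements the measure, walks a PE section table with nothing but struct, and scores each section. The PE image it builds is a constructed fixture with valid headers and no runnable code, and the triage cut-offs are an assumption drawn from common practice; the sample's own value cannot be reproduced without the file.

```python
"""Per-section Shannon entropy of a PE image (added example; fixture is constructed, not the sample)."""
from __future__ import annotations
import math
import struct
import sys
from collections import Counter

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 when all 256 byte values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_verdict(bits: float) -> str:
    """Triage bands. The cut-offs are a widely used heuristic, not a standard (assumption)."""
    if bits >= 7.2:
        return "likely packed/encrypted"
    if bits >= 6.5:
        return "high: inspect (compressed resources, .NET IL plus metadata, or a crypter stub)"
    return "plain code/data"


def section_entropies(pe: bytes) -> dict[str, float]:
    """Walk the section table and score each section's raw (on-disk) bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # section headers follow the optional header
    result: dict[str, float] = {}
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        result[name.rstrip(b"\x00").decode("ascii", "replace")] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


def build_fake_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed fixture: DOS header, PE signature, file header, zeroed PE32 optional header
    and a section table pointing at the supplied raw bytes. Not a loadable binary."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    raw_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, raw = b"", b""
    for name, data in sections:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\x00"), len(data), 0x1000, len(data),
                             raw_start + len(raw), 0, 0, 0, 0, 0x60000020)   # CODE | EXECUTE | READ
        raw += data
    return dos + b"PE\x00\x00" + file_hdr + b"\x00" * opt_size + table + raw


if __name__ == "__main__":
    # Usage: python section_entropy.py <file.exe>   (falls back to the constructed fixture)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_fake_pe([(b".text", bytes(range(256)) * 16), (b".rdata", b"A" * 512)])
    for sec, bits in section_entropies(image).items():
        print(f"{sec:<8} {bits:5.2f} bits/byte  {entropy_verdict(bits)}")
```

For a managed assembly like this sample (the COM descriptor directory above marks it as .NET) everything lives in .text: IL, metadata and managed resources. A crypter that stores its encrypted payload as a resource therefore lifts the single section's entropy, which is why the value should be read next to the Assembly.Load(byte[]) finding rather than on its own.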

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; File created: C:\Users\user\SysWOW64\taskeng.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Load

Hooking and other Techniques for Hiding and Protection:

Detected FrenchyShellcode packer
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Mutex created: \Sessions\1\BaseNamedObjects\frenchy_shellcode_002
Stores large binary data to the registry
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Client.exe 96bbeae23f13d8b402340f54c661c049
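Four of the findings above are the ones a detection engineer would want to catch on an endpoint: the user-profile binary launching vbc.exe with a file under %TEMP% (the SecurityXploded match sits in vbc.exe's memory at 0x400000 rather than on the compiler's file, consistent with the legitimate image having been replaced in memory, so a hash of vbc.exe will not help), the PE dropped as taskeng.exe (a real Windows 7 Task Scheduler binary in C:\Windows\System32) into a fake SysWOW64 folder under the user profile, the Windows\Load autostart value, and the blob parked under HKCU\Software\Client.exe. The example below is added here and is not Joe Sandbox code or a published rule. It runs those four checks over constructed Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry value set) that mirror the report; the field names follow Sysmon's schema, while the SID, the data written to the Load value, the blob-size threshold and the list of compiler binaries are assumptions.

```python
"""Endpoint detection for the report's behaviour chain, over constructed Sysmon-style events."""
from __future__ import annotations
import re

USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)
SYSTEM_DIR_UNDER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(system32|syswow64)\\", re.I)
TEMP_ARG = re.compile(r"\\appdata\\local\\temp\\", re.I)
DOTNET_COMPILERS = ("vbc.exe", "csc.exe", "jsc.exe")          # assumption: compilers abused the same way
# Sysmon records HKCU writes as HKU\<SID>\...; fold every spelling of the hive onto one prefix.
HKCU = re.compile(r"^(hkcu|hkey_current_user|hku\\s-1-5-21-[\d-]+)\\", re.I)
LOAD_VALUE = re.compile(r"^software\\microsoft\\windows nt\\currentversion\\windows\\load$", re.I)
BLOB_UNDER_SOFTWARE = re.compile(r"^software\\[^\\]+\.exe\\[^\\]+$", re.I)
BLOB_MIN_LEN = 1024                                           # assumption


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> str | None:
    """EID 1: a .NET compiler started by a user-profile binary with a %TEMP% path on its command line."""
    if (_basename(ev["Image"]) in DOTNET_COMPILERS and USER_PROFILE.match(ev["ParentImage"])
            and TEMP_ARG.search(ev["CommandLine"])):
        return "lolbin_compiler_with_temp_payload"
    return None


def check_registry(ev: dict) -> str | None:
    """EID 13: HKCU Windows\\Load autostart, or a binary blob stored under HKCU\\Software\\<name>.exe."""
    hive = HKCU.match(ev["TargetObject"])
    if not hive:
        return None                                            # HKLM and other hives are out of scope here
    path = ev["TargetObject"][hive.end():]
    if LOAD_VALUE.search(path):
        return "autostart_windows_load"
    if BLOB_UNDER_SOFTWARE.search(path) and (ev["Details"] == "Binary Data" or len(ev["Details"]) > BLOB_MIN_LEN):
        return "large_blob_under_hkcu_software"
    return None


def check_file(ev: dict) -> str | None:
    """EID 11: an executable written into a fake System32/SysWOW64 folder inside a user profile."""
    target = ev["TargetFilename"]
    if SYSTEM_DIR_UNDER_PROFILE.match(target) and target.lower().endswith((".exe", ".dll")):
        return "system_dir_masquerade_in_profile"
    return None


CHECKS = {1: check_process, 11: check_file, 13: check_registry}


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every event that trips a check."""
    hits = []
    for i, ev in enumerate(events):
        fn = CHECKS.get(ev["EventID"])
        name = fn(ev) if fn else None
        if name:
            hits.append((i, name))
    return hits


SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed
SAMPLE = r"C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
# Constructed events mirroring the report's findings (plus two benign controls at the end).
EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "CommandLine": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": VBC, "ParentImage": SAMPLE,
     "CommandLine": VBC + r" -f C:\Users\user\AppData\Local\Temp\4371570"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Users\user\SysWOW64\taskeng.exe"},
    {"EventID": 13, "Image": SAMPLE, "Details": r"C:\Users\user\SysWOW64\taskeng.exe",   # value data assumed
     "TargetObject": SID + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load"},
    {"EventID": 13, "Image": SAMPLE, "Details": "Binary Data",
     "TargetObject": SID + r"\Software\Client.exe\96bbeae23f13d8b402340f54c661c049"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",   # build tool, benign
     "CommandLine": r"csc.exe /noconfig @C:\Users\user\AppData\Local\Temp\abc.rsp",
     "ParentImage": r"C:\Program Files (x86)\MSBuild\msbuild.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "Details": "",            # HKLM, ignored
     "TargetObject": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load"},
]

if __name__ == "__main__":
    for idx, rule in triage(EVENTS):
        print(f"event {idx}: {rule}")
```

The process check deliberately keys on the parent and the temp-file argument instead of the compiler's path or hash, because the binary that was launched is the genuine one; what changed is its contents in memory. The csc.exe control shows the cost of that choice: a build tool started from a user-profile process with a temp response file would need an allow-list entry.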
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL5SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809420023.00320000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLKSOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\LOAD
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Window / User API: threadDelayed 5505
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Window / User API: threadDelayed 515
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_4-43540)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe TID: 3012 | Thread sleep time: -85000s >= -30000s
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe TID: 3100 | Thread sleep time: -780000s >= -30000s
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe TID: 3272 | Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0040B148 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 0040B197h
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14813731660.00402000.00000040.00000001.sdmp | Binary or memory string: VBoxServiceM{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}
Source: systemupdate_ProtectedAUS.exe | Binary or memory string: VBoxService
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14809420023.00320000.00000004.00000001.sdmp | Binary or memory string: VMwareVBOX
Program exit points
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | API call chain: ExitProcess graph end node (graph_4-44485)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | API call chain: ExitProcess graph end node (graph_4-43541)
Queries a list of all running processes
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_001ADC28 CheckRemoteDebuggerPresent
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004400AC IsDebuggerPresent
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0044C259 RtlEncodePointer,RtlEncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,74ECFFF6,RtlEncodePointer,74ECFFF6,RtlEncodePointer,74ECFFF6,RtlEncodePointer,74ECFFF6,RtlEncodePointer,74ECFFF6,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_005501CB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_005500AD mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Code function: 1_2_005500AD mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00443C67 GetProcessHeap
Enables debug privileges
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00447049 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0044706C SetUnhandledExceptionFilter,UnhandledExceptionFilter
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, j/OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, j/kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, j/OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, j/kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Section loaded: unknown target pid: 3188 protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Thread register set: target process: 3188
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Thread register set: target process: 2440
May try to detect the Windows Explorer process (often used for injection)
Source: systemupdate_ProtectedAUS.exe, 00000002.00000002.14814935251.01D94000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHDnh
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810041551.01140000.00000002.00000001.sdmp, systemupdate_ProtectedAUS.exe, 00000002.00000002.14814827949.01140000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810041551.01140000.00000002.00000001.sdmp, systemupdate_ProtectedAUS.exe, 00000002.00000002.14814935251.01D94000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810041551.01140000.00000002.00000001.sdmp, systemupdate_ProtectedAUS.exe, 00000002.00000002.14814827949.01140000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: systemupdate_ProtectedAUS.exe, 00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp, systemupdate_ProtectedAUS.exe, 00000002.00000002.14813731660.00402000.00000040.00000001.sdmp | Binary or memory string: Shell_traywndyHKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
Source: systemupdate_ProtectedAUS.exe, systemupdate_ProtectedAUS.exe, 00000002.00000002.14814863883.01D40000.00000004.00000001.sdmp | Binary or memory string: Shell_traywnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00441B9C cpuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Queries volume information: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe VolumeInformation
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00448F27 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter
Contains functionality to query time zone information
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004483A1 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Contains functionality to query windows version
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004041A8 _memset,GetVersionExA,FreeLibrary
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Contains functionality to steal Internet Explorer form passwords
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00401F3D Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00401CEA Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\signons3.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\signons.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\cert8.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\signons2.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\key3.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles\22qkc0w7.default\secmod.db
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\Desktop\systemupdate_ProtectedAUS.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk

Remote Access Functionality:

Detected njRat
Source: 1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack, j/OK.cs | .Net Code: njRat config detected
Source: 2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack, j/OK.cs | .Net Code: njRat config detected

Behavior Graph

Behavior Graph ID: 934785 | Sample: systemupdate_ProtectedAUS.exe | Startdate: 12/08/2019 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 6 other signatures

Process tree (graph rendered as text):
  • systemupdate_ProtectedAUS.exe (started)
    • Dropped file: C:\Users\user\SysWOW64\taskeng.exe, PE32
    • Signatures: Detected FrenchyShellcode packer; Creates an undocumented autostart registry key; Modifies the context of a thread in another process (thread injection); 2 other signatures
    • systemupdate_ProtectedAUS.exe (started, second instance)
      • DNS/IP: 160.116.15.134, 3361, 49163 COGENT-174-CogentCommunicationsUS South Africa (signature: Detected TCP or UDP traffic on non-standard ports)
      • Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal ftp login credentials; Modifies the context of a thread in another process (thread injection)
      • vbc.exe (started)
        • Signatures: Contains functionality to steal Internet Explorer form passwords; Tries to harvest and steal browser information (history, passwords, etc)

Simulations

Behavior and APIs

Time | Type | Description
21:26:34 | API Interceptor | 788x Sleep call for process: systemupdate_ProtectedAUS.exe modified
21:27:32 | API Interceptor | 3x Sleep call for process: vbc.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
systemupdate_ProtectedAUS.exe | 48% | virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\SysWOW64\taskeng.exe | 48% | virustotal |

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack | 100% | Avira | TR/Dropper.Gen
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen
4.2.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1004669

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://no-ip.com | 0% | virustotal |
http://no-ip.com | 0% | Avira URL Cloud | safe
http://Yahoo.com48nhH | 0% | Avira URL Cloud | safe
http://hotmail.com9Software | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.14813731660.00402000.00000040.00000001.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0xac22:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00
  • 0xaa1c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xaa7c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xad5a:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
00000001.00000002.14810081002.01D40000.00000004.00000001.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x5393e:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00
  • 0x53738:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0x53798:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0x53a76:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
00000001.00000002.14811656068.04500000.00000004.00000001.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0xae6a:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00
  • 0xac64:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xacc4:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xafa2:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
00000001.00000002.14810211843.01DE7000.00000004.00000001.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0xdb3a:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00
  • 0xd934:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xd994:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xdc72:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
00000004.00000002.14658008517.00400000.00000040.00000001.sdmp | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth
  • 0x58ae0:$x1: http://securityxploded.com
00000004.00000002.14658008517.00400000.00000040.00000001.sdmp | SecurityXploded_Producer_String_RID33B2 | Detects hacktools by SecurityXploded | Florian Roth
  • 0x58ae0:$x1: http://securityxploded.com
00000001.00000002.14809736152.00682000.00000040.00000001.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0xac22:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00
  • 0xaa1c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xaa7c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xad5a:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
00000001.00000002.14810167494.01DAD000.00000004.00000001.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x358ee:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00
  • 0x356e8:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0x35748:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0x35a26:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xaf5a:$x1: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00 \x00"\x00
  • 0xac62:$s3: E\x00x\x00e\x00c\x00u\x00t\x00e\x00d\x00 \x00A\x00s\x00 \x00
  • 0x90e7:$s5: Stub.exe
  • 0xac40:$s6: D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xab7e:$s7: s\x00h\x00u\x00t\x00d\x00o\x00w\x00n\x00 \x00-\x00r\x00 \x00-\x00t\x00 \x000\x000\x00
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0x9e8e:$s1: w\x00i\x00r\x00e\x00s\x00h\x00a\x00r\x00k\x00
  • 0x9e58:$s2: p\x00r\x00o\x00c\x00e\x00x\x00p\x00
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack | MAL_Winnti_Sample_May18_1_RID3003 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0x9e8e:$s1: w\x00i\x00r\x00e\x00s\x00h\x00a\x00r\x00k\x00
  • 0x9e58:$s2: p\x00r\x00o\x00c\x00e\x00x\x00p\x00
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack | CN_disclosed_20180208_c_RID2E71 | Detects malware from disclosed CN malware set | Florian Roth
  • 0xaf5a:$x1: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00 \x00"\x00
  • 0xac62:$s3: E\x00x\x00e\x00c\x00u\x00t\x00e\x00d\x00 \x00A\x00s\x00 \x00
  • 0x90e7:$s5: Stub.exe
  • 0xac40:$s6: D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xab7e:$s7: s\x00h\x00u\x00t\x00d\x00o\x00w\x00n\x00 \x00-\x00r\x00 \x00-\x00t\x00 \x000\x000\x00
1.2.systemupdate_ProtectedAUS.exe.680000.6.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0xae22:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00
  • 0xac1c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xac7c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xaf5a:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0xaf5a:$x1: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00 \x00"\x00
  • 0xac62:$s3: E\x00x\x00e\x00c\x00u\x00t\x00e\x00d\x00 \x00A\x00s\x00 \x00
  • 0x90e7:$s5: Stub.exe
  • 0xac40:$s6: D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xab7e:$s7: s\x00h\x00u\x00t\x00d\x00o\x00w\x00n\x00 \x00-\x00r\x00 \x00-\x00t\x00 \x000\x000\x00
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0x9e8e:$s1: w\x00i\x00r\x00e\x00s\x00h\x00a\x00r\x00k\x00
  • 0x9e58:$s2: p\x00r\x00o\x00c\x00e\x00x\x00p\x00
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack | MAL_Winnti_Sample_May18_1_RID3003 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0x9e8e:$s1: w\x00i\x00r\x00e\x00s\x00h\x00a\x00r\x00k\x00
  • 0x9e58:$s2: p\x00r\x00o\x00c\x00e\x00x\x00p\x00
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack | CN_disclosed_20180208_c_RID2E71 | Detects malware from disclosed CN malware set | Florian Roth
  • 0xaf5a:$x1: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00 \x00"\x00
  • 0xac62:$s3: E\x00x\x00e\x00c\x00u\x00t\x00e\x00d\x00 \x00A\x00s\x00 \x00
  • 0x90e7:$s5: Stub.exe
  • 0xac40:$s6: D\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xab7e:$s7: s\x00h\x00u\x00t\x00d\x00o\x00w\x00n\x00 \x00-\x00r\x00 \x00-\x00t\x00 \x000\x000\x00
2.2.systemupdate_ProtectedAUS.exe.400000.1.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0xae22:$reg: S\x00E\x00E\x00_\x00M\x00A\x00S\x00K\x00_\x00N\x00O\x00Z\x00O\x00N\x00E\x00C\x00H\x00E\x00C\x00K\x00S\x00
  • 0xac1c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xac7c:$msg: E\x00x\x00e\x00c\x00u\x00t\x00e\x00 \x00E\x00R\x00R\x00O\x00R\x00
  • 0xaf5a:$ping: c\x00m\x00d\x00.\x00e\x00x\x00e\x00 \x00/\x00c\x00 \x00p\x00i\x00n\x00g\x00 \x000\x00 \x00-\x00n\x00 \x002\x00 \x00&\x00 \x00d\x00e\x00l\x00
4.2.vbc.exe.400000.1.raw.unpack | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth
  • 0x58ae0:$x1: http://securityxploded.com
4.2.vbc.exe.400000.1.raw.unpack | SecurityXploded_Producer_String_RID33B2 | Detects hacktools by SecurityXploded | Florian Roth
  • 0x58ae0:$x1: http://securityxploded.com
4.2.vbc.exe.400000.1.unpack | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | Florian Roth
  • 0x58ae0:$x1: http://securityxploded.com
4.2.vbc.exe.400000.1.unpack | SecurityXploded_Producer_String_RID33B2 | Detects hacktools by SecurityXploded | Florian Roth
  • 0x58ae0:$x1: http://securityxploded.com

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
COGENT-174-CogentCommunicationsUS | 61redacted@threatwav.exe | | malicious |
  • 38.118.12.3

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
