
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 50649
Start time: 22:25:38
Joe Sandbox Product: Cloud
Start date: 19.03.2018
Overall analysis duration: 0h 14m 45s
Hypervisor based Inspection enabled: true
Report type: full
Sample file name: govrat.exe
Cookbook file name: default.jbs
Analysis system description: W7x64 Native with HVM (patch level Feb 2018, Office 2016, Java 1.8.0_161, Flash 28, Acrobat Reader DC 18, Internet Explorer 11, Chrome 64, Firefox 58)
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.evad.winEXE@5/2@0/1
HCA Information: Failed
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Adjusted system time to: 10/10/2017
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): mscorsvw.exe, WmiPrvSE.exe, sppsvc.exe, devmonsrv.exe, mediasrv.exe, jhi_service.exe, IntelMeFWService.exe, obexsrv.exe, LMS.exe, dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 56    | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Signature Overview



Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
    POST /index.html HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
    Content-Length: 440
    Host: 192.243.101.124
Source: global traffic | HTTP traffic detected:
    POST /index.html HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
    Content-Length: 32
    Host: 192.243.101.124
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /index.html HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
    Content-Length: 440
    Host: 192.243.101.124
Urls found in memory or binary data
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/ASC.exellQ
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/ASC.exewlP
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/ASC.exeznX
Source: govrat.exe | String found in binary or memory: http://%S
Source: govrat.exe | String found in binary or memory: http://192.243.101.124/index.html
Source: govrat.exe | String found in binary or memory: http://192.243.101.124/index.htmlZZ)
Source: govrat.exe | String found in binary or memory: http://192.243.101.124e:
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: explorer.exe | String found in binary or memory: http://www.%s.comPA
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: https://www.thawte.com/repository0W

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\govrat.exe | File created: C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ASC.exe

Data Obfuscation:

Sample is protected by VMProtect
Source: govrat.exe | Static PE information: Section: .vmp1 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ASC.exe.1.dr | Static PE information: Section: .vmp1 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Entry point lies outside standard sections
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp1
PE file contains sections with non-standard names
Source: govrat.exe | Static PE information: section name: .vmp0
Source: govrat.exe | Static PE information: section name: .vmp1
Source: ASC.exe.1.dr | Static PE information: section name: .vmp0
Source: ASC.exe.1.dr | Static PE information: section name: .vmp1
Uses code obfuscation techniques (call, push, ret)
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .vmp1 entropy: 7.94598915032

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00960762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress, 1_2_00960762
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D0762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress, 5_2_012D0762

System Summary:

Detected Hacking Team Remote Control System (RCS) spyware
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0095FE2E GetProcAddress,GetProcAddress,GetProcAddress,K32EnumDeviceDrivers,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,__wcsicoll, 1_2_0095FE2E
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\govrat.exe | Memory allocated: 772C0000 page execute and read and write
Source: C:\Users\user\Desktop\govrat.exe | Memory allocated: 771C0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 772C0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 771C0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Memory allocated: 772C0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Memory allocated: 771C0000 page execute and read and write
Detected potential crypto function
PE file contains strange resources
Source: govrat.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ASC.exe.1.dr | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Classification label
Source: classification engine | Classification label: mal56.evad.winEXE@5/2@0/1
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009641C3 GetProcAddress,GetDiskFreeSpaceExW, 1_2_009641C3
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\govrat.exe | String freed: SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\govrat.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\govrat.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\govrat.exe | Key opened: HKEY_USERS\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\govrat.exe 'C:\Users\user\Desktop\govrat.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\govrat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AD05575-8857-4850-9277-11B85BDB8E09}\InProcServer32
PE file has a valid certificate
Source: govrat.exe | Static PE information: certificate valid
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: govrat.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wow64win.pdb source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64cpu.pdb source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64.pdbH source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64win.pdbH source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64.pdb source: govrat.exe, explorer.exe, ASC.exe

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: ASC.exe | Binary or memory string: Progman
Source: ASC.exe | Binary or memory string: Program Manager
Source: ASC.exe | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_roaming_microsoft_windows_start_menu_programs_startup_1a6465368f7d89b6.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\govrat.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00982D1B rdtsc 1_2_00982D1B

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Stalling execution: Execution stalls by calling Sleep (graph_5-20250)
Source: C:\Users\user\Desktop\govrat.exe | Stalling execution: Execution stalls by calling Sleep (graph_1-21009)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00982D1B rdtsc 1_2_00982D1B
Contains functionality to enumerate device drivers
Source: C:\Users\user\Desktop\govrat.exe | Code function: GetProcAddress,GetProcAddress,GetProcAddress,K32EnumDeviceDrivers,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,__wcsicoll, 1_2_0095FE2E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: GetProcAddress,GetProcAddress,GetProcAddress,K32EnumDeviceDrivers,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,__wcsicoll, 5_2_012CFE2E
Enumerates the file system
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming
Is looking for software installed on the system
Source: C:\Users\user\Desktop\govrat.exe | Registry key enumerated: More than 124 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\explorer.exe TID: 1216 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3868 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3904 | Thread sleep time: -60000s >= -60000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\govrat.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00960762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress, 1_2_00960762
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D0762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress, 5_2_012D0762
Program exit points
Source: C:\Users\user\Desktop\govrat.exe | API call chain: ExitProcess graph end node (graph_1-20536)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | API call chain: ExitProcess graph end node (graph_5-20089)
Queries a list of all running drivers
Source: C:\Users\user\Desktop\govrat.exe | System information queried: ModuleInformation

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00965B62 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00965B62
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\govrat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\govrat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

[Behavior graph image not included in this extraction. Information recoverable from the graph:]

Behavior Graph ID: 50649
Sample: govrat.exe
Start date: 19/03/2018
Architecture: WINDOWS
Score: 56
Processes: govrat.exe; explorer.exe; explorer.exe; ASC.exe (started by explorer.exe)
Network: 192.243.101.124, port 49177 -> 80, TIP-NETWORKS-INC (TIP Networks Inc, US), United States; contacted by govrat.exe
Dropped file: C:\Users\user\AppData\Roaming\...\ASC.exe, PE32; dropped by govrat.exe
Signatures: Sample is protected by VMProtect; Found stalling execution ending in API Sleep call (sample and govrat.exe); Detected Hacking Team Remote Control System (RCS) spyware (govrat.exe)

Simulations

Behavior and APIs

Time     | Type            | Description
22:26:22 | API Interceptor | 43x Sleep call for process: govrat.exe modified
22:26:40 | Autostart       | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe
22:26:41 | API Interceptor | 7x Sleep call for process: explorer.exe modified
22:26:47 | API Interceptor | 1x Sleep call for process: ASC.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots