Analysis Report 9fERLFJPjq.exe

Overview

General Information

Sample Name: 9fERLFJPjq.exe
Analysis ID: 1274527
MD5: ddd60e9ae362def377aa70d414ed374d
SHA1: ad33d0ff9adc122776771d51743ca855cd882b4d
SHA256: 71b4a68d77929e2815ad7496882fce6c96c677fc154786621943fb90755477b3

Detection

DarkComet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected DarkComet
Yara detected Generic Dropper
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops VBS files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Potential malicious VBS script found (suspicious strings)
Tries to detect virtualization through RDTSC time measurements
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Yara detected Keylogger Generic
Yara signature match

Startup

  • System is w10x64_office
  • 9fERLFJPjq.exe (PID: 6088 cmdline: 'C:\Users\user\Desktop\9fERLFJPjq.exe' MD5: DDD60E9AE362DEF377AA70D414ED374D)
    • 9fERLFJPjq.exe (PID: 5844 cmdline: 'C:\Users\user\Desktop\9fERLFJPjq.exe' MD5: DDD60E9AE362DEF377AA70D414ED374D)
  • wscript.exe (PID: 368 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • enxavse.exe (PID: 880 cmdline: 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe' MD5: D409D2D823F91A2DCC7EE6563B632BF3)
      • enxavse.exe (PID: 5520 cmdline: 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe' MD5: D409D2D823F91A2DCC7EE6563B632BF3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.602074619.00000000006C1000.00000004.00000001.sdmp | DarkComet_2 | DarkComet | Jean-Philippe Teissier / @Jipe_
  • 0xf08:$a: #BEGIN DARKCOMET DATA --
  • 0xfd0:$a: #BEGIN DARKCOMET DATA --
  • 0xf80:$b: #EOF DARKCOMET DATA --
  • 0xee7:$c: DC_MUTEX-
00000006.00000002.602017158.0000000000696000.00000004.00000001.sdmp | DarkComet_2 | DarkComet | Jean-Philippe Teissier / @Jipe_
  • 0x6e8:$k2: #KCMDDC51#-890
00000006.00000002.601989587.0000000000668000.00000004.00000001.sdmp | DarkComet_2 | DarkComet | Jean-Philippe Teissier / @Jipe_
  • 0x138:$a: #BEGIN DARKCOMET DATA --
  • 0x2b8:$a: #BEGIN DARKCOMET DATA --
  • 0x1c7:$b: #EOF DARKCOMET DATA --
  • 0x347:$b: #EOF DARKCOMET DATA --
  • 0x159:$c: DC_MUTEX-
  • 0x2d9:$c: DC_MUTEX-
00000006.00000002.602066507.00000000006BA000.00000004.00000001.sdmp | DarkComet_2 | DarkComet | Jean-Philippe Teissier / @Jipe_
  • 0x928:$c: DC_MUTEX-
  • 0x9e8:$k2: #KCMDDC51#-890
0000000B.00000002.503082454.0000000000668000.00000004.00000001.sdmp | DarkComet_2 | DarkComet | Jean-Philippe Teissier / @Jipe_
  • 0x138:$a: #BEGIN DARKCOMET DATA --
  • 0x2b8:$a: #BEGIN DARKCOMET DATA --
  • 0x1c7:$b: #EOF DARKCOMET DATA --
  • 0x347:$b: #EOF DARKCOMET DATA --
  • 0x159:$c: DC_MUTEX-
  • 0x2d9:$c: DC_MUTEX-
(36 entries in total; the first five are listed above)

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\9fERLFJPjq.exe, ProcessId: 6088, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 9fERLFJPjq.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Avira: detection malicious, Label: HEUR/AGEN.1112794
Multi AV Scanner detection for domain / URL
Source: pownedfag.pw | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Virustotal: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: 9fERLFJPjq.exe | Virustotal: Detection: 74%
Source: 9fERLFJPjq.exe | Metadefender: Detection: 62%
Source: 9fERLFJPjq.exe | ReversingLabs: Detection: 86%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 9fERLFJPjq.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: unknown | DNS traffic detected: queries for: pownedfag.pw

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\9fERLFJPjq.exe
Source: enxavse.exe, 00000008.00000002.500606567.000000000093A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Yara match | File source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY
Source: Yara match | File source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.602074619.00000000006C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.602017158.0000000000696000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.601989587.0000000000668000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000006.00000002.602066507.00000000006BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000002.503082454.0000000000668000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000002.503148674.00000000006C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_4 Author: unknown
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_4 Author: unknown
Source: 0000000B.00000002.503141508.00000000006BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000002.503100449.0000000000696000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: 9fERLFJPjq.exe PID: 5844, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY | Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY | Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY | Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY | Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY | Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: enxavse.exe PID: 5520, type: MEMORY | Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Yara detected DarkComet
Source: Yara match | File source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY
Source: Yara match | File source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY
Potential malicious VBS script found (suspicious strings)
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Dropped file: objShell.ShellExecute "C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe", "", "", "", 1
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Process token adjusted: Security
Source: 9fERLFJPjq.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: enxavse.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9fERLFJPjq.exe, 00000002.00000002.601937327.0000000000547000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAmamau.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameMSRSAAP.EXEV vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000002.00000002.602900469.00000000021D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000006.00000000.387200650.0000000000547000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAmamau.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000006.00000002.601302452.00000000001E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe, 00000006.00000002.603021982.0000000002450000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 9fERLFJPjq.exe
Source: 9fERLFJPjq.exe | Binary or memory string: OriginalFilenameAmamau.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs 9fERLFJPjq.exe
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: 00000006.00000002.602074619.00000000006C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.602017158.0000000000696000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.601989587.0000000000668000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000006.00000002.602066507.00000000006BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000B.00000002.503082454.0000000000668000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000B.00000002.503148674.00000000006C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Malware_QA_update_RID2DAD date = 2016-08-29 10:42:01, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 0000000B.00000002.503141508.00000000006BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000B.00000002.503100449.0000000000696000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: 9fERLFJPjq.exe PID: 5844, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY | Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY | Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY | Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY | Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY | Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY | Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY | Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORY | Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: enxavse.exe PID: 5520, type: MEMORY | Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORYMatched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORYMatched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 0000000B.00000002.503141508.00000000006BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000000B.00000002.503100449.0000000000696000.00000004.00000001.sdmp, type: MEMORYMatched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: 9fERLFJPjq.exe PID: 5844, type: MEMORYMatched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORYMatched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORYMatched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORYMatched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORYMatched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORYMatched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORYMatched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORYMatched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: enxavse.exe PID: 880, type: MEMORYMatched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: enxavse.exe PID: 5520, type: MEMORYMatched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/2@349/0
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Mutant created: \Sessions\1\BaseNamedObjects\DC_MUTEX-HXSPSH8
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | File created: C:\Users\user\AppData\Local\Temp\Exjoares
Source: Yara match | File source: 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, type: MEMORY
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs'
Source: 9fERLFJPjq.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 9fERLFJPjq.exe | Virustotal: Detection: 74%
Source: 9fERLFJPjq.exe | Metadefender: Detection: 62%
Source: 9fERLFJPjq.exe | ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | File read: C:\Users\user\Desktop\9fERLFJPjq.exe
Source: unknown | Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'
Source: unknown | Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 9fERLFJPjq.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 9fERLFJPjq.exe | Static file information: File size 1593344 > 1048576
Source: 9fERLFJPjq.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13f000
Source: enxavse.exe.2.dr | Static PE information: stored header CheckSum 0x191aaa, computed over the file 0x191ac2 (invalid)
Source: 9fERLFJPjq.exe | Static PE information: stored header CheckSum 0x191aaa, computed over the file 0x191ab6 (invalid)
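The two checksum lines above report a nonzero header CheckSum that disagrees with the value recomputed over the file, for both the submitted sample and the copy it drops. The Python below is an added example, not code from the report or from the sample: it implements the PE CheckSum algorithm (the one behind imagehlp's CheckSumMappedFile, which sums the image as 16-bit words with end-around carry, skips the CheckSum field itself and adds the file length) and classifies a file as unset, valid or invalid. The minimal PE32 header it builds is constructed for the demonstration and is not a loadable image; run `verify_pe_checksum` on the bytes of a real file to reproduce figures like the report's.

```python
import struct

# OptionalHeader.CheckSum sits 64 bytes into the optional header, which
# starts 24 bytes after the "PE\0\0" signature; same offset for PE32 and PE32+.
CHECKSUM_FIELD_OFFSET = 24 + 64


def pe_checksum(data: bytes) -> int:
    """Recompute OptionalHeader.CheckSum for a PE image held in memory.

    Sum the file with end-around carry (done 32 bits at a time here and
    folded to 16 bits afterwards, which yields the same result as a
    16-bit word sum), skip the 4-byte CheckSum field, add the file length.
    """
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    skip = ((e_lfanew + CHECKSUM_FIELD_OFFSET) // 4) * 4
    padded = data + b"\x00" * (-len(data) % 4)  # zero-pad a ragged tail
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def verify_pe_checksum(data: bytes) -> dict:
    """Compare the stored header CheckSum with the recomputed one.

    'unset': the field is zero (the linker never filled it in; normal for
    user-mode EXEs). 'valid': stored == computed. 'invalid': a nonzero
    field that disagrees with the image content.
    """
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    stored = struct.unpack_from("<I", data, e_lfanew + CHECKSUM_FIELD_OFFSET)[0]
    computed = pe_checksum(data)
    if stored == 0:
        verdict = "unset"
    elif stored == computed:
        verdict = "valid"
    else:
        verdict = "invalid"
    return {"stored": stored, "computed": computed, "verdict": verdict}


def build_toy_pe(stored_checksum: int) -> bytes:
    """Constructed, minimal PE32 header (not a loadable image) so the example
    runs offline. 512 bytes long, so the file-size term is exact."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)      # e_lfanew: PE signature at 0x40
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x44, 0x014C)    # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, 0x54, 0x00E0)    # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", img, 0x56, 0x0102)    # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<H", img, 0x58, 0x010B)    # Magic: PE32
    struct.pack_into("<I", img, 0x40 + CHECKSUM_FIELD_OFFSET, stored_checksum)
    return bytes(img)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                        # python pe_checksum.py sample.exe
        with open(sys.argv[1], "rb") as fh:
            print(verify_pe_checksum(fh.read()))
    else:                                        # offline demo on the constructed header
        for stored in (0, 0xA616, 0xDEADBEEF):
            print(hex(stored), verify_pe_checksum(build_toy_pe(stored)))
```

Two caveats when reading a result like the report's. Windows only enforces this field for kernel drivers and boot-time DLLs, so "unset" on a user-mode EXE is noise, whereas a nonzero value that does not match means something rewrote the image after the linker stamped it. Here both files carry the same stored value, 0x191aaa, but compute to different numbers, so the dropped enxavse.exe is not byte-identical to the sample. The checksum is a plain sum, not a cryptographic hash: agreement proves nothing about integrity, only disagreement is informative.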
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | File created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe

Boot Survival:

Drops VBS files to the startup folder
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs
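The boot-survival chain recorded here, together with the process-creation lines earlier on the page, is the part of this report a SOC should turn into detections: a .vbs written to the user's Startup folder, WScript.exe executing it at logon, the script launching enxavse.exe from %LOCALAPPDATA%\Temp, and that binary re-spawning its own image, all alongside a DC_MUTEX- mutex. The Python below is an added example, not part of the report or of the sample: it applies three rules to Sysmon-style process-creation events (Image, CommandLine, ParentImage) and a separate check for the DC_MUTEX-XXXXXXX format. The events are constructed from the process tree in this report; the explorer.exe parent, the benign control event and the rule names are assumptions made for the demonstration.

```python
import ntpath
import re

# Script hosts that Windows will run from the Startup folder at logon.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# A script file under ...\Start Menu\Programs\Startup\ anywhere on the command line.
STARTUP_SCRIPT = re.compile(
    r"\\start menu\\programs\\startup\\[^\"']+\.(?:vbs|vbe|js|jse|wsf|wsh)\b", re.I)

# An executable resident under the user's %LOCALAPPDATA%\Temp tree.
USER_TEMP_EXE = re.compile(r"\\appdata\\local\\temp\\.+\.exe$", re.I)

# DarkComet's default mutex format as it appears in this report (DC_MUTEX-HXSPSH8).
DC_MUTEX = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process_event(ev: dict) -> list:
    """Return the rule names tripped by one process-creation event.

    ev uses Sysmon Event ID 1 field names: Image, CommandLine, ParentImage.
    """
    hits = []
    image = _basename(ev["Image"])
    parent = _basename(ev.get("ParentImage", ""))
    # wscript/cscript executing a script that lives in the Startup folder
    if image in SCRIPT_HOSTS and STARTUP_SCRIPT.search(ev.get("CommandLine", "")):
        hits.append("script_host_runs_startup_folder_script")
    # a script host launching an EXE out of the user's temp directory
    if parent in SCRIPT_HOSTS and USER_TEMP_EXE.search(ev["Image"]):
        hits.append("script_host_spawns_exe_from_user_temp")
    # a temp-resident EXE re-launching its own image (enxavse.exe -> enxavse.exe above)
    if image == parent and USER_TEMP_EXE.search(ev["Image"]):
        hits.append("temp_exe_relaunches_itself")
    return hits


def check_mutex(name: str) -> bool:
    """True when a (possibly fully qualified) mutex name follows DC_MUTEX-XXXXXXX."""
    return DC_MUTEX.match(ntpath.basename(name)) is not None


def hunt(events: list) -> list:
    """Run every rule over a list of events; returns (Image, rule) pairs."""
    return [(ev["Image"], rule) for ev in events for rule in check_process_event(ev)]


# Constructed sample telemetry. Image and command-line values are copied from the
# process tree in this report; the parent of the first two processes is not given
# there and is assumed to be explorer.exe. The last event is a benign control.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\9fERLFJPjq.exe",
     "CommandLine": r"'C:\Users\user\Desktop\9fERLFJPjq.exe'",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": (r"'C:\Windows\System32\WScript.exe' "
                     r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enxavse.vbs'"),
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe",
     "CommandLine": r"'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe",
     "CommandLine": r"'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\ProgramData\IT\inventory.vbs",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for image, rule in hunt(SAMPLE_EVENTS):
        print(f"{rule:42s} {image}")
    print("DarkComet-style mutex:", check_mutex(r"\Sessions\1\BaseNamedObjects\DC_MUTEX-HXSPSH8"))
```

The first rule fires on the logon-time execution, so the drop itself needs file-creation telemetry (Sysmon Event ID 11 on the Startup folder) to be caught before the next reboot. Process-creation events never carry mutex names, so `check_mutex` is meant for handle listings taken from a memory image or a live process enumeration, where this sample's DC_MUTEX-HXSPSH8 would surface. Legitimate login scripts do run from the Startup folder in some environments; the rule is a hunting lead to be tuned with an allow-list of known script paths, not a blocking signature.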
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | RDTSC instruction interceptor: First address: 000000000052B688 second address: 000000000052B6BD instructions: 0x00000000 rdtsc 0x00000002 test dh, 00000036h 0x00000005 paddd mm1, mm2 0x00000008 cmp bx, B97Fh 0x0000000d mov eax, esp 0x0000000f cmp cx, C32Fh 0x00000014 mov eax, dword ptr [eax+28h] 0x00000017 test ch, 00000071h 0x0000001a movd mm4, eax 0x0000001d test ch, 00000043h 0x00000020 pxor mm4, mm1 0x00000023 cmp ax, 0000DCD4h 0x00000027 movd ebx, mm4 0x0000002a test ch, 00000029h 0x0000002d cmp ebx, 636F6C6Ch 0x00000033 jne 00007F7368CE7B4Ah
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | RDTSC instruction interceptor: First address: 000000000052B688 second address: 000000000052B6BD instructions: 0x00000000 rdtsc 0x00000002 test dh, 00000036h 0x00000005 paddd mm1, mm2 0x00000008 cmp bx, B97Fh 0x0000000d mov eax, esp 0x0000000f cmp cx, C32Fh 0x00000014 mov eax, dword ptr [eax+28h] 0x00000017 test ch, 00000071h 0x0000001a movd mm4, eax 0x0000001d test ch, 00000043h 0x00000020 pxor mm4, mm1 0x00000023 cmp ax, 0000DCD4h 0x00000027 movd ebx, mm4 0x0000002a test ch, 00000029h 0x0000002d cmp ebx, 636F6C6Ch 0x00000033 jne 00007F73688EB32Ah
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | RDTSC instruction interceptor: First address: 000000000052B688 second address: 000000000052B6BD instructions: 0x00000000 rdtsc 0x00000002 test dh, 00000036h 0x00000005 paddd mm1, mm2 0x00000008 cmp bx, B97Fh 0x0000000d mov eax, esp 0x0000000f cmp cx, C32Fh 0x00000014 mov eax, dword ptr [eax+28h] 0x00000017 test ch, 00000071h 0x0000001a movd mm4, eax 0x0000001d test ch, 00000043h 0x00000020 pxor mm4, mm1 0x00000023 cmp ax, 0000DCD4h 0x00000027 movd ebx, mm4 0x0000002a test ch, 00000029h 0x0000002d cmp ebx, 636F6C6Ch 0x00000033 jne 00007F7368CE7B4Ah
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | RDTSC instruction interceptor: First address: 000000000052B688 second address: 000000000052B6BD instructions: 0x00000000 rdtsc 0x00000002 test dh, 00000036h 0x00000005 paddd mm1, mm2 0x00000008 cmp bx, B97Fh 0x0000000d mov eax, esp 0x0000000f cmp cx, C32Fh 0x00000014 mov eax, dword ptr [eax+28h] 0x00000017 test ch, 00000071h 0x0000001a movd mm4, eax 0x0000001d test ch, 00000043h 0x00000020 pxor mm4, mm1 0x00000023 cmp ax, 0000DCD4h 0x00000027 movd ebx, mm4 0x0000002a test ch, 00000029h 0x0000002d cmp ebx, 636F6C6Ch 0x00000033 jne 00007F73688EB32Ah
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\9fERLFJPjq.exe TID: 1820 | Thread sleep time: -63800s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe TID: 6076 | Thread sleep count: 67 > 30
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Last function: Thread delayed
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Process created: C:\Users\user\Desktop\9fERLFJPjq.exe 'C:\Users\user\Desktop\9fERLFJPjq.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Process created: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe 'C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe'
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh<
Source: 9fERLFJPjq.exe, 00000002.00000002.602698012.0000000000DC0000.00000002.00000001.sdmp, 9fERLFJPjq.exe, 00000006.00000002.602880501.0000000001010000.00000002.00000001.sdmp | Binary or memory string: Program ManagerWv{
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, 9fERLFJPjq.exe, 00000006.00000002.602880501.0000000001010000.00000002.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, 9fERLFJPjq.exe, 00000006.00000002.602880501.0000000001010000.00000002.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Progman
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Shell_TrayWndjjh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Progmanjhh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndjh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: ProgmanU
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: ButtonShell_TrayWndj
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Shell_traywndReBarWindow32jh
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Shell_traywndReBarWindow32jhD
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Shell_traywnd
Source: 9fERLFJPjq.exe, 00000002.00000002.605724298.0000000002F24000.00000040.00000001.sdmp, enxavse.exe, 00000008.00000002.501960152.0000000002FB6000.00000040.00000001.sdmp | Binary or memory string: Shell_TrayWndPjjh
Source: C:\Users\user\Desktop\9fERLFJPjq.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Exjoares\enxavse.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Generic Dropper
Source: Yara match | File source: Process Memory Space: 9fERLFJPjq.exe PID: 6088, type: MEMORY

Mitre Att&ck Matrix

Digits following a technique are the report's signature-count badges for that technique; "(none)" marks an empty cell.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 2 1 1 | Startup Items 1 | Startup Items 1 | Masquerading 1 | Input Capture 1 1 1 | Security Software Discovery 3 | Remote Services | Input Capture 1 1 1 | Exfiltration Over Other Network Medium | Non-Application Layer Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 2 | Process Injection 1 2 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | LSASS Driver 1 | Registry Run Keys / Startup Folder 2 | Process Injection 1 2 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | DLL Side-Loading 1 | LSASS Driver 1 | Scripting 2 1 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | (none) | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | DLL Side-Loading 1 | DLL Side-Loading 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 2 1 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | (none) | Abuse Accessibility Features

Behavior Graph

(Interactive graph not reproduced. Its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.)

Screenshots
