Analysis Report rYkaVx1Tiz.exe

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 60291
Start date: 12.09.2018
Start time: 10:20:01
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 9m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: rYkaVx1Tiz.exe
Cookbook file name: default.jbs
Analysis system description: W10 Native physical Machine for testing VM-aware malware (Office 2010, Java 1.8.0_91, Flash 22.0.0.192, Acrobat Reader DC 15.016.20039, Internet Explorer 11, Chrome 55, Firefox 50)
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.evad.winEXE@25/34@12/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 6
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Execution Graph export aborted for target iexplore.exe, PID 2848 because there are no executed functions
  • Execution Graph export aborted for target iexplore.exe, PID 3464 because there are no executed functions
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: rYkaVx1Tiz.exe, WindowsImplantment.exe

Detection

Strategy    Score   Range      Reporting        Detection
Threshold   100     0 - 100    Report FP / FN   malicious

Confidence

Strategy    Score   Range      Further Analysis Required?   Confidence
Threshold   5       0 - 5      false


Classification

Analysis Advice

None of the domains contacted by the sample resolve; the sample is likely an old dropper that no longer works.
The sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.



Signature Overview


AV Detection:

Antivirus detection for submitted file
Source: rYkaVx1Tiz.exe; Avira: Label: TR/Dropper.MSIL.Gen2
Multi AV Scanner detection for submitted file
Source: rYkaVx1Tiz.exe; virustotal: Detection: 70%
Source: rYkaVx1Tiz.exe; metadefender: Detection: 51%
Antivirus detection for unpacked file
Source: 0.1.rYkaVx1Tiz.exe.1c0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 10.1.WindowsImplantment.exe.1c0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 10.2.WindowsImplantment.exe.1c0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 10.0.WindowsImplantment.exe.1c0000.2.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 10.0.WindowsImplantment.exe.1c0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 0.0.rYkaVx1Tiz.exe.1c0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 0.2.rYkaVx1Tiz.exe.1c0000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen2
Source: 10.0.WindowsImplantment.exe.1c0000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen2

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Enumerates the file system
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_USERS\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown; DNS traffic detected: query: www.windowspatch.com, reply code: Server failure (2)
Found strings which match known social media URLs
Source: msapplication.xml1.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7b32f7e9,0x01d44abd</date><accdate>0x7b32f7e9,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7b32f7e9,0x01d44abd</date><accdate>0x7b37bd56,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7b6e9a20,0x01d44abd</date><accdate>0x7b6e9a20,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7b6e9a20,0x01d44abd</date><accdate>0x7b735e6b,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7b8407e5,0x01d44abd</date><accdate>0x7b8407e5,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.7.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7b8407e5,0x01d44abd</date><accdate>0x7b866b06,0x01d44abd</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: www.windowspatch.com
URLs found in memory or binary data
Source: rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msapplication.xml.7.dr; String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.7.dr; String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.7.dr; String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.7.dr; String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.7.dr; String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.7.dr; String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.7.dr; String found in binary or memory: http://www.wikipedia.com/
Source: rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp; String found in binary or memory: http://www.windowspatch.com
Source: rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp; String found in binary or memory: http://www.windowspatch.com/
Source: rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp, ~DF56506D0F3B9A9AFA.TMP.7.dr; String found in binary or memory: http://www.windowspatch.com/khc?77313033325C626F726174
Source: {ABF4A47C-B6B0-11E8-8397-0024E89CECB7}.dat.14.dr; String found in binary or memory: http://www.windowspatch.com/khc?77313033325C626F726174Root
Source: {ABF4A47C-B6B0-11E8-8397-0024E89CECB7}.dat.14.dr; String found in binary or memory: http://www.windowspatch.com/khc?77313033325C626F726174h.com/khc?77313033325C626F726174
Source: msapplication.xml8.7.dr; String found in binary or memory: http://www.youtube.com/

System Summary:

Potentially malicious VBS script found (suspicious strings)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Dropped file: CreateObject("WScript.Shell").Run("C:\ProgramData\Windows\WindowsImplantment.exe")
Starts Internet Explorer in hidden mode
Source: C:\Program Files\Internet Explorer\iexplore.exe; Window hidden: window name: IEFrame
Sample file name differs from the original file name gathered from version info
Source: rYkaVx1Tiz.exe, 00000000.00000002.25128114963.04820000.00000002.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs rYkaVx1Tiz.exe
Source: rYkaVx1Tiz.exe, 00000000.00000002.25124602420.001F0000.00000002.sdmp; Binary or memory string: OriginalFilenameWindows Implantment Module.exej% vs rYkaVx1Tiz.exe
Source: rYkaVx1Tiz.exe, 00000000.00000002.25128328914.04890000.00000002.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs rYkaVx1Tiz.exe
Source: rYkaVx1Tiz.exe; Binary or memory string: OriginalFilenameWindows Implantment Module.exej% vs rYkaVx1Tiz.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Section loaded: sbiedll.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: urlmon.dll
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Section loaded: sbiedll.dll
Classification label
Source: classification engine; Classification label: mal100.bank.evad.winEXE@25/34@12/0
Creates files inside the user directory
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rYkaVx1Tiz.exe.log
Creates temporary files
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Temp\~DF264248DDDB5CB074.TMP
Executes Visual Basic scripts
Source: unknown; Process created: C:\Windows\System32\cmd.exe cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
PE file has an executable .text section and no other executable section
Source: rYkaVx1Tiz.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\35849a60913000fe067eb742f5cabec9\mscorlib.ni.dll
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\35849a60913000fe067eb742f5cabec9\mscorlib.ni.dll
Reads ini files
Source: C:\Program Files\Internet Explorer\iexplore.exe; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: rYkaVx1Tiz.exe; virustotal: Detection: 70%
Source: rYkaVx1Tiz.exe; metadefender: Detection: 51%
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\rYkaVx1Tiz.exe 'C:\Users\user\Desktop\rYkaVx1Tiz.exe'
Source: unknown; Process created: C:\Windows\System32\cmd.exe 'cmd.exe' /c whoami
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown; Process created: C:\Windows\System32\whoami.exe whoami
Source: unknown; Process created: C:\Windows\System32\cmd.exe cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Source: unknown; Process created: C:\Windows\System32\schtasks.exe SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1712 CREDAT:82945 /prefetch:2
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE C:\ProgramData\Windows\ShwDoc.vbs
Source: unknown; Process created: C:\ProgramData\Windows\WindowsImplantment.exe 'C:\ProgramData\Windows\WindowsImplantment.exe'
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3544 CREDAT:75009 /prefetch:2
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Process created: C:\Windows\System32\cmd.exe 'cmd.exe' /c whoami
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Process created: C:\Windows\System32\cmd.exe cmd.exe /c SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\schtasks.exe SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1712 CREDAT:82945 /prefetch:2
Source: C:\Windows\System32\wscript.exe; Process created: C:\ProgramData\Windows\WindowsImplantment.exe 'C:\ProgramData\Windows\WindowsImplantment.exe'
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Process created: C:\Windows\System32\cmd.exe 'cmd.exe' /c whoami
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3544 CREDAT:75009 /prefetch:2
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Found GUI installer (many successful clicks)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Automated click: OK
Source: C:\ProgramData\Windows\WindowsImplantment.exe; Automated click: OK
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Uses new MSVCR DLLs
Source: C:\Program Files\Internet Explorer\iexplore.exe; File opened: C:\Program Files\Java\jre1.8.0_91\bin\msvcr100.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: rYkaVx1Tiz.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; PE file moved: C:\ProgramData\Windows\WindowsImplantment.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown; Process created: C:\Windows\System32\schtasks.exe SchTasks /Create /SC MINUTE /MO 3 /TN 'b02b15c6-e056-40aa-adeb-360635a4a3df' /TR 'wscript C:\ProgramData\Windows\ShwDoc.vbs' /f
Uses whoami command line tool to query computer and username
Source: unknown; Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\whoami.exe whoami
Creates or modifies Windows services
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ASP.NET_4.0.30319\Names

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Fan
Source: C:\ProgramData\Windows\WindowsImplantment.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Fan
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_PointingDevice
Source: C:\ProgramData\Windows\WindowsImplantment.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_PointingDevice
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BaseBoard
Source: C:\ProgramData\Windows\WindowsImplantment.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_BaseBoard
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_DiskDrive
Source: C:\ProgramData\Windows\WindowsImplantment.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_DiskDrive
Queries thermal zone temperature information (via WMI, MSAcpi_ThermalZoneTemperature, often done to detect virtual machines)
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSAcpi_ThermalZoneTemperature
Source: C:\ProgramData\Windows\WindowsImplantment.exe | WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSAcpi_ThermalZoneTemperature
Tries to detect sandboxes and other dynamic analysis tools (process name or module)
Source: rYkaVx1Tiz.exe | Binary or memory string: SBIEDLL.DLL
Enumerates the file system
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Found WSH timer for JavaScript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: rYkaVx1Tiz.exe | Binary or memory string: vmGuestLib.dll
Source: rYkaVx1Tiz.exe, 00000000.00000002.25128328914.04890000.00000002.sdmp | Binary or memory string: A virtual machine could not be started because Hyper-V is not installed.
Source: rYkaVx1Tiz.exe | Binary or memory string: vboxmrxnp.dll
Source: rYkaVx1Tiz.exe | Binary or memory string: vmbusres.dll

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\System32\wscript.exe | File opened: C:\Windows\WinSxS\FileMaps\programdata_windows_ef1ff04e6eb475e1.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\wscript.exe | System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\whoami.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Memory allocated: page read and write | page guard

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Queries volume information: C:\Users\user\Desktop\rYkaVx1Tiz.exe VolumeInformation
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Client-Package~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformation
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Queries volume information: C:\ProgramData\Windows\WindowsImplantment.exe VolumeInformation
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\ProgramData\Windows\WindowsImplantment.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 60291 | Sample: rYkaVx1Tiz.exe | Startdate: 12/09/2018 | Architecture: WINDOWS | Score: 100

(Graph rendered as text; recoverable content follows.)

Signatures on the sample node: Antivirus detection for submitted file; Multi AV Scanner detection for submitted file; Tries to detect sandboxes and other dynamic analysis tools (process name or module); 3 other signatures

Process tree:
  rYkaVx1Tiz.exe
    dropped: C:\Users\user\AppData\...\rYkaVx1Tiz.exe.log (ASCII); C:\ProgramData\Windows\ShwDoc.vbs (ASCII)
    signatures: Potential malicious VBS script found (suspicious strings); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 4 other signatures
    cmd.exe -> conhost.exe, whoami.exe (Uses whoami command line tool to query computer and username)
    cmd.exe -> conhost.exe, schtasks.exe
  wscript.exe
    WindowsImplantment.exe
      signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Queries thermal zone temperature information (via WMI, MSAcpi_ThermalZoneTemperature, often done to detect virtual machines); 3 other signatures
      cmd.exe -> conhost.exe, whoami.exe (Uses whoami command line tool to query computer and username)
  iexplore.exe (Starts Internet Explorer in hidden mode)
    iexplore.exe -> www.windowspatch.com
  iexplore.exe
    iexplore.exe -> www.windowspatch.com

Simulations

Behavior and APIs

Time | Type | Description
10:21:59 | Task Scheduler | Run new task: b02b15c6-e056-40aa-adeb-360635a4a3df path: wscript s>C:\ProgramData\Windows\ShwDoc.vbs
20:24:00 | API Interceptor | 21x Sleep call for process: rYkaVx1Tiz.exe modified
20:24:26 | API Interceptor | 1x Sleep call for process: WindowsImplantment.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
rYkaVx1Tiz.exe | 70% | virustotal |
rYkaVx1Tiz.exe | 51% | metadefender |
rYkaVx1Tiz.exe | 100% | Avira | TR/Dropper.MSIL.Gen2

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.1.rYkaVx1Tiz.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
10.1.WindowsImplantment.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
10.2.WindowsImplantment.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
10.0.WindowsImplantment.exe.1c0000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
10.0.WindowsImplantment.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
0.0.rYkaVx1Tiz.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
0.2.rYkaVx1Tiz.exe.1c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2
10.0.WindowsImplantment.exe.1c0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen2

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.windowspatch.com/ | 6% | virustotal |
http://www.windowspatch.com | 6% | virustotal |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots