Analysis Report rYkaVx1Tiz.exe
Overview
General Information

| Field | Value |
|---|---|
| Joe Sandbox Version | 23.0.0 |
| Analysis ID | 60291 |
| Start date | 12.09.2018 |
| Start time | 10:20:01 |
| Joe Sandbox Product | Cloud |
| Overall analysis duration | 0h 9m 11s |
| Hypervisor based Inspection enabled | false |
| Report type | full |
| Sample file name | rYkaVx1Tiz.exe |
| Cookbook file name | default.jbs |
| Analysis system description | W10 Native physical Machine for testing VM-aware malware (Office 2010, Java 1.8.0_91, Flash 22.0.0.192, Acrobat Reader DC 15.016.20039, Internet Explorer 11, Chrome 55, Firefox 50) |
| Number of new started processes analysed | 16 |
| Number of new started drivers analysed | 0 |
| Number of existing processes analysed | 0 |
| Number of existing drivers analysed | 0 |
| Number of injected processes analysed | 0 |
| Technologies | |
| Analysis stop reason | Timeout |
| Detection | MAL |
| Classification | mal100.bank.evad.winEXE@25/34@12/0 |
| EGA Information | Failed |
| HDC Information | Failed |
| HCA Information | |
| Cookbook Comments | |
| Warnings | |
Detection

| Strategy | Score | Range |
|---|---|---|
| Threshold | 100 | 0 - 100 |

Confidence

| Strategy | Score | Range | Further Analysis Required? |
|---|---|---|---|
| Threshold | 5 | 0 - 5 | false |
Classification

Analysis Advice

- All domains contacted by the sample do not resolve. The sample is likely an old dropper that no longer works.
- The sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behavior.
Signature Overview
AV Detection

| Signature | Source | Evidence |
|---|---|---|
| Antivirus detection for submitted file | rYkaVx1Tiz.exe | Avira |
| Multi AV Scanner detection for submitted file | rYkaVx1Tiz.exe | virustotal |
| | rYkaVx1Tiz.exe | metadefender |
| Antivirus detection for unpacked file | 0.1.rYkaVx1Tiz.exe.1c0000.0.unpack | Avira |
| | 10.1.WindowsImplantment.exe.1c0000.0.unpack | Avira |
| | 10.2.WindowsImplantment.exe.1c0000.0.unpack | Avira |
| | 10.0.WindowsImplantment.exe.1c0000.2.unpack | Avira |
| | 10.0.WindowsImplantment.exe.1c0000.0.unpack | Avira |
| | 0.0.rYkaVx1Tiz.exe.1c0000.0.unpack | Avira |
| | 0.2.rYkaVx1Tiz.exe.1c0000.0.unpack | Avira |
| | 10.0.WindowsImplantment.exe.1c0000.1.unpack | Avira |
Spreading

| Signature | Source | Evidence |
|---|---|---|
| Creates COM task schedule object (often to register a task for autostart) | C:\Windows\System32\schtasks.exe | Key opened (7 entries) |
| Enumerates the file system | C:\Windows\System32\wscript.exe | File opened (6 entries) |
Networking

| Signature | Source | Evidence |
|---|---|---|
| Creates a COM Internet Explorer object | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened (13 entries) |
| | C:\ProgramData\Windows\WindowsImplantment.exe | Key opened (20 entries) |
| Tries to resolve domain names, but no domain seems valid (expired dropper behavior) | unknown | DNS traffic detected |
| Found strings which match known social media URLs | msapplication.xml1.7.dr | String found in binary or memory (2 entries) |
| | msapplication.xml6.7.dr | String found in binary or memory (2 entries) |
| | msapplication.xml8.7.dr | String found in binary or memory (2 entries) |
| Performs DNS lookups | unknown | DNS traffic detected |
| URLs found in memory or binary data | rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp | String found in binary or memory (3 entries) |
| | msapplication.xml.7.dr | String found in binary or memory |
| | msapplication.xml2.7.dr | String found in binary or memory |
| | msapplication.xml3.7.dr | String found in binary or memory |
| | msapplication.xml4.7.dr | String found in binary or memory |
| | msapplication.xml5.7.dr | String found in binary or memory |
| | msapplication.xml6.7.dr | String found in binary or memory |
| | msapplication.xml7.7.dr | String found in binary or memory |
| | rYkaVx1Tiz.exe, 00000000.00000002.25126087232.018D0000.00000004.sdmp, ~DF56506D0F3B9A9AFA.TMP.7.dr | String found in binary or memory |
| | {ABF4A47C-B6B0-11E8-8397-0024E89CECB7}.dat.14.dr | String found in binary or memory (2 entries) |
| | msapplication.xml8.7.dr | String found in binary or memory |
System Summary

| Signature | Source | Evidence |
|---|---|---|
| Potential malicious VBS script found (suspicious strings) | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Dropped file |
| Starts Internet Explorer in hidden mode | C:\Program Files\Internet Explorer\iexplore.exe | Window hidden (2 entries) |
| Sample file name differs from the original file name gathered from version info | rYkaVx1Tiz.exe, 00000000.00000002.25128114963.04820000.00000002.sdmp | Binary or memory string |
| | rYkaVx1Tiz.exe, 00000000.00000002.25124602420.001F0000.00000002.sdmp | Binary or memory string |
| | rYkaVx1Tiz.exe, 00000000.00000002.25128328914.04890000.00000002.sdmp | Binary or memory string |
| | rYkaVx1Tiz.exe | Binary or memory string |
| Tries to load missing DLLs | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Section loaded |
| | C:\Windows\System32\wscript.exe | Section loaded (2 entries) |
| | C:\ProgramData\Windows\WindowsImplantment.exe | Section loaded |
| Classification label | classification engine | Classification label |
| Creates files inside the user directory | C:\Users\user\Desktop\rYkaVx1Tiz.exe | File created |
| Creates temporary files | C:\Program Files\Internet Explorer\iexplore.exe | File created |
| Executes visual basic scripts | unknown | Process created |
| PE file has an executable .text section and no other executable section | rYkaVx1Tiz.exe | Static PE information |
| Parts of this application use the .NET runtime (probably coded in C#) | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Section loaded |
| | C:\ProgramData\Windows\WindowsImplantment.exe | Section loaded |
| Reads ini files | C:\Program Files\Internet Explorer\iexplore.exe | File read |
| Reads software policies | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key opened |
| Sample is known by Antivirus | rYkaVx1Tiz.exe | virustotal |
| | rYkaVx1Tiz.exe | metadefender |
| Spawns processes | unknown | Process created (16 entries) |
| | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Process created (2 entries) |
| | C:\Windows\System32\cmd.exe | Process created (3 entries) |
| | C:\Program Files\Internet Explorer\iexplore.exe | Process created (2 entries) |
| | C:\Windows\System32\wscript.exe | Process created |
| | C:\ProgramData\Windows\WindowsImplantment.exe | Process created |
| Uses an in-process (OLE) Automation server | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key value queried |
| Found GUI installer (many successful clicks) | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Automated click |
| | C:\ProgramData\Windows\WindowsImplantment.exe | Automated click |
| Found graphical window changes (likely an installer) | Window Recorder | Window detected |
| Uses Microsoft Silverlight | C:\Users\user\Desktop\rYkaVx1Tiz.exe | File opened |
| Uses new MSVCR DLLs | C:\Program Files\Internet Explorer\iexplore.exe | File opened |
| Contains modern PE file flags such as dynamic base (ASLR) or NX | rYkaVx1Tiz.exe | Static PE information |
Persistence and Installation Behavior

| Signature | Source | Evidence |
|---|---|---|
| Drops PE files to the application program directory (C:\ProgramData) | C:\Users\user\Desktop\rYkaVx1Tiz.exe | PE file moved |

Boot Survival

| Signature | Source | Evidence |
|---|---|---|
| Uses schtasks.exe or at.exe to add and modify task schedules | unknown | Process created |
| Uses whoami command line tool to query computer and username | unknown | Process created (2 entries) |
| | C:\Windows\System32\cmd.exe | Process created (2 entries) |
| Creates or modifies Windows services | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Registry key created |
Hooking and other Techniques for Hiding and Protection

| Signature | Source | Evidence |
|---|---|---|
| Disables application error messages (SetErrorMode) | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Process information set (33 entries) |
| | C:\Windows\System32\wscript.exe | Process information set (26 entries) |
| | C:\ProgramData\Windows\WindowsImplantment.exe | Process information set (32 entries) |
Malware Analysis System Evasion

| Signature | Source | Evidence |
|---|---|---|
| Queries BIOS fan information (via WMI, Win32_Fan, often done to detect virtual machines) | C:\Users\user\Desktop\rYkaVx1Tiz.exe | WMI Queries |
| | C:\ProgramData\Windows\WindowsImplantment.exe | WMI Queries |
| Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines) | C:\Users\user\Desktop\rYkaVx1Tiz.exe | WMI Queries |
| | C:\ProgramData\Windows\WindowsImplantment.exe | WMI Queries |
| Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) | C:\Users\user\Desktop\rYkaVx1Tiz.exe | WMI Queries |
| | C:\ProgramData\Windows\WindowsImplantment.exe | WMI Queries |
| Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) | C:\Users\user\Desktop\rYkaVx1Tiz.exe | WMI Queries |
| | C:\ProgramData\Windows\WindowsImplantment.exe | WMI Queries |
| Queries thermal zone temperature information (via WMI, MSAcpi_ThermalZoneTemperature, often done to detect virtual machines) | C:\Users\user\Desktop\rYkaVx1Tiz.exe | WMI Queries |
| | C:\ProgramData\Windows\WindowsImplantment.exe | WMI Queries (2 entries) |
| Tries to detect sandboxes and other dynamic analysis tools (process name or module) | rYkaVx1Tiz.exe | Binary or memory string |
| Enumerates the file system | C:\Windows\System32\wscript.exe | File opened (6 entries) |
| Found WSH timer for JavaScript or VBS script (likely evasive script) | C:\Windows\System32\wscript.exe | Window found |
| May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) | rYkaVx1Tiz.exe | Binary or memory string (3 entries) |
| | rYkaVx1Tiz.exe, 00000000.00000002.25128328914.04890000.00000002.sdmp | Binary or memory string |
Anti Debugging

| Signature | Source | Evidence |
|---|---|---|
| Checks for debuggers (devices) | C:\Windows\System32\wscript.exe | File opened |
| Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) | C:\Windows\System32\wscript.exe | System information queried |
| Enables debug privileges | C:\Windows\System32\whoami.exe | Process token adjusted |
| Creates guard pages, often used to prevent reverse engineering and debugging | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Memory allocated |

Language, Device and Operating System Detection

| Signature | Source | Evidence |
|---|---|---|
| Queries the volume information (name, serial number etc.) of a device | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Queries volume information (5 entries) |
| | C:\Windows\System32\wscript.exe | Queries volume information (3 entries) |
| | C:\ProgramData\Windows\WindowsImplantment.exe | Queries volume information (5 entries) |
| Queries the cryptographic machine GUID | C:\Users\user\Desktop\rYkaVx1Tiz.exe | Key value queried |
Behavior Graph

Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 10:21:59 | Task Scheduler | Run new task: b02b15c6-e056-40aa-adeb-360635a4a3df path: wscript s>C:\ProgramData\Windows\ShwDoc.vbs |
| 20:24:00 | API Interceptor | 21x Sleep call for process: rYkaVx1Tiz.exe modified |
| 20:24:26 | API Interceptor | 1x Sleep call for process: WindowsImplantment.exe modified |
Antivirus Detection

Initial Sample

| Detection | Scanner | Label |
|---|---|---|
| 70% | virustotal | |
| 51% | metadefender | |
| 100% | Avira | TR/Dropper.MSIL.Gen2 |

Dropped Files

No Antivirus matches

Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 8 unpacked PE files (listed under AV Detection above) | 100% | Avira | TR/Dropper.MSIL.Gen2 |

Domains

No Antivirus matches

URLs
Yara Overview

| Category | Result |
|---|---|
| Initial Sample | No yara matches |
| PCAP (Network Traffic) | No yara matches |
| Dropped Files | No yara matches |
| Memory Dumps | No yara matches |
| Unpacked PEs | No yara matches |

Joe Sandbox View / Context

Screenshots