Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:394065
Start time:10:18:19
Joe Sandbox Product:Cloud
Start date:25.10.2017
Overall analysis duration:0h 9m 59s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:i0YxTJ2SO.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:28
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection:MAL
Classification:mal84.evad.spre.expl.rans.winEXE@35/5@0/4
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 101
  • Number of non-executed functions: 75
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
Show All
  • Connection to analysis system has been lost
  • Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

StrategyScoreRangeReportingDetection
Threshold840 - 100Report FP / FNmalicious


Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox



Signature Overview

Click to jump to signature section


Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic ProviderShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00475507 CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptAcquireContextW,3_2_00475507
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00475BC4 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,memcpy,FlushViewOfFile,LocalFree,CryptDestroyHash,UnmapViewOfFile,3_2_00475BC4
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_004715A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,3_2_004715A7
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00475A73 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,LocalFree,CryptDestroyHash,UnmapViewOfFile,3_2_00475A73
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00475613 CryptStringToBinaryW,CryptStringToBinaryW,LocalAlloc,LocalAlloc,CryptStringToBinaryW,CryptDecodeObjectEx,CryptDecodeObjectEx,LocalAlloc,CryptDecodeObjectEx,CryptImportPublicKeyInfo,LocalFree,LocalFree,3_2_00475613
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00475D0A CryptDuplicateKey,CreateFileW,GetFileSizeEx,__alldiv,CreateFileMappingW,MapViewOfFile,CryptEncrypt,FlushViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CryptDestroyKey,SetEvent,3_2_00475D0A
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0047554A CryptAcquireContextW,GetLastError,CryptGenRandom,CryptReleaseContext,3_2_0047554A
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00476299 CreateEventW,CreateThread,WaitForSingleObject,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,CloseHandle,LocalFree,3_2_00476299
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0047559B CryptSetKeyParam,CryptSetKeyParam,CryptSetKeyParam,CryptGetKeyParam,LocalAlloc,CryptSetKeyParam,LocalFree,3_2_0047559B
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00475780 CryptBinaryToStringW,CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree,3_2_00475780
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_004756D8 CryptEncrypt,CryptEncrypt,LocalAlloc,memcpy,CryptEncrypt,LocalFree,3_2_004756D8
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00476085 CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDestroyHash,3_2_00476085
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00476246 CryptCreateHash,CryptHashData,CryptGetHashParam,3_2_00476246

Spam, unwanted Advertisements and Ransom Demands:

barindex
Contains functionality to import cryptographic keys (often used in ransomware)Show sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_004715A7 GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,HeapAlloc,CryptAcquireContextW,GetProcessHeap,HeapAlloc,CryptImportKey,CryptCreateHash,CryptSetHashParam,GetProcessHeap,HeapFree,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,3_2_004715A7
Clears the journal logShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Clears the windows event logShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:

Exploits:

barindex
Connects to many different private IPs (likely to spread or exploit)Show sources
Source: global trafficTCP traffic: 192.168.1.1:445
Source: global trafficTCP traffic: 192.168.1.0:139
Source: global trafficTCP traffic: 192.168.1.2:80
Connects to many different private IPs via SMB (likely to spread or exploit)Show sources
Source: global trafficTCP traffic: 192.168.1.1:445
Source: global trafficTCP traffic: 192.168.1.0:139
Source: global trafficTCP traffic: 192.168.1.2:445

Networking:

barindex
Contains functionality to download additional files from the internetShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00471EB9 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetProcessHeap,HeapAlloc,htons,send,recv,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_00471EB9
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRi82PVYYKWGJWdgVNyePy5kYTdqQQUX5r1blzMzHSa1N197z%2Fb7EyALt0CEA7P9DjI%2Fr81bgTYapgbGlA%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ts-ocsp.ws.symantec.com
Source: global trafficHTTP traffic detected: GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQd11mpyHEqFCSocj4SCu93CBydHAQUr2PWyqNOhXLgp7xB8ymiOH%2BAdWICEFRY8qrXQdZEvISpe6CWUuY%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ts-ocsp.ws.symantec.com
Urls found in memory or binary dataShow sources
Source: rundll32.exeString found in binary or memory: http://192.168.1.2/
Source: rundll32.exeString found in binary or memory: http://192.168.1.2/g
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.drString found in binary or memory: http://crl.thawte.com/thawtetimestampingca.crl0
Source: rundll32.exe, cscc.dat.3.dr, dispci.exe.3.drString found in binary or memory: http://diskcryptor.net/
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.drString found in binary or memory: http://ocsp.thawte.com0
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://rb.symcb.com/rb.crl0w
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://rb.symcb.com/rb.crt0
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://rb.symcd.com0&
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://s.symcd.com0
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://s.symcd.com06
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://sf.symcb.com/sf.crl0w
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://sf.symcb.com/sf.crt0
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://sf.symcd.com0&
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: i0YxTJ2SO.exe, cscc.dat.3.dr, infpub.dat.1.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: https://d.symcb.com/cps0%
Source: infpub.dat.1.drString found in binary or memory: https://d.symcb.com/rpa0
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: https://d.symcb.com/rpa0.
Source: i0YxTJ2SO.exe, infpub.dat.1.drString found in binary or memory: https://d.symcb.com/rpa06

Boot Survival:

barindex
Contains functionality to start windows servicesShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00479534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_00479534
Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\cscc.dat
Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\9706.tmp
Source: C:\Users\user\Desktop\i0YxTJ2SO.exeFile created: C:\Windows\infpub.dat
Drops PE files to the windows directory (C:\Windows)Show sources
Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\cscc.dat
Source: C:\Windows\System32\rundll32.exeFile created: C:\Windows\9706.tmp
Source: C:\Users\user\Desktop\i0YxTJ2SO.exeFile created: C:\Windows\infpub.dat
Drops executables to the windows directory (C:\Windows) and starts themShow sources
Source: C:\Windows\System32\rundll32.exeExecutable created and started: C:\Windows\9706.tmp

Data Obfuscation:

barindex
Contains functionality to dynamically determine API callsShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00479016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,3_2_00479016
PE file contains an invalid checksumShow sources
Source: 9706.tmp.3.drStatic PE information: real checksum: 0x114bd should be: 0x1e635
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Windows\9706.tmpCode function: 10_2_013059E5 push ecx; ret 10_2_013059F8

Spreading:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00475E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,3_2_00475E9F
Creates COM task schedule object (often to register a task for autostart)Show sources
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Contains functionality to enumerate network shares of other devicesShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00479534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError, \\%s\admin$3_2_00479534
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00479B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError, \\%s\admin$3_2_00479B63

System Summary:

barindex
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: i0YxTJ2SO.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbolsShow sources
Source: Binary string: dcrypt.pdbp source: rundll32.exe, cscc.dat.3.dr
Source: Binary string: wdigest.pdb source: 9706.tmp
Source: Binary string: dcrypt.pdb source: rundll32.exe, cscc.dat.3.dr
Source: Binary string: wdigest.pdbJ6 source: 9706.tmp
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)Show sources
Source: cscc.dat.3.drBinary string: configFlags\Device\dcrypt\DosDevices\dcryptdump_hiber_%s\$dcsys$$dcsys$\Device\CdRom%s\$DC_TRIM_%x$$dcsys$_fail_%xNTFSFATFAT32exFATH
Binary contains paths to development resourcesShow sources
Source: dispci.exe.3.drBinary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted%lS OK
Source: i0YxTJ2SO.exe, rundll32.exe, infpub.dat.1.drBinary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERM
Classification labelShow sources
Source: classification engineClassification label: mal84.evad.spre.expl.rans.winEXE@35/5@0/4
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00477CC5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,SetLastError,3_2_00477CC5
Contains functionality to create servicesShow sources
Source: C:\Windows\System32\rundll32.exeCode function: OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00471368
Source: C:\Windows\System32\rundll32.exeCode function: wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_00479534
Contains functionality to enum processes or threadsShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_004784EE CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,3_2_004784EE
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00478313 FindResourceW,LoadResource,LockResource,SizeofResource,GetProcessHeap,GetProcessHeap,HeapAlloc,RtlAllocateHeap,memcpy,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_00478313
Contains functionality to modify services (start/stop/modify)Show sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00479534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_00479534
Found command line outputShow sources
Source: C:\Windows\System32\schtasks.exeConsole Write: ........a.~u..0.....E.R.R.O.R.:. .............................}u..........#...}u.... .....i.,.#.G..v..#...........#.....
Source: C:\Windows\System32\schtasks.exeConsole Write: ........a.~u..0.................=.................................W...#.....................g_v.`.#.....X...j..u..(.....
Source: C:\Windows\System32\schtasks.exeConsole Write: ........a.~u..0.............0...L...........................`.....0...2...2..................................{{.....G..v
Source: C:\Windows\System32\schtasks.exeConsole Write: ........a.~u..0.............0...n...........................`.....1...3.x.3.......$...............$.........3p....$.G..v
Source: C:\Windows\System32\shutdown.exeConsole Write: ..............".....A. .s.y.s.t.e.m. .s.h.u.t.d.o.w.n. .i.s. .i.n. .p.r.o.g.r.e.s.s...(.1.1.1.5.)...P.".P...@.".....6...
PE file has an executable .text section and no other executable sectionShow sources
Source: i0YxTJ2SO.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini filesShow sources
Source: C:\Windows\System32\LogonUI.exeFile read: C:\Windows\win.ini
Reads software policiesShow sources
Source: C:\Users\user\Desktop\i0YxTJ2SO.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functionsShow sources
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\i0YxTJ2SO.exe 'C:\Users\user\Desktop\i0YxTJ2SO.exe'
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: unknownProcess created: C:\Windows\9706.tmp 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: unknownProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: unknownProcess created: C:\Windows\System32\shutdown.exe C:\Windows\system32\shutdown.exe /r /t 0 /f
Source: unknownProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: unknownProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: unknownProcess created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: unknownProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: unknownProcess created: C:\Windows\System32\LogonUI.exe 'LogonUI.exe' /flags:0x0
Source: unknownProcess created: C:\Windows\System32\schtasks.exe unknown
Source: unknownProcess created: C:\Windows\System32\fsutil.exe unknown
Source: C:\Users\user\Desktop\i0YxTJ2SO.exeProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\9706.tmp 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe unknown
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\schtasks.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)Show sources
Source: infpub.dat.1.drStatic PE information: Section: .rsrc ZLIB complexity 0.995711959814
Contains functionality to call native functionsShow sources
Source: C:\Windows\9706.tmpCode function: 10_2_01301D4C GetCurrentProcess,NtQueryInformationProcess,RtlGetCurrentPeb,10_2_01301D4C
Source: C:\Windows\9706.tmpCode function: 10_2_0130184E NtQuerySystemInformation,GetModuleHandleW,GetProcAddress,LocalAlloc,NtQuerySystemInformation,LocalFree,10_2_0130184E
Contains functionality to delete servicesShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00479534 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,GetLastError,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,OpenSCManagerW,memset,GetSystemTimeAsFileTime,wsprintfW,CreateServiceW,StartServiceW,GetLastError,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,DeleteFileW,WNetCancelConnection2W,SetLastError,3_2_00479534
Contains functionality to launch a process as a different userShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00479B63 wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFindExtensionW,wsprintfW,WNetAddConnection2W,PathFileExistsW,GetLastError,GetLastError,WNetCancelConnection2W,GetCurrentThread,OpenThreadToken,DuplicateTokenEx,memset,GetSystemDirectoryW,CloseHandle,PathAppendW,PathFileExistsW,wsprintfW,CreateProcessAsUserW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathFileExistsW,GetLastError,GetLastError,DeleteFileW,CloseHandle,CloseHandle,WNetCancelConnection2W,SetLastError,3_2_00479B63
Contains functionality to shutdown / reboot the systemShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00478A23 InitiateSystemShutdownExW,ExitWindowsEx,ExitProcess,3_2_00478A23
Creates files inside the system directoryShow sources
Source: C:\Users\user\Desktop\i0YxTJ2SO.exeFile created: C:\Windows\infpub.dat
Creates mutexesShow sources
Source: C:\Windows\System32\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\85427E2A3AD6FDE5
Deletes Windows filesShow sources
Source: C:\Windows\System32\rundll32.exeFile deleted: C:\Windows\infpub.dat
Enables security privilegesShow sources
Source: C:\Windows\System32\wevtutil.exeProcess token adjusted: Security
PE file contains strange resourcesShow sources
Source: i0YxTJ2SO.exeStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: i0YxTJ2SO.exeStatic PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
PE file has an invalid certificateShow sources
Source: i0YxTJ2SO.exeStatic PE information: invalid certificate
Reads the hosts fileShow sources
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version infoShow sources
Source: i0YxTJ2SO.exeBinary or memory string: OriginalFilenameFlashUtil.exev+ vs i0YxTJ2SO.exe
Source: i0YxTJ2SO.exeBinary or memory string: OriginalFilenameFlashUtil.exev+ vs i0YxTJ2SO.exe
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\i0YxTJ2SO.exeFile read: C:\Users\user\Desktop\i0YxTJ2SO.exe
Contains functionality to create processes via WMIShow sources
Source: i0YxTJ2SO.exeBinary or memory string: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB.3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.\AppData\ProgramData\Program Files\Windows.encrypted*..Readme.txt%s-h-f%dkernel32.dllIsWow64Process\\.\pipe\%ws"%ws" %wsiphlpapi.dllGetExtendedTcpTable%u.%u.%u.%uTERM
Uses shutdown.exe to shutdown or reboot the systemShow sources
Source: unknownProcess created: C:\Windows\System32\shutdown.exe C:\Windows\system32\shutdown.exe /r /t 0 /f

HIPS / PFW / Operating System Protection Evasion:

barindex
Contains functionality to add an ACL to a security descriptorShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00476FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,3_2_00476FFE
Contains functionality to create a new security descriptorShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_0047841D GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateToken,AllocateAndInitializeSid,CheckTokenMembership,TerminateProcess,FreeSid,CloseHandle,CloseHandle,CloseHandle,3_2_0047841D
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Users\user\Desktop\i0YxTJ2SO.exeProcess created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\9706.tmp 'C:\Windows\9706.tmp' \\.\pipe\{EE91B260-F47B-4E8B-B208-21BD25A3C0CE}
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\cmd.exe /c schtasks /Delete /F /TN drogon
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start \'\' \'C:\Windows\dispci.exe\' -id 3818518496 && exit'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 10:36:00
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Setup
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl System
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Security
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil cl Application
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe unknown

Anti Debugging:

barindex
Contains functionality to register its own exception handlerShow sources
Source: C:\Users\user\Desktop\i0YxTJ2SO.exeCode function: 1_2_003E1499 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_003E1499
Source: C:\Windows\9706.tmpCode function: 10_2_01304D59 SetUnhandledExceptionFilter,10_2_01304D59
Source: C:\Windows\9706.tmpCode function: 10_2_01304B37 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_01304B37
Source: C:\Windows\9706.tmpCode function: 10_2_0130601E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0130601E
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Windows\System32\rundll32.exeSystem information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)Show sources
Source: C:\Windows\9706.tmpCode function: 10_2_01304B37 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_01304B37
Contains functionality to dynamically determine API callsShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00479016 VirtualProtect,LoadLibraryA,GetProcAddress,VirtualProtect,3_2_00479016
Contains functionality which may be used to detect a debugger (GetProcessHeap)Show sources
Source: C:\Users\user\Desktop\i0YxTJ2SO.exeCode function: 1_2_003E1690 GetProcessHeap,1_2_003E1690
Enables debug privilegesShow sources
Source: C:\Windows\System32\rundll32.exeProcess token adjusted: Debug
Source: C:\Windows\9706.tmpProcess token adjusted: Debug

Malware Analysis System Evasion:

barindex
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00475E9F PathCombineW,FindFirstFileW,WaitForMultipleObjects,PathCombineW,StrStrIW,PathFindExtensionW,FindNextFileW,FindClose,3_2_00475E9F
Contains functionality to query system informationShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00475BC4 GetSystemInfo,__alldiv,MapViewOfFile,CryptDuplicateHash,CryptHashData,LocalAlloc,CryptGetHashParam,memcpy,FlushViewOfFile,LocalFree,CryptDestroyHash,UnmapViewOfFile,3_2_00475BC4
Program exit pointsShow sources
Source: C:\Windows\System32\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_3-4855
Source: C:\Windows\System32\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_3-4748
Source: C:\Windows\System32\rundll32.exeAPI call chain: ExitProcess graph end nodegraph_3-4766
Queries a list of all running processesShow sources
Source: C:\Windows\System32\rundll32.exeProcess information queried: ProcessInformation
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 2000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 500
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 1000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 300000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 900000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 180000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 3000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 10000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 180000
Source: C:\Windows\System32\rundll32.exeThread delayed: delay time: 500
Found decision node followed by non-executed suspicious APIsShow sources
Source: C:\Windows\System32\rundll32.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_3-5612
Found dropped PE file which has not been started or loadedShow sources
Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\dispci.exe
Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\cscc.dat
Source: C:\Windows\System32\rundll32.exeDropped PE file which has not been started: C:\Windows\9706.tmp
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\System32\rundll32.exe TID: 3468Thread sleep time: -2000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3540Thread sleep time: -5000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3548Thread sleep time: -1000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3628Thread sleep time: -300000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3468Thread sleep time: -900000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3544Thread sleep time: -540000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3468Thread sleep time: -3000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3624Thread sleep time: -10000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3544Thread sleep time: -180000s >= -60s
Source: C:\Windows\System32\rundll32.exe TID: 3540Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\LogonUI.exe TID: 3960Thread sleep time: -60000s >= -60s
Found evasive API chain (may stop execution after checking computer name)Show sources
Source: C:\Windows\System32\rundll32.exeEvasive API call chain: GetComputerName,DecisionNodes,ExitProcessgraph_3-4844
Found evasive API chain (may stop execution after checking mutex)Show sources
Source: C:\Windows\System32\rundll32.exeEvasive API call chain: CreateMutex,DecisionNodes,ExitProcessgraph_3-4847

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Extensive use of GetProcAddress (often used to hide API calls)Show sources
Source: C:\Windows\9706.tmpCode function: 10_2_013025AC GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_013025AC

Language, Device and Operating System Detection:

barindex
Contains functionality to create pipes for IPCShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00476FFE GetProcessHeap,GetProcessHeap,HeapAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,ConnectNamedPipe,PeekNamedPipe,Sleep,GetProcessHeap,HeapAlloc,ReadFile,StrChrW,GetProcessHeap,HeapFree,FlushFileBuffers,DisconnectNamedPipe,CloseHandle,3_2_00476FFE
Contains functionality to query local / system timeShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00478192 GetLocalTime,GetSystemDirectoryW,PathAppendW,wsprintfW,3_2_00478192
Contains functionality to query time zone informationShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_004757E5 LocalAlloc,GetSystemDefaultLCID,GetTimeZoneInformation,memcpy,NetWkstaGetInfo,memcpy,memcpy,NetApiBufferFree,LocalAlloc,memcpy,LocalFree,LocalFree,3_2_004757E5
Contains functionality to query windows versionShow sources
Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00471531 GetVersion,3_2_00471531
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behavior_graph main Behavior Graph ID: 394065 Sample:  i0YxTJ2SO.exe Startdate:  25/10/2017 Architecture:  WINDOWS Score:  84 1 i0YxTJ2SO.exe 1 main->1      started     18 shutdown.exe main->18      started     25 LogonUI.exe main->25      started     9823reducedSig Signatures exceeded maximum capacity for this level. 5 signatures have been hidden. 9823sig Clears the journal log 9813sig Clears the windows event log 9883sig Connects to many different private IPs (likely to spread or exploit) d1e296092reduced Connected ips exeeded maximum capacity for this level. 1 connected ip has been hidden. d1e296092 192.168.1.1, unknown unknown d1e296093 192.168.1.0, unknown unknown d1e296094 192.168.1.2, 80 unknown unknown d1e14132 cscc.dat, PE32 d1e14159 dispci.exe, PE32 d1e14186 9706.tmp, PE32 3 rundll32.exe 1 3 1->3      started     3->9823reducedSig 3->9823sig 3->9813sig 3->9883sig 3->d1e296092reduced 3->d1e296092 3->d1e296093 3->d1e296094 3->d1e14132 dropped 3->d1e14159 dropped 3->d1e14186 dropped 4reduced Processes exeeded maximum capacity for this level. 1 process has been hidden. 3->4reduced      started     4 cmd.exe 3->4      started     7 cmd.exe 3->7      started     8 cmd.exe 3->8      started     15 cmd.exe 3->15      started     22 cmd.exe 3->22      started     6 schtasks.exe 4->6      started     11 schtasks.exe 7->11      started     14 schtasks.exe 8->14      started     17 wevtutil.exe 15->17      started     26 schtasks.exe 22->26      started     process1 process3 dnsIp3 fileCreated3 signatures3 process4 process6 fileCreated1

Simulations

Behavior and APIs

TimeTypeDescription
10:18:44API Interceptor1x Sleep call for process: rundll32.exe modified from: 900000ms to: 500ms
10:18:44API Interceptor1x Sleep call for process: rundll32.exe modified from: 300000ms to: 500ms
10:18:46Task SchedulerRun new task: drogon path: C:\Windows\system32\shutdown.exe s>/r /t 0 /f
10:36:00API Interceptor4x Sleep call for process: rundll32.exe modified from: 180000ms to: 500ms
10:36:03API Interceptor1x Sleep call for process: LogonUI.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot