Windows Analysis Report
Hu25VEa8Dr.exe

Overview

General Information

Sample Name: Hu25VEa8Dr.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name: 9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7
Analysis ID: 1317431
MD5: bc76bd7b332aa8f6aedbb8e11b7ba9b6
SHA1: c6858031315a50ec87e37966291ec69b64600efb
SHA256: 9535a9bb1ae8f620d7cbd7d9f5c20336b0fd2c78d1a7d892d76e4652dd8b2be7

Detection

Gamarue
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Tries to download HTTP data from a sinkholed server
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Yara detected Gamarue
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Contains functionality to detect virtual machines
Allocates memory in foreign processes
Injects a PE file into a foreign process
Contains functionality to inject code into remote processes
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Contains functionality to check if Internet connection is working
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to get notified if a device is plugged in / out
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
Sample file name is different from the original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Uses Microsoft's Enhanced Cryptographic Provider
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: Hu25VEa8Dr.exe ReversingLabs: Detection: 95%
Source: Hu25VEa8Dr.exe Virustotal: Detection: 81%
Source: Hu25VEa8Dr.exe Avira: detected
Source: http://orzdwjtvmein.in/in.php Avira URL Cloud: Label: malware
Source: http://bdcrqgonzmwuehky.nl/in.php Avira URL Cloud: Label: malware
Source: http://somicrososoft.ru/in.php Avira URL Cloud: Label: malware
Source: http://xdqzpbcgrvkj.ru/in.php Avira URL Cloud: Label: malware
Source: http://anam0rph.su/in.php Avira URL Cloud: Label: malware
Source: http://xdqzpbcgrvkj.ru/in.phphttp://anam0rph.su/in.phphttp://orzdwjtvmein.in/in.phphttp://ygiudewsqh Avira URL Cloud: Label: malware
Source: http://ygiudewsqhct.in/in.php Avira URL Cloud: Label: malware
Source: xdqzpbcgrvkj.ru Virustotal: Detection: 18%
Source: http://orzdwjtvmein.in/in.php Virustotal: Detection: 11%
Source: http://pe.suckmycocklameavindustry.in/ Virustotal: Detection: 6%
Source: anam0rph.su Virustotal: Detection: 11%
Source: http://bdcrqgonzmwuehky.nl/in.php Virustotal: Detection: 11%
Source: http://somicrososoft.ru/in.php Virustotal: Detection: 14%
Source: pe.suckmycocklameavindustry.in Virustotal: Detection: 6%
Source: http://anam0rph.su/in.php Virustotal: Detection: 13%
Source: http://xdqzpbcgrvkj.ru/in.phphttp://anam0rph.su/in.phphttp://orzdwjtvmein.in/in.phphttp://ygiudewsqh Virustotal: Detection: 14%
Source: http://ygiudewsqhct.in/in.php Virustotal: Detection: 13%
Source: http://xdqzpbcgrvkj.ru/in.php Virustotal: Detection: 16%
Source: http://sc.suckmycocklameavindustry.in/ Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll Avira: detection malicious, Label: HEUR/AGEN.1358866
Source: C:\Users\user\AppData\Local\Temp\0BBFF.tmp Avira: detection malicious, Label: TR/AD.Gamarue.njjtd
Source: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll Avira: detection malicious, Label: TR/Symmi.17001.30
Source: C:\Users\user\AppData\Local\Temp\naseropuxeq.dll Avira: detection malicious, Label: TR/Graftor.75972.7
Source: C:\Users\user\AppData\Local\Temp\yiduyevutog.dll Avira: detection malicious, Label: TR/Symmi.17001.22
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Avira: detection malicious, Label: TR/Agent.hwpf
Source: C:\Users\user\AppData\Local\Temp\natigezeholi.dll Avira: detection malicious, Label: HEUR/AGEN.1328724
Source: C:\ProgramData\Local Settings\Temp\msoiruj.bat Avira: detection malicious, Label: TR/AD.Gamarue.djauj
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Avira: detection malicious, Label: HEUR/AGEN.1344339
Source: C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll Avira: detection malicious, Label: TR/Symmi.17001.23
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Avira: detection malicious, Label: TR/AD.Gamarue.djauj
Source: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll Avira: detection malicious, Label: HEUR/AGEN.1322941
Source: C:\ProgramData\Local Settings\Temp\msoiruj.bat ReversingLabs: Detection: 86%
Source: C:\ProgramData\Local Settings\Temp\msoiruj.bat Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\0BBFF.tmp ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\0BBFF.tmp Virustotal: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\Firozedikami.dll ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\Firozedikami.dll Virustotal: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll Virustotal: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll Virustotal: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll Virustotal: Detection: 74%
Source: C:\Users\user\AppData\Local\Temp\naseropuxeq.dll ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Temp\naseropuxeq.dll Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\natigezeholi.dll ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\natigezeholi.dll Virustotal: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll Virustotal: Detection: 67%
Source: C:\Users\user\AppData\Local\Temp\yiduyevutog.dll ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\yiduyevutog.dll Virustotal: Detection: 72%
Source: C:\ProgramData\Local Settings\Temp\msoiruj.bat Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 3_2_00402493 PathCombineA,CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt, 3_2_00402493
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 7_2_00402493 PathCombineA,CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt, 7_2_00402493

Compliance

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Unpacked PE file: 3.2.Hu25VEa8Dr.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Unpacked PE file: 4.2.Hu25VEa8Dr.exe.400000.1.unpack
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Unpacked PE file: 7.2.msiexec.exe.400000.0.unpack
Source: Hu25VEa8Dr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: T:\ldr\CUSTOM\local\Worm65.DLL.PnP\Release\Worm65.DLL.pdb source: svchost.exe, svchost.exe, 00000009.00000003.373478974.0000000000130000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: T:\ldr\CUSTOM\local\local\Release\ADropper.pdb source: Hu25VEa8Dr.exe, Hu25VEa8Dr.exe, 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: svchost.exe, 00000009.00000002.381614429.0000000000CD0000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E29C0 _memset,UnregisterDeviceNotification,CloseHandle,UnregisterDeviceNotification,CloseHandle,wsprintfW,wsprintfW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,wsprintfW,CreateFileW,RegisterDeviceNotificationW,Sleep,DefWindowProcW,UnregisterDeviceNotification,CloseHandle,PostQuitMessage, 9_2_001E29C0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_00405D07 FindFirstFileA,FindClose, 0_2_00405D07
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405331
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 5_2_00405D07 FindFirstFileA,FindClose, 5_2_00405D07
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 5_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 5_2_00405331
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 5_2_0040263E FindFirstFileA, 5_2_0040263E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E1E80 GetFileAttributesW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,MoveFileExW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 9_2_001E1E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E1700 GetDriveTypeW,wsprintfW,wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,lstrcmpiW,lstrcmpiW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,lstrcmpiW,lstrcmpiW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,wsprintfW,SetFileAttributesW,FindNextFileW,FindClose, 9_2_001E1700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E1B70 wsprintfW,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,FindClose,FindClose, 9_2_001E1B70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E10D0 RegisterClassW,LdrInitializeThunk,_memset,GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,SetErrorMode,CreateWindowExW,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateMessage,DispatchMessageW,GetMessageW, 9_2_001E10D0

Networking

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 147.75.61.38 80
Source: C:\Windows\SysWOW64\svchost.exe Domain query: pe.suckmycocklameavindustry.in
Source: C:\Windows\SysWOW64\svchost.exe Domain query: xdqzpbcgrvkj.ru
Source: C:\Windows\SysWOW64\svchost.exe Domain query: anam0rph.su
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 34.29.71.138 80
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Sun, 01 Oct 2023 04:01:37 GMT
Content-Length: 607
Content-Type: text/html; charset=utf-8
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: Traffic Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 147.75.61.38:80 -> 192.168.2.22:49166
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00021474 socket,connect,getsockname,shutdown,closesocket, www.update.microsoft.com 9_2_00021474
Source: global traffic HTTP traffic detected:
POST /in.php HTTP/1.1
Host: xdqzpbcgrvkj.ru
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Connection: close
Source: global traffic HTTP traffic detected:
GET /dtkdvjezlgdvslgbvqqjiiheaxroigff HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: pe.suckmycocklameavindustry.in
Connection: Keep-Alive
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://anam0rph.su/in.php
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://bdcrqgonzmwuehky.nl/in.php
Source: svchost.exe String found in binary or memory: http://img.suckmycocklameavindustry.in/
Source: Hu25VEa8Dr.exe, 00000003.00000002.350134891.0000000002120000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/
Source: msiexec.exe, msiexec.exe, 00000005.00000002.353292307.0000000000409000.00000004.00000001.01000000.0000000A.sdmp, msiexec.exe, 00000005.00000000.351213851.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, msiexec.exe, 00000007.00000000.364458175.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, msiexec.exe, 00000008.00000000.365114158.0000000000409000.00000008.00000001.01000000.0000000A.sdmp, Hu25VEa8Dr.exe, 0BBFF.tmp.4.dr, msoiruj.bat.9.dr, msiexec.exe.4.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Hu25VEa8Dr.exe, 0BBFF.tmp.4.dr, msoiruj.bat.9.dr, msiexec.exe.4.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://orzdwjtvmein.in/in.php
Source: svchost.exe String found in binary or memory: http://pe.suckmycocklameavindustry.in/
Source: svchost.exe, 00000009.00000003.373478974.0000000000130000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://pe.suckmycocklameavindustry.in/DOS_STUBhttp://sc.suckmycocklameavindustry.in/ImageBasehttp://
Source: svchost.exe, 00000009.00000002.381503603.0000000000484000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigff
Source: svchost.exe, 00000009.00000002.381503603.0000000000484000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigff6Tl
Source: svchost.exe, 00000009.00000002.381503603.00000000004D4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381500240.000000000044A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://pe.suckmycocklameavindustry.in/dtkdvjezlgdvslgbvqqjiiheaxroigffC:
Source: svchost.exe String found in binary or memory: http://sc.suckmycocklameavindustry.in/
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://somicrososoft.ru/in.php
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://xdqzpbcgrvkj.ru/in.php
Source: svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://xdqzpbcgrvkj.ru/in.phphttp://anam0rph.su/in.phphttp://orzdwjtvmein.in/in.phphttp://ygiudewsqh
Source: svchost.exe, svchost.exe, 00000009.00000002.381446071.0000000000020000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://ygiudewsqhct.in/in.php
Source: unknown HTTP traffic detected:
POST /in.php HTTP/1.1
Host: xdqzpbcgrvkj.ru
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
Connection: close
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\dtkdvjezlgdvslgbvqqjiiheaxroigff[1].htm
Source: unknown DNS traffic detected: queries for: xdqzpbcgrvkj.ru
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E1430 _memset,_memset,_memset,GetTempPathW,GetTempFileNameW,RegOpenKeyExW,RegQueryValueExW,RegSetValueExW,RegCloseKey,URLDownloadToFileW,DeleteFileW,DeleteFileW,SetFileAttributesW,DeleteFileW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,RegOpenKeyExW,RegSetValueExW,RegCloseKey,VirtualFree,CloseHandle,DeleteFileW,DeleteFileW,SetFileAttributesW,DeleteFileW, 9_2_001E1430
Source: global traffic HTTP traffic detected:
GET /dtkdvjezlgdvslgbvqqjiiheaxroigff HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: pe.suckmycocklameavindustry.in
Connection: Keep-Alive
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EE8
Source: Hu25VEa8Dr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FA
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 5_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 5_2_004030FA
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_00406128 0_2_00406128
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_004046F9 0_2_004046F9
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_004068FF 0_2_004068FF
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 4_2_0040F80F 4_2_0040F80F
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 4_2_0040F038 4_2_0040F038
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 4_2_0040D609 4_2_0040D609
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 5_2_00406128 5_2_00406128
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 5_2_004046F9 5_2_004046F9
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 5_2_004068FF 5_2_004068FF
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 8_2_004017AF 8_2_004017AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E21A0 9_2_001E21A0
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Code function: 2_2_10001000 bedevahetay,LoadLibraryA,GetCommandLineA,PathGetArgsA,RtlZeroMemory,LoadLibraryA,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,SetThreadContext, 2_2_10001000
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 3_2_00402298 PathCombineA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 3_2_00402298
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Code function: 6_2_10001000 zejutuhodomo,GetModuleHandleA,GetCommandLineA,PathGetArgsA,RtlZeroMemory,LoadLibraryA,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,SetThreadContext, 6_2_10001000
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 7_2_00402298 PathCombineA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 7_2_00402298
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 8_2_00401284 NtAllocateVirtualMemory, 8_2_00401284
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 8_2_001E00C0 GetModuleHandleW,VirtualAlloc,GetModuleFileNameW,SetEnvironmentVariableW,GetWindowsDirectoryW,NtQueryInformationProcess,lstrcatW,lstrcatW,CreateFileW,NtCreateSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,CreateProcessW,NtDelayExecution,NtUnmapViewOfSection,NtMapViewOfSection,NtClose,GetThreadContext,NtUnmapViewOfSection,NtUnmapViewOfSection,NtMapViewOfSection,NtResumeThread,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,NtUnmapViewOfSection,NtClose,CloseHandle,VirtualFree,ExitProcess, 8_2_001E00C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00081284 NtAllocateVirtualMemory, 9_2_00081284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00020973 GetProcessHeap,GetVersionExA,NtQueryInformationProcess,NtDelayExecution,VirtualAlloc,GetEnvironmentVariableW,SetEnvironmentVariableW,GetShortPathNameW,wsprintfA,CreateMutexA,GetLastError,SetFileAttributesW,DeleteFileW,VirtualFree,WSAStartup,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,WaitForSingleObject,CloseHandle,NtDelayExecution,SetFileAttributesW,DeleteFileW,VirtualFree,ExitProcess,SetErrorMode, 9_2_00020973
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00022B45 NtDelayExecution,VirtualAlloc,ExpandEnvironmentStringsW,GetTickCount,wsprintfW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CloseHandle,CloseHandle,VirtualFree,HeapFree, 9_2_00022B45
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00022E82 NtDelayExecution, 9_2_00022E82
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00022CBA NtDelayExecution,HeapFree,RtlAllocateHeap,wsprintfA,RtlAllocateHeap,lstrlen,HeapFree,HeapFree,ExitProcess, 9_2_00022CBA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000228B8 NtDelayExecution,VirtualAlloc,GetModuleFileNameW,CreateFileW,GetFileTime,CloseHandle,lstrcpy,RegOpenKeyExA,wsprintfW,RegQueryValueExW,RegCloseKey,ExpandEnvironmentStringsW,GetTickCount,wsprintfW,CloseHandle,CreateFileW,WriteFile,SetFileTime,CloseHandle,CreateProcessW,CloseHandle,ResumeThread,CloseHandle,CloseHandle,VirtualFree,HeapFree, 9_2_000228B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000223DC NtDelayExecution,GetTickCount,wsprintfW,VirtualAlloc,ExpandEnvironmentStringsW,SetCurrentDirectoryW,lstrcatW,CreateFileW,WriteFile,CloseHandle,LoadLibraryW,GetProcAddress,FreeLibrary,wsprintfA,lstrcpy,RegOpenKeyExA,lstrlen,RegSetValueExA,RegCloseKey,GetSystemDirectoryW,SetCurrentDirectoryW,VirtualFree,HeapFree, 9_2_000223DC
Source: Hu25VEa8Dr.exe, 00000004.00000003.350394202.00000000005ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs Hu25VEa8Dr.exe
Source: Hu25VEa8Dr.exe, 00000004.00000003.350389547.00000000005E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs Hu25VEa8Dr.exe
Source: Hu25VEa8Dr.exe, 00000004.00000003.350397688.00000000005F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs Hu25VEa8Dr.exe
Source: Hu25VEa8Dr.exe, 00000004.00000003.350301075.00000000005DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewpdshext.dll.muij% vs Hu25VEa8Dr.exe
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Section loaded: gozekeneka.dll
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Section loaded: zojemilocan.dll
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Section loaded: xuxokuxoka.dll
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Section loaded: jahulocayedo.dll
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Section loaded: firozedikami.dll
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Section loaded: yiduyevutog.dll
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Memory allocated: 771D0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Memory allocated: 771D0000 page execute and read and write
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Memory allocated: 771D0000 page execute and read and write
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Memory allocated: 771D0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Memory allocated: 771D0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Memory allocated: 771D0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Memory allocated: 771D0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Memory allocated: 771D0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 771D0000 page execute and read and write
Source: Zojemilocan.dll.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xuxokuxoka.dll.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Jahulocayedo.dll.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Hu25VEa8Dr.exe ReversingLabs: Detection: 95%
Source: Hu25VEa8Dr.exe Virustotal: Detection: 81%
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File read: C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: Hu25VEa8Dr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Process created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe "C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe" "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\syswow64\svchost.exe
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\syswow64\svchost.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File created: C:\Users\user\AppData\Local\Temp\nshA6F9.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@17/19@7/3
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041FC
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 4_2_004014F0 _memset,_memset,_memset,_memset,_memset,GetTickCount,OpenMutexW,_memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Process32NextW,GetTempPathW,CreateDirectoryW,CreateFileW,WriteFile,CloseHandle,ShellExecuteExW,ExpandEnvironmentStringsW,CreateDirectoryW,CreateDirectoryW,CreateDirectoryW,ExpandEnvironmentStringsW,GetTempPathW,CreateFileW,WriteFile,CloseHandle,ShellExecuteExW,WaitForSingleObject,WaitForSingleObject,FindFirstChangeNotificationW,WaitForSingleObject,FindNextChangeNotification,WaitForSingleObject,GetFileAttributesW, 4_2_004014F0
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\TLS
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\1703032604
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 3_2_00402419 FindResourceA,SizeofResource,LoadResource,LockResource,Sleep,??2@YAPAXI@Z,??_U@YAPAXI@Z, 3_2_00402419
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Command line argument: TLS 4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Command line argument: avp.exe 4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Command line argument: \MSI 4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Command line argument: \msiexec.exe 4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Command line argument: \Temp 4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Command line argument: %USERPROFILE% 4_2_004014F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Command line argument: .exe 4_2_004014F0
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: T:\ldr\CUSTOM\local\Worm65.DLL.PnP\Release\Worm65.DLL.pdb source: svchost.exe, svchost.exe, 00000009.00000003.373478974.0000000000130000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381475492.00000000001E0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: T:\ldr\CUSTOM\local\local\Release\ADropper.pdb source: Hu25VEa8Dr.exe, Hu25VEa8Dr.exe, 00000004.00000002.351939006.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: svchost.exe, 00000009.00000002.381614429.0000000000CD0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Unpacked PE file: 3.2.Hu25VEa8Dr.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Unpacked PE file: 4.2.Hu25VEa8Dr.exe.400000.1.unpack
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Unpacked PE file: 7.2.msiexec.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Unpacked PE file: 3.2.Hu25VEa8Dr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Unpacked PE file: 4.2.Hu25VEa8Dr.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Unpacked PE file: 7.2.msiexec.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Unpacked PE file: 8.2.msiexec.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Code function: 2_2_10003A20 push eax; ret 2_2_10003A4E
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 4_2_00403185 push ecx; ret 4_2_00403198
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Code function: 6_2_10003A20 push eax; ret 6_2_10003A4E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E5565 push ecx; ret 9_2_001E5578
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001EE1CE push 0000006Ah; retf 9_2_001EE1D0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405D2E
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\ProgramData\Local Settings\Temp\msoiruj.bat
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\Firozedikami.dll
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File created: C:\Users\user\AppData\Local\Temp\natigezeholi.dll
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File created: C:\Users\user\AppData\Local\Temp\xuxokuxoka.dll
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\Jahulocayedo.dll
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File created: C:\Users\user\AppData\Local\Temp\0BBFF.tmp
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\yiduyevutog.dll
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File created: C:\Users\user\AppData\Local\Temp\Zojemilocan.dll
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe File created: C:\Users\user\AppData\Local\Temp\Gozekeneka.dll
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\naseropuxeq.dll

Boot Survival

Source: C:\Windows\SysWOW64\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 14108
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft 00E35EEE
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: vbox qemu qemu 8_2_0040141C
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: qemu qemu 8_2_004017AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: vbox qemu qemu 9_2_0008141C
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe RDTSC instruction interceptor: First address: 0000000000401746 second address: 0000000000401749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe TID: 1732 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 4_2_00401220 rdtsc 4_2_00401220
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Code function: 2_2_004012F0 ??2@YAPAXI@Z,GetCapture,GetMenu,GetMenuItemInfoA,malloc,GetSystemInfo,xupetipe,_ftol,Negefibizoh,fread,fclose,CreateHatchBrush,??2@YAPAXI@Z,Fetomekiratu,bedevahetay, 2_2_004012F0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_00405D07 FindFirstFileA,FindClose, 0_2_00405D07
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405331
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 5_2_00405D07 FindFirstFileA,FindClose, 5_2_00405D07
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 5_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 5_2_00405331
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 5_2_0040263E FindFirstFileA, 5_2_0040263E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E1E80 GetFileAttributesW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,wsprintfW,MoveFileExW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 9_2_001E1E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E1700 GetDriveTypeW,wsprintfW,wsprintfW,FindFirstFileW,DeleteFileW,wsprintfW,wsprintfW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,lstrcmpiW,lstrcmpiW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,lstrcmpiW,lstrcmpiW,wsprintfW,DeleteFileW,SetFileAttributesW,DeleteFileW,wsprintfW,SetFileAttributesW,FindNextFileW,FindClose, 9_2_001E1700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E1B70 wsprintfW,FindFirstFileW,RemoveDirectoryW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,FindClose,FindClose, 9_2_001E1B70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E10D0 RegisterClassW,LdrInitializeThunk,_memset,GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,SetErrorMode,CreateWindowExW,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateMessage,DispatchMessageW,GetMessageW, 9_2_001E10D0
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node
Source: msiexec.exe, 00000007.00000002.365371579.000000000042D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.365418173.0000000000876000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.365771183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.381464840.0000000000080000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: qemut!
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 4_2_00401999 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00401999
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405D2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00020973 GetProcessHeap,GetVersionExA,NtQueryInformationProcess,NtDelayExecution,VirtualAlloc,GetEnvironmentVariableW,SetEnvironmentVariableW,GetShortPathNameW,wsprintfA,CreateMutexA,GetLastError,SetFileAttributesW,DeleteFileW,VirtualFree,WSAStartup,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateThread,WaitForSingleObject,CloseHandle,NtDelayExecution,SetFileAttributesW,DeleteFileW,VirtualFree,ExitProcess,SetErrorMode, 9_2_00020973
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 8_2_00401284 mov ebx, dword ptr fs:[00000030h] 8_2_00401284
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Code function: 8_2_0040141C mov eax, dword ptr fs:[00000030h] 8_2_0040141C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00081284 mov ebx, dword ptr fs:[00000030h] 9_2_00081284
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_0008141C mov eax, dword ptr fs:[00000030h] 9_2_0008141C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00020550 mov ebx, dword ptr fs:[00000030h] 9_2_00020550
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_00020973 mov eax, dword ptr fs:[00000030h] 9_2_00020973
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_000219D1 mov eax, dword ptr fs:[00000030h] 9_2_000219D1
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 4_2_00401E7F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00401E7F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E3493 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_001E3493
Source: C:\Windows\SysWOW64\svchost.exe Code function: 9_2_001E2D41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_001E2D41

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 147.75.61.38 80
Source: C:\Windows\SysWOW64\svchost.exe Domain query: pe.suckmycocklameavindustry.in
Source: C:\Windows\SysWOW64\svchost.exe Domain query: xdqzpbcgrvkj.ru
Source: C:\Windows\SysWOW64\svchost.exe Domain query: anam0rph.su
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 34.29.71.138 80
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Section unmapped: C:\Users\user\Desktop\Hu25VEa8Dr.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Section unmapped: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Section unmapped: C:\Users\user\Desktop\Hu25VEa8Dr.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: CD0000
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 403000
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 403000
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Memory allocated: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Memory allocated: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Memory written: C:\Users\user\Desktop\Hu25VEa8Dr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Memory written: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Code function: 2_2_10001000 bedevahetay,LoadLibraryA,GetCommandLineA,PathGetArgsA,RtlZeroMemory,LoadLibraryA,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,SetThreadContext, 2_2_10001000
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Process created: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe C:\Users\user\AppData\Local\Temp\Sahofivizu.exe" "C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\AppData\Local\Temp\Sahofivizu.exe Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Process created: C:\Users\user\Desktop\Hu25VEa8Dr.exe C:\Users\user\Desktop\Hu25VEa8Dr.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe "C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe" "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\AppData\Local\Temp\Lohonibuhod.exe Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe "C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe"
Source: C:\Users\user\AppData\Local\Temp\MSI\msiexec.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\syswow64\svchost.exe
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 4_2_00401000 GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 4_2_00401000
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 4_2_0040332F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_0040332F
Source: C:\Users\user\Desktop\Hu25VEa8Dr.exe Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405A2E
Source: Hu25VEa8Dr.exe Binary or memory string: avp.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: svchost.exe PID: 1740, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: svchost.exe PID: 1740, type: MEMORYSTR