Windows Analysis Report
T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe

Overview

General Information

Sample name: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
renamed because original name is a hash value
Original sample name: TBTAK SAGE TEKLF TALEP VE FYAT TEKLF sxlx..exe
Analysis ID: 1446501
MD5: 456442e5615445a54f15eae38140c50a
SHA1: f81074ce9855601a33b97fb357fbee1bbdd7fcf6
SHA256: 0eca094ac422e8d7b0b58532b5a1fb7a59b4cc6cb6bbe1ec49259ebf10522ae5
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "royallog@fibraunollc.top", "Password": " 7213575aceACE@#$ "}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe ReversingLabs: Detection: 36%
Source: C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Virustotal: Detection: 28% Perma Link
Multi AV Scanner detection for submitted file
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe ReversingLabs: Detection: 36%
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Virustotal: Detection: 28% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.0% probability

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, type: SAMPLE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.7ff77c310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.7ff77c310000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1972524893.00007FF77C48D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1991858132.00007FF77C43D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1992227700.00007FF77C48D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1980910200.00000286E183A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe PID: 6548, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, type: DROPPED
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 185.174.175.187:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.174.175.187 185.174.175.187
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ITLDC-NLUA ITLDC-NLUA
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 185.174.175.187:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: cp8nl.hyperhost.ua
Source: jsc.exe, 00000003.00000002.3233652969.000000000328E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cp8nl.hyperhost.ua
Source: jsc.exe, 00000003.00000002.3233070835.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3233652969.000000000328E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3235153161.0000000006656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: jsc.exe, 00000003.00000002.3235153161.0000000006680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: jsc.exe, 00000003.00000002.3233652969.000000000328E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3235153161.0000000006656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: jsc.exe, 00000003.00000002.3233070835.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3233652969.000000000328E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3235153161.0000000006656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: jsc.exe, 00000003.00000002.3233652969.000000000328E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3235153161.0000000006656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, 00000000.00000002.1991858132.00007FF77C43D000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidX
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.0.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.0.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, 00000000.00000002.1991858132.00007FF77C43D000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, 00000000.00000002.1980910200.00000286E183A000.00000004.00001000.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3232681836.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.0.dr String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: jsc.exe, 00000003.00000002.3233652969.000000000328E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000003.00000002.3235153161.0000000006656000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, hxAF.cs .Net Code: gcE
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.raw.unpack, hxAF.cs .Net Code: gcE

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, type: SAMPLE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.7ff77c310000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.7ff77c310000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C340560 0_2_00007FF77C340560
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C328F50 0_2_00007FF77C328F50
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C33C160 0_2_00007FF77C33C160
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C33EB10 0_2_00007FF77C33EB10
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C338D40 0_2_00007FF77C338D40
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C343600 0_2_00007FF77C343600
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C32FDA0 0_2_00007FF77C32FDA0
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C342700 0_2_00007FF77C342700
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C337F10 0_2_00007FF77C337F10
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C317EC0 0_2_00007FF77C317EC0
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C343F70 0_2_00007FF77C343F70
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C323720 0_2_00007FF77C323720
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C3357F0 0_2_00007FF77C3357F0
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C32F7F4 0_2_00007FF77C32F7F4
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C341800 0_2_00007FF77C341800
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C333010 0_2_00007FF77C333010
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C334890 0_2_00007FF77C334890
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C3388C0 0_2_00007FF77C3388C0
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C3340D0 0_2_00007FF77C3340D0
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C332934 0_2_00007FF77C332934
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C3269D0 0_2_00007FF77C3269D0
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C3369D0 0_2_00007FF77C3369D0
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C3489D0 0_2_00007FF77C3489D0
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C322A60 0_2_00007FF77C322A60
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C342290 0_2_00007FF77C342290
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C32E2F0 0_2_00007FF77C32E2F0
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C33F360 0_2_00007FF77C33F360
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C33DC30 0_2_00007FF77C33DC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_01769BE2 3_2_01769BE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_01764A98 3_2_01764A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_0176CDA8 3_2_0176CDA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_01763E80 3_2_01763E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_017641C8 3_2_017641C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_065256F0 3_2_065256F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_06523F60 3_2_06523F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_0652DD10 3_2_0652DD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_0652BD18 3_2_0652BD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_06522AF8 3_2_06522AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_06528BA3 3_2_06528BA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_06520040 3_2_06520040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_06523253 3_2_06523253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 3_2_06525010 3_2_06525010
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: String function: 00007FF77C319B60 appears 51 times
Sample file is different than original file name gathered from version info
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Binary or memory string: OriginalFilename vs T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, 00000000.00000002.1992373539.00007FF77C518000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFunc6DeclareLocal.dllD vs T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, 00000000.00000002.1980910200.00000286E183A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamec25e7689-8eb9-43a0-830e-91b697d7907d.exe4 vs T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, 00000000.00000002.1980910200.00000286E183A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFunc6DeclareLocal.dllD vs T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Binary or memory string: OriginalFilenameFunc6DeclareLocal.dllD vs T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.0.dr Binary or memory string: OriginalFilenameFunc6DeclareLocal.dllD vs T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Yara signature match
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.7ff77c310000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.7ff77c310000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, N43UVggPg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, N43UVggPg.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, Ow96S4wT.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, Ow96S4wT.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, Ow96S4wT.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, Ow96S4wT.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, MjzNdC.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, MjzNdC.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@4/2@1/1
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C322890 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 0_2_00007FF77C322890
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe File created: C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe ReversingLabs: Detection: 36%
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe File read: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe "C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe"
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Section loaded: icu.dll Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: Image base 0x140000000 > 0x60000000
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static file information: File size 2070528 > 1048576
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains sections with non-standard names
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: section name: .managed
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: section name: hydrated
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Static PE information: section name: _RDATA
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.0.dr Static PE information: section name: .managed
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.0.dr Static PE information: section name: hydrated
Source: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.0.dr Static PE information: section name: _RDATA
Creates processes with suspicious names
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe File created: \t#u00dcb#u0130tak sage tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 sxlx..exe
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe File created: \t#u00dcb#u0130tak sage tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 sxlx..exe
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe File created: \t#u00dcb#u0130tak sage tekl#u0130f talep ve f#u0130yat tekl#u0130f#u0130 sxlx..exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe File created: C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe File created: C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe File created: C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Memory allocated: 286DCEF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 1760000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 3240000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 30A0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Window / User API: threadDelayed 5216 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Window / User API: threadDelayed 865 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -17524406870024063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3176 Thread sleep count: 5216 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -99641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 3176 Thread sleep count: 865 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -99530s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -99422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -99313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -99188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -99063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -98938s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -98828s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -98719s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -98594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -98484s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -98374s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -98262s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -98141s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -98031s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -97922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -97812s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -97703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -97594s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -97484s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -97370s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -97250s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -97141s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -97016s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -96891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -96781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -96672s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6408 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C3224C0 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask, 0_2_00007FF77C3224C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99530 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 99063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98374 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98262 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 98031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97370 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 97016 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 96891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 96781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 96672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: jsc.exe, 00000003.00000002.3235153161.0000000006640000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllErroM
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C3155C0 RtlAddVectoredExceptionHandler, 0_2_00007FF77C3155C0
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C379808 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF77C379808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 43C000 Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 43E000 Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 11FE008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C315270 cpuid 0_2_00007FF77C315270
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe Code function: 0_2_00007FF77C31DD30 GetSystemTimeAsFileTime, 0_2_00007FF77C31DD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3232681836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3233652969.000000000328E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3233652969.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3233652969.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1980910200.00000286E183A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe PID: 6548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jsc.exe PID: 6368, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3232681836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3233652969.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1980910200.00000286E183A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe PID: 6548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jsc.exe PID: 6368, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 3.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e187aac8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe.286e1840090.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3232681836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3233652969.000000000328E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3233652969.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3233652969.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1980910200.00000286E183A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe PID: 6548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jsc.exe PID: 6368, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446501 Sample: T#U00dcB#U0130TAK SAGE TEKL... Startdate: 23/05/2024 Architecture: WINDOWS Score: 100 19 cp8nl.hyperhost.ua 2->19 23 Found malware configuration 2->23 25 Malicious sample detected (through community Yara rule) 2->25 27 Multi AV Scanner detection for dropped file 2->27 29 6 other signatures 2->29 7 T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe 3 2->7         started        signatures3 process4 file5 17 T#U00dcB#U0130TAK ...30F#U0130 sxlx..exe, PE32+ 7->17 dropped 31 Writes to foreign memory regions 7->31 33 Allocates memory in foreign processes 7->33 35 Injects a PE file into a foreign processes 7->35 11 jsc.exe 2 7->11         started        15 conhost.exe 7->15         started        signatures6 process7 dnsIp8 21 cp8nl.hyperhost.ua 185.174.175.187, 49704, 587 ITLDC-NLUA Ukraine 11->21 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->37 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->39 41 Tries to steal Mail credentials (via file / registry access) 11->41 43 2 other signatures 11->43 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.174.175.187
 cp8nl.hyperhost.ua Ukraine
21100 ITLDC-NLUA true

Contacted Domains

Name IP Active
cp8nl.hyperhost.ua 185.174.175.187 true