Windows Analysis Report
message.com.exe

Overview

General Information

Sample name: message.com.exe
Analysis ID: 1446503
MD5: e5128ece1b9916a6df7cd56d66c193c2
SHA1: c99f687b182f3dee71e8434360595832ea431075
SHA256: 6c37d14d5ad674e4c0fa8df0a999be6b27399936c9ff16f7fb30b802addb7b4c
Tags: exe

Detection

MyDoom
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MyDoom
AI detected suspicious sample
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to search for IE or Outlook window (often done to steal information)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: message.com.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\services.exe Avira: detection malicious, Label: BDS/Backdoor.fszhy
Source: C:\Windows\java.exe Avira: detection malicious, Label: WORM/Mydoom.O.1
Source: C:\Windows\services.exe Avira: detection malicious, Label: BDS/Backdoor.fszhy
Source: C:\Users\user\AppData\Local\Temp\services.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\services.exe Virustotal: Detection: 84%
Source: C:\Windows\java.exe ReversingLabs: Detection: 97%
Source: C:\Windows\java.exe Virustotal: Detection: 91%
Source: C:\Windows\services.exe ReversingLabs: Detection: 100%
Source: C:\Windows\services.exe Virustotal: Detection: 84%
Source: message.com.exe ReversingLabs: Detection: 97%
Source: message.com.exe Virustotal: Detection: 91%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 95.3% probability
Source: C:\Users\user\AppData\Local\Temp\services.exe Joe Sandbox ML: detected
Source: C:\Windows\java.exe Joe Sandbox ML: detected
Source: C:\Windows\services.exe Joe Sandbox ML: detected
Source: message.com.exe Joe Sandbox ML: detected
Source: message.com.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading

Source: Yara match File source: 8.2.java.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.message.com.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: message.com.exe PID: 6888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: java.exe PID: 7548, type: MEMORYSTR
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 0_2_005052AD
Source: C:\Windows\java.exe Code function: 8_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 8_2_005052AD
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
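The FindFirstFileA/FindNextFileA loop at 0_2_005052AD and the run of "File opened" entries above are a directory walk: the dropped java.exe steps through one Program Files subfolder after another with a Sleep between iterations, which is how this family harvests addresses from files on disk. A host-side way to surface that behaviour without signatures is to count how many distinct directories one process touches inside a short window. The Python below is an added example, not Joe Sandbox code; the file-open events are constructed from the report's "File opened" lines plus benign control events (timestamps are invented relative seconds), and the window length and threshold are assumptions to tune against a baseline.

```python
"""Breadth-of-enumeration detector for the directory walk seen in the Spreading
section (FindFirstFileA/FindNextFileA loop; java.exe opening Program Files
subfolders one after another). Added example, not Joe Sandbox code."""
import ntpath
from collections import defaultdict

WINDOW_S = 60       # sliding window in seconds (assumed)
DIR_THRESHOLD = 5   # distinct directories inside one window that trigger a finding (assumed, low for the demo)

JAVA = r"C:\Windows\java.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events: the java.exe paths come from the report's "File opened" lines,
# the explorer.exe ones are a benign control; timestamps are relative seconds, not
# values from the report.
CONSTRUCTED_OPENS = [
    {"ts": 0, "image": JAVA, "path": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin"},
    {"ts": 1, "image": JAVA, "path": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes"},
    {"ts": 2, "image": JAVA, "path": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources"},
    {"ts": 3, "image": JAVA, "path": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0"},
    {"ts": 4, "image": JAVA, "path": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1"},
    {"ts": 5, "image": JAVA, "path": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0"},
    {"ts": 100, "image": EXPLORER, "path": r"C:\Users\user\Desktop"},
    {"ts": 101, "image": EXPLORER, "path": "C:\\Users\\user\\Desktop\\"},   # same directory, trailing separator
    {"ts": 102, "image": EXPLORER, "path": r"C:\Users\user\Documents"},
]


def enumeration_findings(events, window_s=WINDOW_S, threshold=DIR_THRESHOLD):
    """Per image, the largest number of distinct directories opened inside any
    window of window_s seconds; returns a finding when that peak reaches threshold."""
    opens_by_image = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        # lower() + normpath fold case and trailing separators so duplicates collapse
        opens_by_image[ev["image"]].append((ev["ts"], ntpath.normpath(ev["path"].lower())))
    findings = []
    for image, opens in opens_by_image.items():
        in_window = defaultdict(int)   # directory -> number of opens currently inside the window
        start, peak = 0, 0
        for ts, directory in opens:
            in_window[directory] += 1
            while opens[start][0] < ts - window_s:   # slide the left edge forward
                old = opens[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            findings.append({"image": image, "max_distinct_dirs_in_window": peak})
    return findings


if __name__ == "__main__":
    for finding in enumeration_findings(CONSTRUCTED_OPENS):
        print(finding["image"], "opened", finding["max_distinct_dirs_in_window"], "distinct directories within", WINDOW_S, "s")
```

On the constructed input only java.exe crosses the threshold (six distinct directories in six seconds); the explorer.exe control stays at two because the repeated Desktop open is folded into one directory. In production the threshold must come from a baseline of the host's own interactive and indexing processes, and the Sleep calls in the loop are the reason to use a window rather than a raw rate.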

Software Vulnerabilities

Source: C:\Windows\java.exe Process created: C:\Users\user\AppData\Local\Temp\services.exe

Networking

Source: global traffic TCP traffic: 192.168.2.8:49705 -> 15.124.29.93:1034
Source: global traffic TCP traffic: 192.168.2.8:49712 -> 4.240.78.155:1034
Source: global traffic TCP traffic: 192.168.2.8:49713 -> 24.196.145.49:1034
Source: global traffic TCP traffic: 192.168.2.8:49715 -> 159.134.165.119:1034
Source: global traffic TCP traffic: 192.168.2.8:49716 -> 16.91.195.90:1034
Source: unknown TCP traffic detected without corresponding DNS query: 15.124.29.93 (5x)
Source: unknown TCP traffic detected without corresponding DNS query: 4.240.78.155 (5x)
Source: unknown TCP traffic detected without corresponding DNS query: 24.196.145.49 (5x)
Source: unknown TCP traffic detected without corresponding DNS query: 159.134.165.119 (5x)
Source: unknown TCP traffic detected without corresponding DNS query: 16.91.195.90 (5x)
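The five outbound flows above share two traits worth turning into a rule: the destination port (TCP/1034) is not one the host normally uses, and none of the destination addresses was ever returned by a DNS answer, which means they are hard-coded in the binary. The Python below is an added example, not Joe Sandbox code, that performs that correlation over constructed events mirroring the report's flows (simplified Sysmon-style network-connect and DNS-query records, with timestamps and the control flow to 192.0.2.25 invented for the demo); the list of standard ports is an assumed baseline.

```python
"""DNS-to-connection correlation for the "TCP traffic detected without
corresponding DNS query" entries in this report. Added example, not Joe Sandbox code."""
from collections import Counter

# Destination ports treated as standard for this host (assumed baseline; tune it).
STANDARD_PORTS = {25, 53, 80, 123, 443, 465, 587, 993, 995}

# Constructed events. The five port-1034 flows copy the report's source ports and
# destinations; the DNS event and the 192.0.2.25 flows are invented controls.
CONSTRUCTED_EVENTS = [
    # control: the connection precedes the answer, so at ts 5 it is still unexplained
    {"ts": 5,  "type": "conn", "proto": "tcp", "src": "192.168.2.8:49700", "dst_ip": "192.0.2.25", "dst_port": 25},
    {"ts": 10, "type": "dns",  "query": "mx.example.net", "answers": ["192.0.2.25"]},
    # control: resolved first, then connected; not reported
    {"ts": 11, "type": "conn", "proto": "tcp", "src": "192.168.2.8:49701", "dst_ip": "192.0.2.25", "dst_port": 25},
    # the report's five flows: no DNS event names any of these addresses
    {"ts": 20, "type": "conn", "proto": "tcp", "src": "192.168.2.8:49705", "dst_ip": "15.124.29.93", "dst_port": 1034},
    {"ts": 21, "type": "conn", "proto": "tcp", "src": "192.168.2.8:49712", "dst_ip": "4.240.78.155", "dst_port": 1034},
    {"ts": 22, "type": "conn", "proto": "tcp", "src": "192.168.2.8:49713", "dst_ip": "24.196.145.49", "dst_port": 1034},
    {"ts": 23, "type": "conn", "proto": "tcp", "src": "192.168.2.8:49715", "dst_ip": "159.134.165.119", "dst_port": 1034},
    {"ts": 24, "type": "conn", "proto": "tcp", "src": "192.168.2.8:49716", "dst_ip": "16.91.195.90", "dst_port": 1034},
]


def find_undns_connections(events):
    """Flag TCP connections whose destination IP never appeared in a DNS answer
    at or before the connection time. Returns one finding per connection."""
    answer_times = {}   # ip -> timestamps at which it appeared in a DNS answer
    for ev in events:
        if ev["type"] == "dns":
            for ip in ev["answers"]:
                answer_times.setdefault(ip, []).append(ev["ts"])
    findings = []
    for ev in events:
        if ev["type"] != "conn" or ev["proto"] != "tcp":
            continue
        if any(t <= ev["ts"] for t in answer_times.get(ev["dst_ip"], [])):
            continue   # a resolution preceded the connection: expected behaviour
        findings.append({
            "ts": ev["ts"],
            "src": ev["src"],
            "dst": f'{ev["dst_ip"]}:{ev["dst_port"]}',
            "nonstandard_port": ev["dst_port"] not in STANDARD_PORTS,
        })
    return findings


def summarize(findings):
    """Count findings per destination, the way the report repeats each address."""
    return dict(Counter(f["dst"] for f in findings))


if __name__ == "__main__":
    for f in find_undns_connections(CONSTRUCTED_EVENTS):
        flag = "NON-STANDARD PORT" if f["nonstandard_port"] else "standard port"
        print(f'ts={f["ts"]:>3} {f["src"]} -> {f["dst"]} no prior DNS answer ({flag})')
    print(summarize(find_undns_connections(CONSTRUCTED_EVENTS)))
```

The ordering check matters: an answer that arrives after the connection does not explain it, which is why the first 192.0.2.25 flow is still listed. The five 1034 flows are the ones to act on, because they combine both signals; a single DNS-less connection on port 25 or 443 is common enough (cached resolvers, IP literals in configuration) that it should only raise priority, not alert on its own.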
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_00506AB8 select,recv, 0_2_00506AB8
Source: message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: HLOToFrom%s %sSMTPServerSoftware\Microsoft\%s %s Manager\%ssInternetAccountmx.mail.smtp..logzincite"%s"servicesurlmon.dllURLDownloadToCacheFileAhttp://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.com/web/results?q=%s&kgs=0&kls=0&n=%dhttp://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=&num=%dhttp://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s%s+%s-contact+replymailtoU equals www.yahoo.com (Yahoo)
Source: message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s
Source: message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c
Source: message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.altavista.com/web/results?q=%s&kgs=0&kls=0
Source: message.com.exe, message.com.exe, 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://denmark.smartscre_
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://denmark.smartscre_curlrcom
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://europe.d
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://europe.dbgcreepp
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://southkoreregid.1991-06.com.microsoftza
Source: message.com.exe, 00000000.00000002.1500711357.00000000005DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://unitUSOPrivaten.micrp
Source: message.com.exe, 00000000.00000002.1500711357.00000000005B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://unitedstates2.ss.wd.microsoft
Source: message.com.exe, 00000000.00000002.1500711357.00000000005B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 8.2.java.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.message.com.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2620386663.0000000000501000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1500589975.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: message.com.exe PID: 6888, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: java.exe PID: 7548, type: MEMORYSTR

System Summary

Source: C:\Users\user\Desktop\message.com.exe File created: C:\Windows\services.exe
Source: C:\Users\user\Desktop\message.com.exe File created: C:\Windows\java.exe
Source: C:\Users\user\Desktop\message.com.exe File created: C:\Windows\java.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\message.com.exe File deleted: C:\Windows\java.exe
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_00507730 0_2_00507730
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_005011C9 0_2_005011C9
Source: C:\Windows\java.exe Code function: 8_2_00507730 8_2_00507730
Source: C:\Windows\java.exe Code function: 8_2_005011C9 8_2_005011C9
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\services.exe BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C
Source: C:\Users\user\Desktop\message.com.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 1196
Source: message.com.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.spre.expl.evad.winEXE@8/10@0/6
Source: C:\Windows\java.exe Mutant created: \Sessions\1\BaseNamedObjects\701188root701188root7701188root701188root77
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6888
Source: C:\Users\user\Desktop\message.com.exe File created: C:\Users\user\AppData\Local\Temp\zincite.log
Source: C:\Users\user\Desktop\message.com.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: message.com.exe ReversingLabs: Detection: 97%
Source: message.com.exe Virustotal: Detection: 91%
Source: C:\Users\user\Desktop\message.com.exe File read: C:\Users\user\Desktop\message.com.exe
Source: unknown Process created: C:\Users\user\Desktop\message.com.exe "C:\Users\user\Desktop\message.com.exe"
Source: C:\Users\user\Desktop\message.com.exe Process created: C:\Windows\services.exe "C:\Windows\services.exe"
Source: C:\Users\user\Desktop\message.com.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 1196
Source: unknown Process created: C:\Windows\java.exe "C:\Windows\java.exe"
Source: C:\Windows\java.exe Process created: C:\Users\user\AppData\Local\Temp\services.exe "C:\Users\user\AppData\Local\Temp\services.exe"
Source: unknown Process created: C:\Windows\services.exe "C:\Windows\services.exe"
Source: C:\Users\user\Desktop\message.com.exe Section loaded: apphelp.dll, ntmarta.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, mswsock.dll, winnsi.dll
Source: C:\Windows\services.exe Section loaded: apphelp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll
Source: C:\Windows\java.exe Section loaded: apphelp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\services.exe Section loaded: apphelp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll
Source: C:\Windows\services.exe Section loaded: napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll
Source: C:\Users\user\Desktop\message.com.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Data Obfuscation

Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState, 0_2_00503620
Source: services.exe.0.dr Static PE information: section name: UPX2
Source: services.exe.8.dr Static PE information: section name: UPX2
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_0050A42D push ds; ret 0_2_0050A42E
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_0050DEA6 push ds; ret 0_2_0050DEBE
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_0050A501 push ecx; retf 0_2_0050A53F
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_0050A50F push ecx; retf 0_2_0050A53F
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_00509BA2 push edx; retf 0_2_00509BAB
Source: C:\Windows\services.exe Code function: 2_2_00405A55 push es; iretd 2_2_00405A8E
Source: C:\Windows\java.exe Code function: 8_2_0050A42D push ds; ret 8_2_0050A42E
Source: C:\Windows\java.exe Code function: 8_2_0050DEA6 push ds; ret 8_2_0050DEBE
Source: C:\Windows\java.exe Code function: 8_2_0050A501 push ecx; retf 8_2_0050A53F
Source: C:\Windows\java.exe Code function: 8_2_0050A50F push ecx; retf 8_2_0050A53F
Source: C:\Windows\java.exe Code function: 8_2_00509BA2 push edx; retf 8_2_00509BAB
Source: initial sample Static PE information: section name: UPX0 (4x)
Source: initial sample Static PE information: section name: UPX1 (4x)

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\message.com.exe File created: C:\Windows\services.exe
Source: C:\Users\user\Desktop\message.com.exe File created: C:\Windows\java.exe
Source: C:\Windows\java.exe File created: C:\Users\user\AppData\Local\Temp\services.exe
Source: C:\Windows\java.exe File created: services.exe.8.dr
Source: unknown Executable created and started: C:\Windows\java.exe
Source: C:\Users\user\Desktop\message.com.exe Executable created and started: C:\Windows\services.exe

Boot Survival

Source: C:\Users\user\Desktop\message.com.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM
Source: C:\Windows\services.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services
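The Sigma hits in the Signatures list (Files With System Process Name In Unsuspected Locations, System File Execution Location Anomaly, Wow6432Node CurrentVersion Autorun Keys Modification) reduce to two path checks: a core Windows process name running from somewhere other than its install directory, and an executable sitting directly in the Windows root. The Python below is an added example, not Joe Sandbox or Sigma code, that applies both checks to the "Process created" lines and the Run values created in this report. The process records are constructed from the report's lines (Sysmon event 1 style field names); the Run value data, the expected-directory table and the Windows-root allowlist are assumptions, since the report names only the values JavaVM and Services and says nothing about their data.

```python
"""Path-anomaly triage for the process tree and Run-key entries in this report.
Added example, not Joe Sandbox or Sigma code."""
import ntpath

# Core Windows process names and the directories they legitimately run from on a
# default install (assumed baseline; extend it for your environment).
SYSTEM_PROCESS_DIRS = {
    "services.exe": (r"c:\windows\system32",),
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "lsass.exe": (r"c:\windows\system32",),
    "csrss.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "wininit.exe": (r"c:\windows\system32",),
    "smss.exe": (r"c:\windows\system32",),
    "explorer.exe": (r"c:\windows",),
}

# Executables that legitimately sit directly in the Windows root (partial list, assumed).
WINDOWS_ROOT_ALLOWLIST = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
    "splwow64.exe", "winhlp32.exe", "bfsvc.exe",
}

RUN_KEY = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

# Constructed from the report's "Process created" lines; the last record is a
# benign control (the real Service Control Manager) that is not in the report.
PROCESS_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\message.com.exe", "ParentImage": "", "CommandLine": r'"C:\Users\user\Desktop\message.com.exe"'},
    {"Image": r"C:\Windows\services.exe", "ParentImage": r"C:\Users\user\Desktop\message.com.exe", "CommandLine": r'"C:\Windows\services.exe"'},
    {"Image": r"C:\Windows\SysWOW64\WerFault.exe", "ParentImage": r"C:\Users\user\Desktop\message.com.exe", "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 1196"},
    {"Image": r"C:\Windows\java.exe", "ParentImage": "", "CommandLine": r'"C:\Windows\java.exe"'},
    {"Image": r"C:\Users\user\AppData\Local\Temp\services.exe", "ParentImage": r"C:\Windows\java.exe", "CommandLine": r'"C:\Users\user\AppData\Local\Temp\services.exe"'},
    {"Image": r"C:\Windows\System32\services.exe", "ParentImage": r"C:\Windows\System32\wininit.exe", "CommandLine": r"C:\Windows\system32\services.exe"},
]

# Value names come from the report; the value data is assumed to point at the
# dropped files of the same name. SecurityHealth is a benign control.
RUN_KEY_ENTRIES = [
    {"Key": RUN_KEY, "Name": "JavaVM", "Data": r'"C:\Windows\java.exe"'},
    {"Key": RUN_KEY, "Name": "Services", "Data": r'"C:\Windows\services.exe"'},
    {"Key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Name": "SecurityHealth", "Data": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]


def classify_path(image):
    """Return the anomaly labels that apply to one executable path (empty when clean)."""
    norm = image.lower()                      # Windows paths are case-insensitive
    base, directory = ntpath.basename(norm), ntpath.dirname(norm)
    labels = []
    expected_dirs = SYSTEM_PROCESS_DIRS.get(base)
    if expected_dirs and directory not in expected_dirs:
        labels.append("system-process-name-outside-expected-dir")
    if directory == r"c:\windows" and base not in WINDOWS_ROOT_ALLOWLIST:
        labels.append("executable-in-windows-root")
    return labels


def image_from_command(command):
    """Pull the executable path out of a Run value or command line: the quoted
    first token when the string starts with a double quote, else the first
    whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def scan_process_events(events):
    """One hit per process-creation record whose image path carries an anomaly label."""
    hits = []
    for ev in events:
        labels = classify_path(ev["Image"])
        if labels:
            hits.append({"image": ev["Image"], "parent": ev.get("ParentImage", ""), "labels": labels})
    return hits


def scan_run_keys(entries):
    """One hit per autorun value whose target executable carries an anomaly label."""
    hits = []
    for entry in entries:
        target = image_from_command(entry["Data"])
        labels = classify_path(target)
        if labels:
            hits.append({"key": entry["Key"], "name": entry["Name"], "target": target, "labels": labels})
    return hits


if __name__ == "__main__":
    for hit in scan_process_events(PROCESS_EVENTS):
        print("process", hit["image"], "<-", hit["parent"] or "unknown parent", hit["labels"])
    for hit in scan_run_keys(RUN_KEY_ENTRIES):
        print("autorun", hit["name"], "->", hit["target"], hit["labels"])
```

Run against the constructed records, the two services.exe copies are caught by the name-versus-directory rule, C:\Windows\java.exe by the Windows-root rule, and the legitimate System32\services.exe and WerFault.exe pass. The parent-process field is carried through because it is the fastest way to confirm the finding here: a services.exe whose parent is a file on the user's Desktop rather than wininit.exe is not the Service Control Manager. Both allowlists will need local tuning; the point of keeping them as data is that tuning them does not touch the logic.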
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\services.exe Window / User API: threadDelayed 1426
Source: C:\Windows\java.exe Window / User API: threadDelayed 1380
Source: C:\Windows\java.exe Window / User API: threadDelayed 7702
Source: C:\Users\user\AppData\Local\Temp\services.exe Window / User API: threadDelayed 2230
Source: C:\Users\user\AppData\Local\Temp\services.exe Window / User API: threadDelayed 7767
Source: C:\Windows\services.exe Window / User API: threadDelayed 9361
Source: C:\Windows\services.exe Window / User API: threadDelayed 638
Source: C:\Windows\java.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\services.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\message.com.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\message.com.exe TID: 6732 Thread sleep time: -56000s >= -30000s
Source: C:\Windows\services.exe TID: 6380 Thread sleep count: 1426 > 30
Source: C:\Windows\java.exe TID: 7576 Thread sleep count: 1380 > 30
Source: C:\Windows\java.exe TID: 7576 Thread sleep time: -1104000s >= -30000s
Source: C:\Windows\java.exe TID: 7552 Thread sleep count: 44 > 30
Source: C:\Windows\java.exe TID: 7576 Thread sleep count: 7702 > 30
Source: C:\Windows\java.exe TID: 7576 Thread sleep time: -6161600s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572 Thread sleep count: 2230 > 30
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572 Thread sleep time: -557500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572 Thread sleep count: 7767 > 30
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 7572 Thread sleep time: -1941750s >= -30000s
Source: C:\Windows\services.exe TID: 7736 Thread sleep count: 9361 > 30
Source: C:\Windows\services.exe TID: 7736 Thread sleep time: -2340250s >= -30000s
Source: C:\Windows\services.exe TID: 7736 Thread sleep count: 638 > 30
Source: C:\Windows\services.exe TID: 7736 Thread sleep time: -159500s >= -30000s
Source: C:\Users\user\Desktop\message.com.exe Last function: Thread delayed
Source: C:\Windows\services.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h 0_2_00505717
Source: C:\Windows\java.exe Code function: 8_2_00505717 GetSystemTime followed by cmp: cmp word ptr [ebp-10h], 07dch and CTI: jbe 00505758h 8_2_00505717
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 0_2_005052AD
Source: C:\Windows\java.exe Code function: 8_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, 8_2_005052AD
Source: C:\Users\user\Desktop\message.com.exe Thread delayed: delay time: 56000
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\java.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: java.exe, 00000008.00000002.2622640497.000000000056E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld}
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: services.exe, 00000002.00000002.2622723854.0000000000812000.00000004.00000020.00020000.00000000.sdmp, services.exe, 0000000B.00000002.2624896857.0000000000800000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: services.exe, 00000009.00000002.2622857477.0000000000812000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: message.com.exe, 00000000.00000002.1500711357.000000000059E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\services.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\message.com.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_00505A45 LdrInitializeThunk,lstrcpy,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcat,lstrcat,lstrcpy,lstrcpy, 0_2_00505A45
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_00503620 GetModuleHandleA,LoadLibraryA,GetProcAddress,InternetGetConnectedState, 0_2_00503620
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_00504E00 GetProcessHeap,RtlAllocateHeap,CreateFileA,ReadFile,ReadFile,FindCloseChangeNotification,GetProcessHeap,HeapFree, 0_2_00504E00
Source: C:\Users\user\Desktop\message.com.exe Process created: C:\Windows\services.exe "C:\Windows\services.exe"
Source: C:\Windows\java.exe Process created: C:\Users\user\AppData\Local\Temp\services.exe "C:\Users\user\AppData\Local\Temp\services.exe"
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_005032CB lstrlen,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeZoneInformation,lstrcat,wsprintfA, 0_2_005032CB
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\message.com.exe Code function: 0_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread, 0_2_0050311C
Source: C:\Windows\java.exe Code function: 8_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetModuleHandleA,GetProcAddress, 8_2_0050311C
Source: C:\Windows\services.exe Code function: 2_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle, 2_2_00401F0E