Windows Analysis Report
sample-20240612-unpacked.exe

Overview

General Information

Sample name: sample-20240612-unpacked.exe
Analysis ID: 1542814
MD5: 0a781b3f657871233e03d73dc32279e6
SHA1: c3d1ba24a292c88768514d130a59e28a0cf8471d
SHA256: d883bb8c9c3263f60ae4c75432f17e2e558bfdbaf00936b4452fbe0d666a0a46
Tags: exeuser-verso1

Detection

Metasploit
Score: 87
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking mutex)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: sample-20240612-unpacked.exe Avira: detected
Source: C:\Users\user\Pictures\pressica.exe Avira: detection malicious, Label: TR/AD.Swrort.dxcpq
Source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Metasploit {"Type": "Shell Bind TCP", "Listen Port": 20}
Source: C:\Users\user\Pictures\pressica.exe ReversingLabs: Detection: 50%
Source: sample-20240612-unpacked.exe ReversingLabs: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00402450 strlen,CryptStringToBinaryA,CryptStringToBinaryA,free, 0_2_00402450
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00401280 _fwprintf,strlen,strlen,CryptBinaryToStringA, 0_2_00401280
Source: sample-20240612-unpacked.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown DNS traffic detected: query: S(]H7p#}ho:P4p__.str4ng3l.ov replaycode: Name error (3)
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00401580 OpenClipboard,GetClipboardData,CloseClipboard,_strdup,strlen,_fwprintf,socket,htons,inet_addr,htons,memset,GetCurrentProcessId,htons,strlen,strlen,sendto,recvfrom,strlen, 0_2_00401580
Source: global traffic DNS traffic detected: DNS query: S(]H7p#}ho:P4p__.str4ng3l.ov

System Summary

Source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000005.00000002.3306192644.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000009.00000002.3306194486.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000007.00000002.2250921540.0000000000461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0000000A.00000002.2322651335.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2093297747.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: sample-20240612-unpacked.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000005.00000002.3306192644.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000009.00000002.3306194486.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000007.00000002.2250921540.0000000000461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 0000000A.00000002.2322651335.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: 00000000.00000002.2093297747.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_a6e956c9 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 21855599bc51ec2f71d694d4e0f866f815efe54a42842dfe5f8857811530a686, id = a6e956c9-799e-49f9-b5c5-ac68aaa2dc21, last_modified = 2021-08-23
Source: classification engine Classification label: mal87.troj.evad.winEXE@15/2@3/0
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\Pictures\pressica.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Users\user\Pictures\pressica.exe Mutant created: \Sessions\1\BaseNamedObjects\toxotidae
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
Source: sample-20240612-unpacked.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sample-20240612-unpacked.exe ReversingLabs: Detection: 50%
Source: unknown Process created: C:\Users\user\Desktop\sample-20240612-unpacked.exe "C:\Users\user\Desktop\sample-20240612-unpacked.exe"
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*"
Source: C:\Windows\SysWOW64\xcopy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: unknown Process created: C:\Users\user\Pictures\pressica.exe "C:\Users\user\Pictures\pressica.exe"
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: unknown Process created: C:\Users\user\Pictures\pressica.exe "C:\Users\user\Pictures\pressica.exe"
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*"
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: textshaping.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: textshaping.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\pressica.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Automated click: OK
Source: C:\Users\user\Pictures\pressica.exe Automated click: OK
Source: C:\Users\user\Pictures\pressica.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: sample-20240612-unpacked.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00401EA0 LoadLibraryA,GetProcAddress,RegCreateKeyExA,GetProcAddress,strlen,RegSetValueExA, 0_2_00401EA0
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00402DE6 push ecx; ret 0_2_00402DF9
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\Pictures\pressica.exe
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce VirtualBox Guest Additions Manager
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: sample-20240612-unpacked.exe, 00000000.00000002.2093297747.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, pressica.exe, 00000007.00000002.2250921540.0000000000461000.00000004.00000020.00020000.00000000.sdmp, pressica.exe, 0000000A.00000002.2322651335.00000000006F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00402B8C IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00402B8C
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00401EA0 LoadLibraryA,GetProcAddress,RegCreateKeyExA,GetProcAddress,strlen,RegSetValueExA, 0_2_00401EA0
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00401CF0 GetProcessHeap,HeapAlloc,memcpy,memset,CreateProcessA, 0_2_00401CF0
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00402FD2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00402FD2
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00402CEE SetUnhandledExceptionFilter, 0_2_00402CEE
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00402B8C IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00402B8C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 2B00000 protect: page execute and read and write
Source: C:\Users\user\Pictures\pressica.exe Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 3290000 protect: page execute and read and write
Source: C:\Users\user\Pictures\pressica.exe Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 2EF0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00401C60 SetThreadContext,SetThreadContext,VirtualAllocEx,WriteProcessMemory, 0_2_00401C60
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Memory written: C:\Windows\SysWOW64\mspaint.exe base: 2B00000
Source: C:\Users\user\Pictures\pressica.exe Memory written: C:\Windows\SysWOW64\mspaint.exe base: 3290000
Source: C:\Users\user\Pictures\pressica.exe Memory written: C:\Windows\SysWOW64\mspaint.exe base: 2EF0000
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\System32\xcopy.exe" /f /y "C:\Users\user\Desktop\sample-20240612-unpacked.exe" "C:\Users\user\Pictures\pressica.exe*"
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Pictures\pressica.exe Process created: C:\Windows\SysWOW64\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00402E1E cpuid 0_2_00402E1E
Source: C:\Users\user\Desktop\sample-20240612-unpacked.exe Code function: 0_2_00402A7B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00402A7B

Remote Access Functionality

Source: Yara match File source: 0000000C.00000002.3306192530.0000000002EF0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3306192644.0000000002B00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3306194486.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2250921540.0000000000461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2322651335.00000000006F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2093297747.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos