Windows Analysis Report
https://zip-store.oss-ap-southeast-1.aliyuncs.com/sep.zip

Overview

General Information

Sample URL: https://zip-store.oss-ap-southeast-1.aliyuncs.com/sep.zip
Analysis ID: 1545525

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
LummaC encrypted strings found
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Sigma detected: PUA - Netcat Suspicious Execution
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: C:\Users\user\AppData\Local\Temp\tmighmmaaf Avira: detection malicious, Label: HEUR/AGEN.1318482
Source: OpenWith.exe.2196.14.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["seallysl.site", "dilemmadu.site", "goalyfeastz.site", "servicedny.site", "faulteyotk.site", "opposezmny.site", "contemteny.site", "forbidstow.site", "authorisev.site"], "Build id": "tLYMe5--111"}
Source: C:\Users\user\AppData\Local\Temp\tmighmmaaf ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\extract\Setup.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\tmighmmaaf Joe Sandbox ML: detected
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: servicedny.site
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: authorisev.site
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: faulteyotk.site
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: dilemmadu.site
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: contemteny.site
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: goalyfeastz.site
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: opposezmny.site
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: seallysl.site
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: forbidstow.site
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: tLYMe5--111
Source: unknown HTTPS traffic detected: 47.79.48.189:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: RmClient.pdbUGP source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2355674525.0000000002E6E000.00000008.00000001.01000000.00000000.sdmp, tmighmmaaf.11.dr
Source: Binary string: wntdll.pdbUGP source: more.com, 0000000B.00000002.2209329497.0000000004208000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.2210950320.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356465597.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356212668.0000000004D20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: more.com, 0000000B.00000002.2209329497.0000000004208000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.2210950320.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356465597.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356212668.0000000004D20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RmClient.pdb source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2355674525.0000000002E6E000.00000008.00000001.01000000.00000000.sdmp, tmighmmaaf.11.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-x64-cygwin-sans-NAS\jdk8u381\237\build\windows-x64\jdk\objs\javaw_objs\javaw.pdb source: nc.exe, 0000000A.00000002.2023720198.00007FF7815A9000.00000002.00000001.01000000.00000009.sdmp, nc.exe, 0000000A.00000000.1940374271.00007FF7815A9000.00000002.00000001.01000000.00000009.sdmp, more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF781587A9C FindFirstFileA,FindNextFileA,FindClose, 10_2_00007FF781587A9C
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A1F90 FindFirstFileExW, 10_2_00007FF7815A1F90

Networking

Source: Malware configuration extractor URLs: seallysl.site
Source: Malware configuration extractor URLs: dilemmadu.site
Source: Malware configuration extractor URLs: goalyfeastz.site
Source: Malware configuration extractor URLs: servicedny.site
Source: Malware configuration extractor URLs: faulteyotk.site
Source: Malware configuration extractor URLs: opposezmny.site
Source: Malware configuration extractor URLs: contemteny.site
Source: Malware configuration extractor URLs: forbidstow.site
Source: Malware configuration extractor URLs: authorisev.site
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /sep.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: zip-store.oss-ap-southeast-1.aliyuncs.comConnection: Keep-Alive
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: Phttp://www.facebook.com/sharer.php?s=100&p[title]=GreenCloud Printer&p[summary]= equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: zip-store.oss-ap-southeast-1.aliyuncs.com
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://127.0.0.1:%d
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Setup.exe, 00000007.00000002.2045068178.0000000003C59000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1910438310.00000000009EA000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: http://domain.com/yourfile
Source: Setup.exe, 00000007.00000002.2045068178.0000000003C59000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1910438310.00000000009EA000.00000002.00000001.01000000.00000005.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://download.obviousidea.com/update
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://download.obviousidea.com/updateU
Source: Setup.exe, 00000007.00000002.2045068178.0000000003709000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.0000000000401000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://fastmm.sourceforge.net).
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://go.likr.it/gcp_emptylistopenU
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://support.obviousidea.com/generateEvent.php?
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://support.obviousidea.com/greencloud/send_stats.php
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://support.obviousidea.com/greencloud/tutorial.php?lng=%LANG%openU
Source: Setup.exe, 00000007.00000002.2044717170.0000000002B63000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://support.obviousidea.com/send_log.php?id=GCPrinter
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://twitter.com/intent/tweet?source=photolikr&text=open
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Setup.exe, 00000007.00000000.1909608349.000000000090B000.00000020.00000001.01000000.00000005.sdmp, Setup.exe, 00000007.00000002.2045068178.0000000003C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: more.com, 0000000B.00000002.2210091351.000000000456B000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, OpenWith.exe, 0000000E.00000002.2356345873.0000000005081000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.mycompanyisgreen.org/?from=greencloudopenU
Source: Setup.exe, 00000007.00000002.2045068178.0000000003C59000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1910438310.00000000009EA000.00000002.00000001.01000000.00000005.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.obviousidea.com
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.obviousidea.com/
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.obviousidea.com/%LANG%/windows-software/greencloud-printer/
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.obviousidea.com/windows-software/greencloud-printer/
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.obviousidea.com/windows-software/greencloud-printer/open
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.obviousidea.com/windows-software/greencloud-printer/openU
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: Setup.exe, 00000007.00000002.2043808392.000000000091A000.00000004.00000001.01000000.00000005.sdmp, Setup.exe, 00000007.00000000.1910327082.0000000000918000.00000008.00000001.01000000.00000005.sdmp, Setup.exe, 00000007.00000002.2045068178.0000000003C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: Setup.exe, 00000007.00000002.2043808392.000000000091A000.00000004.00000001.01000000.00000005.sdmp, Setup.exe, 00000007.00000000.1910327082.0000000000918000.00000008.00000001.01000000.00000005.sdmp, Setup.exe, 00000007.00000002.2045068178.0000000003C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll-1.2.3rbr
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/v2/auth
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://api.dropboxapi.com/2/sharing/create_shared_link_with_settings
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://api.dropboxapi.com/2/users/get_current_accountU
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://api.dropboxapi.com/oauth2/tokenU
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://content.dropboxapi.com/2/files/upload
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://drive.google.com/
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://sandbox.evernote.com/OAuth.action
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://sandbox.evernote.com/oauth
Source: more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.dropbox.com/oauth2/authorize
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.googleapis.com/auth/drive.file
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.googleapis.com/drive/v2/filesU
Source: Setup.exe, 00000007.00000002.2045068178.0000000003725000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000007.00000000.1909608349.000000000041D000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.googleapis.com/upload/drive/v2/files?uploadType=resumable
Source: wget.exe, 00000002.00000002.1779696057.0000000002AAD000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr String found in binary or memory: https://zip-store.oss-ap-southeast-1.aliyuncs.com/sep.zip
Source: wget.exe, 00000002.00000002.1779449220.00000000001F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zip-store.oss-ap-southeast-1.aliyuncs.com/sep.zipA9
Source: wget.exe, 00000002.00000002.1779449220.00000000001F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zip-store.oss-ap-southeast-1.aliyuncs.com/sep.zipL9~.ER
Source: wget.exe, 00000002.00000002.1779449220.00000000001F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zip-store.oss-ap-southeast-1.aliyuncs.com/sep.zipL=6PRA9~#GR
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 47.79.48.189:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Source: C:\Windows\SysWOW64\7za.exe File dump: Setup.exe.3.dr 348869242
Source: C:\Users\user\Desktop\extract\Setup.exe Code function: 7_2_004169A5 NtQuerySystemInformation, 7_2_004169A5
Source: C:\Users\user\Desktop\extract\Setup.exe Code function: 7_2_00418C54 7_2_00418C54
Source: C:\Users\user\Desktop\extract\Setup.exe Code function: 7_2_00418A70 7_2_00418A70
Source: C:\Users\user\Desktop\extract\Setup.exe Code function: 7_2_00418CF4 7_2_00418CF4
Source: C:\Users\user\Desktop\extract\Setup.exe Code function: 7_2_0041896C 7_2_0041896C
Source: C:\Users\user\Desktop\extract\Setup.exe Code function: 7_2_00418D34 7_2_00418D34
Source: C:\Users\user\Desktop\extract\Setup.exe Code function: 7_2_00418B90 7_2_00418B90
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78159EA5C 10_2_00007FF78159EA5C
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A6A3C 10_2_00007FF7815A6A3C
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF781589ABC 10_2_00007FF781589ABC
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78159FACC 10_2_00007FF78159FACC
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A3A14 10_2_00007FF7815A3A14
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815921D8 10_2_00007FF7815921D8
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF781591CD8 10_2_00007FF781591CD8
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A84D8 10_2_00007FF7815A84D8
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF781598414 10_2_00007FF781598414
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A66C4 10_2_00007FF7815A66C4
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78159469C 10_2_00007FF78159469C
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A1D84 10_2_00007FF7815A1D84
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF781598E00 10_2_00007FF781598E00
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78159CDFC 10_2_00007FF78159CDFC
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78158DDD8 10_2_00007FF78158DDD8
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78158E05C 10_2_00007FF78158E05C
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815940E0 10_2_00007FF7815940E0
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A1F90 10_2_00007FF7815A1F90
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78159D808 10_2_00007FF78159D808
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A67A8 10_2_00007FF7815A67A8
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_050AD516 14_2_050AD516
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_05086D4E 14_2_05086D4E
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_050B680F 14_2_050B680F
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_0508A86E 14_2_0508A86E
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_0509FB7E 14_2_0509FB7E
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_0509FF8E 14_2_0509FF8E
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_050A1A2E 14_2_050A1A2E
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_0508D67E 14_2_0508D67E
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_050A3A9E 14_2_050A3A9E
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_05088C3E 14_2_05088C3E
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_050A589E 14_2_050A589E
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: String function: 00007FF78158115C appears 33 times
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: String function: 00007FF781586630 appears 48 times
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 448
Source: Setup.exe.3.dr Static PE information: Number of sections : 11 > 10
Source: Setup.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal100.troj.evad.win@15/13@1/1
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF781586728 GetLastError,FormatMessageA,MessageBoxA,fwprintf,LocalFree, 10_2_00007FF781586728
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2196
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
Source: C:\Users\user\Desktop\extract\Setup.exe File created: C:\Users\user\AppData\Local\Temp\59186a90
Source: Yara match File source: 7.0.Setup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2045068178.0000000003709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1909608349.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\extract\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nc.exe String found in binary or memory: sun/launcher/LauncherHelper
Source: nc.exe String found in binary or memory: -help
Source: OpenWith.exe String found in binary or memory: wild-stop-dirs
Source: OpenWith.exe String found in binary or memory: more-help
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://zip-store.oss-ap-southeast-1.aliyuncs.com/sep.zip" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://zip-store.oss-ap-southeast-1.aliyuncs.com/sep.zip"
Source: unknown Process created: C:\Windows\SysWOW64\7za.exe 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\sep.zip"
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\extract\Setup.exe "C:\Users\user\Desktop\extract\Setup.exe"
Source: C:\Users\user\Desktop\extract\Setup.exe Process created: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe
Source: C:\Users\user\Desktop\extract\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\OpenWith.exe C:\Windows\SysWOW64\OpenWith.exe
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 448
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://zip-store.oss-ap-southeast-1.aliyuncs.com/sep.zip"
Source: C:\Users\user\Desktop\extract\Setup.exe Process created: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe
Source: C:\Users\user\Desktop\extract\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\OpenWith.exe C:\Windows\SysWOW64\OpenWith.exe
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\7za.exe Section loaded: 7z.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: pla.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: tdh.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Automated click: OK
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Automated click: OK
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: RmClient.pdbUGP source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2355674525.0000000002E6E000.00000008.00000001.01000000.00000000.sdmp, tmighmmaaf.11.dr
Source: Binary string: wntdll.pdbUGP source: more.com, 0000000B.00000002.2209329497.0000000004208000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.2210950320.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356465597.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356212668.0000000004D20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: more.com, 0000000B.00000002.2209329497.0000000004208000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000B.00000002.2210950320.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356465597.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356212668.0000000004D20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RmClient.pdb source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2355674525.0000000002E6E000.00000008.00000001.01000000.00000000.sdmp, tmighmmaaf.11.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-x64-cygwin-sans-NAS\jdk8u381\237\build\windows-x64\jdk\objs\javaw_objs\javaw.pdb source: nc.exe, 0000000A.00000002.2023720198.00007FF7815A9000.00000002.00000001.01000000.00000009.sdmp, nc.exe, 0000000A.00000000.1940374271.00007FF7815A9000.00000002.00000001.01000000.00000009.sdmp, more.com, 0000000B.00000002.2210091351.00000000045B4000.00000004.00000800.00020000.00000000.sdmp, OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF781586A04 LoadLibraryA,GetProcAddress,GetProcAddress, 10_2_00007FF781586A04
Source: Setup.exe.3.dr Static PE information: section name: .didata
Source: nc.exe.7.dr Static PE information: section name: _RDATA
Source: tmighmmaaf.11.dr Static PE information: section name: lgwgx
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_050A8B9E push eax; ret 14_2_050A8BCC
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\tmighmmaaf
Source: C:\Users\user\Desktop\extract\Setup.exe File created: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\Desktop\extract\Setup.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TMIGHMMAAF
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\extract\Setup.exe API/Special instruction interceptor: Address: 6C517C44
Source: C:\Users\user\Desktop\extract\Setup.exe API/Special instruction interceptor: Address: 6C517945
Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 6C513B54
Source: C:\Windows\SysWOW64\OpenWith.exe API/Special instruction interceptor: Address: 42DC17
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmighmmaaf
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe API coverage: 6.1 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF781587A9C FindFirstFileA,FindNextFileA,FindClose, 10_2_00007FF781587A9C
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A1F90 FindFirstFileExW, 10_2_00007FF7815A1F90
Source: OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: Setup.exe, 00000007.00000002.2044124589.0000000000E67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: OpenWith.exe, 0000000E.00000002.2356345873.00000000050CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: wget.exe, 00000002.00000002.1779575622.0000000000A98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\extract\Setup.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\OpenWith.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78159B26C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00007FF78159B26C
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF781586A04 LoadLibraryA,GetProcAddress,GetProcAddress, 10_2_00007FF781586A04
Source: C:\Users\user\Desktop\extract\Setup.exe Code function: 7_2_00417075 mov eax, dword ptr fs:[00000030h] 7_2_00417075
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 14_2_0508357E mov eax, dword ptr fs:[00000030h] 14_2_0508357E
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A2F34 GetProcessHeap, 10_2_00007FF7815A2F34
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78159B26C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00007FF78159B26C
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78158A92C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00007FF78158A92C
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78158B1C8 SetUnhandledExceptionFilter, 10_2_00007FF78158B1C8
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78158AFE4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00007FF78158AFE4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\extract\Setup.exe NtSetInformationThread: Direct from: 0x417D16
Source: C:\Users\user\Desktop\extract\Setup.exe NtQuerySystemInformation: Direct from: 0x76EF7B2E
Source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: servicedny.site
Source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: authorisev.site
Source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: faulteyotk.site
Source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dilemmadu.site
Source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: contemteny.site
Source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: goalyfeastz.site
Source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: opposezmny.site
Source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: seallysl.site
Source: more.com, 0000000B.00000002.2209027042.00000000028A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: forbidstow.site
Source: C:\Users\user\Desktop\extract\Setup.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\OpenWith.exe base: 42B2C0
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\OpenWith.exe base: 2C6D008
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\OpenWith.exe base: 2E10000
Source: C:\Users\user\Desktop\extract\Setup.exe Process created: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe
Source: C:\Users\user\Desktop\extract\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\OpenWith.exe C:\Windows\SysWOW64\OpenWith.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://zip-store.oss-ap-southeast-1.aliyuncs.com/sep.zip" > cmdline.out 2>&1
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A8320 cpuid 10_2_00007FF7815A8320
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Users\user\Desktop\extract\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\59186a90 VolumeInformation
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF78158AED0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 10_2_00007FF78158AED0
Source: C:\Users\user\AppData\Roaming\kfqyosirg\GGTUHJTYJNH\nc.exe Code function: 10_2_00007FF7815A6A3C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 10_2_00007FF7815A6A3C
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR