Windows Analysis Report
demon.exe

Overview

General Information

Sample name: demon.exe
Analysis ID: 1545840
MD5: c8cbad944550f18e550725f69edf5553
SHA1: a4fedf75a7d1493ac25dac8a9ad47fcf5926def8
SHA256: c8c8d9baffd6ebfe015490f08ff6c93793c31706f4cf5dc868ad560fbbdff24f
Tags: exe, user-lontze7

Detection

Havoc
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Havoc
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Detected potential crypto function
PE file does not import any functions
Program does not show much activity (idle)

Classification

Name: Havoc
Description: First released in October 2022, the Havoc C2 Framework is a flexible post-exploitation framework written in Golang, C++, and Qt, with agents called 'Demons' written in C and ASM, created by @C5pider. Designed to support red team engagements and adversary emulation, it offers a robust set of capabilities tailored for offensive security operations. The framework, which is under active development, utilizes HTTP(s) and SMB as communication protocols for its implants. Havoc can generate implants, known as Demons, in several formats including EXE, DLL, and Shellcode. A notable feature of Havoc is its ability to bypass EDR by employing advanced evasion techniques such as sleep obfuscation, return address stack spoofing, and indirect syscalls. This capability enhances its effectiveness in evading detection and circumventing security measures.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc

AV Detection

Source: demon.exe Avira: detected
Source: demon.exe ReversingLabs: Detection: 68%
Source: demon.exe Virustotal: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: demon.exe Joe Sandbox ML: detected
Source: demon.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: unknown TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp, demon.exe, 00000000.00000002.3299898707.0000019756F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://87.120.113.125/
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://87.120.113.125/%
Source: demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://87.120.113.125/2
Source: demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://87.120.113.125/F
Source: demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://87.120.113.125/H
Source: demon.exe, 00000000.00000002.3299898707.0000019756F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://87.120.113.125/Pw
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://87.120.113.125/Q
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://87.120.113.125/g
Source: demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://87.120.113.125:443/
Source: demon.exe, 00000000.00000002.3299898707.0000019756F8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://87.120.113.125:443/X
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E94E80 NtAddBootEntry, 0_2_00007FF7C5E94E80
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E94FE0 NtAddBootEntry, 0_2_00007FF7C5E94FE0
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E8C6D0 0_2_00007FF7C5E8C6D0
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E88D50 0_2_00007FF7C5E88D50
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E8AAF0 0_2_00007FF7C5E8AAF0
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E93EC0 0_2_00007FF7C5E93EC0
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E8C0A0 0_2_00007FF7C5E8C0A0
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E96E70 0_2_00007FF7C5E96E70
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E8666F 0_2_00007FF7C5E8666F
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E95E40 0_2_00007FF7C5E95E40
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E97C00 0_2_00007FF7C5E97C00
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E811E0 0_2_00007FF7C5E811E0
Source: demon.exe Static PE information: No import functions for PE file found
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/1
Source: demon.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\demon.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\demon.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\demon.exe Section loaded: schannel.dll
Source: demon.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: C:\Users\user\Desktop\demon.exe Code function: GetComputerNameExA,GetUserNameA,GetComputerNameExA,GetComputerNameExA,GetAdaptersInfo,GetAdaptersInfo, 0_2_00007FF7C5E88D50
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: demon.exe, 00000000.00000002.3299898707.0000019756F3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: demon.exe, 00000000.00000002.3299898707.0000019756F9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWjZ
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E8E4A0 LdrGetProcedureAddress, 0_2_00007FF7C5E8E4A0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\demon.exe NtQueryInformationProcess: Indirect: 0x7FF7C5E94F0F
Source: C:\Users\user\Desktop\demon.exe Code function: 0_2_00007FF7C5E88D50 GetComputerNameExA,GetUserNameA,GetComputerNameExA,GetComputerNameExA,GetAdaptersInfo,GetAdaptersInfo, 0_2_00007FF7C5E88D50

Stealing of Sensitive Information

Source: Yara match File source: demon.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: demon.exe, type: SAMPLE