Windows Analysis Report
BWuMwnE7tw.exe

Overview

General Information

Sample name: BWuMwnE7tw.exe
renamed because original name is a hash value
Original sample name: bc9e4510fe172f8155d02b28ab79da83.exe
Analysis ID: 1559092
MD5: bc9e4510fe172f8155d02b28ab79da83
SHA1: 317b2bdf893072d9d5d1484d89ab590ec810b6c4
SHA256: 1dd4a56cf8d794eaf33526b673750be20b5d052645a4abfc13fd92781b878d8f
Tags: exeuser-abuse_ch
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

barindex
Source: BWuMwnE7tw.exe Avira: detected
Source: BWuMwnE7tw.exe Virustotal: Detection: 22% Perma Link
Source: BWuMwnE7tw.exe ReversingLabs: Detection: 21%
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: BWuMwnE7tw.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Code function: 0_2_100059A0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 0_2_100059A0
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini Jump to behavior

Networking

barindex
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 -w 1000 127.0.0.1
Source: global traffic HTTP traffic detected: GET /chromeum.bat HTTP/1.0User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko) Accept: */*Host: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: unknown TCP traffic detected without corresponding DNS query: 82.115.223.189
Source: global traffic HTTP traffic detected: GET /chromeum.bat HTTP/1.0User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko) Accept: */*Host: 82.115.223.189
Source: BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111136503.000000000259F000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110378123.00000000021CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.115.223.189/chromeum.bat
Source: BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111136503.000000000259F000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110378123.00000000021CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.115.223.189/chromeum.bat#tempinstpath#chromeum.bat0
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://s.symcd.com06
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: BWuMwnE7tw.exe, 00000000.00000002.2112068924.000000001000E000.00000002.00000001.01000000.00000004.sdmp, genteert.dll.0.dr String found in binary or memory: http://www.gentee.comB
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: http://www.openssl.org/f
Source: libeay32.dll.0.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp, BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp, ssleay32.dll.0.dr, libeay32.dll.0.dr String found in binary or memory: https://www.certum.pl/CPS0
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Code function: 0_2_10001E10 0_2_10001E10
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Code function: 0_2_10008300 0_2_10008300
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Code function: 0_2_10007770 0_2_10007770
Source: BWuMwnE7tw.exe, 00000000.00000002.2111599935.0000000002B64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamessleay32.dllH vs BWuMwnE7tw.exe
Source: BWuMwnE7tw.exe, 00000000.00000002.2112068924.000000001000E000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamegentee.dll vs BWuMwnE7tw.exe
Source: BWuMwnE7tw.exe, 00000000.00000002.2111471538.0000000002874000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibeay32.dllH vs BWuMwnE7tw.exe
Source: BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibeay32.dllH vs BWuMwnE7tw.exe
Source: BWuMwnE7tw.exe, 00000000.00000002.2111212039.0000000002689000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamessleay32.dllH vs BWuMwnE7tw.exe
Source: BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibeay32.dllH vs BWuMwnE7tw.exe
Source: BWuMwnE7tw.exe, 00000000.00000002.2110976596.0000000002380000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamessleay32.dllH vs BWuMwnE7tw.exe
Source: BWuMwnE7tw.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: BWuMwnE7tw.exe Static PE information: Section: .gentee ZLIB complexity 0.9985147215721366
Source: classification engine Classification label: mal68.troj.evad.winEXE@10/8@0/2
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File created: C:\Program Files (x86)\59470120112024199253140 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Mutant created: \Sessions\1\BaseNamedObjects\ci199253140
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File created: C:\Users\user\AppData\Local\Temp\genteert.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\gentee72\chromeum.bat""
Source: BWuMwnE7tw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: BWuMwnE7tw.exe Virustotal: Detection: 22%
Source: BWuMwnE7tw.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File read: C:\Users\user\Desktop\BWuMwnE7tw.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\BWuMwnE7tw.exe "C:\Users\user\Desktop\BWuMwnE7tw.exe"
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\gentee72\chromeum.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c deldll.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 -w 1000 127.0.0.1
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\gentee72\chromeum.bat"" Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c deldll.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 -w 1000 127.0.0.1 Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: BWuMwnE7tw.exe Static PE information: section name: .gentee
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File created: C:\Users\user\AppData\Local\Temp\gentee72\libeay32.dll Jump to dropped file
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File created: C:\Users\user\AppData\Local\Temp\gentee72\guig.dll Jump to dropped file
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File created: C:\Users\user\AppData\Local\Temp\gentee72\ssleay32.dll Jump to dropped file
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File created: C:\Users\user\AppData\Local\Temp\genteert.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 -w 1000 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 -w 1000 127.0.0.1 Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gentee72\libeay32.dll Jump to dropped file
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gentee72\guig.dll Jump to dropped file
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gentee72\ssleay32.dll Jump to dropped file
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\genteert.dll Jump to dropped file
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Code function: 0_2_100059A0 FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 0_2_100059A0
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini Jump to behavior
Source: BWuMwnE7tw.exe, 00000000.00000003.2089161320.000000000086A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&kM
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\gentee72\chromeum.bat"" Jump to behavior
Source: C:\Users\user\Desktop\BWuMwnE7tw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c deldll.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 -w 1000 127.0.0.1 Jump to behavior
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs