Windows Analysis Report
malo.zip

Overview

General Information

Sample name: malo.zip
Analysis ID: 1559387
MD5: 64fc74457495cd5c7e59758845edb6f5
SHA1: 2dbb710f729dae3c4f3380c95cbd5c6f1c9eddb4
SHA256: 2fbd7b6a51a92c49809212abe6d6821d72ad45c62eb0d1c0b8634a36581125cb

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device

Classification

(classification chart not reproduced)

Process Tree

  • System is w10x64_ra
    • rundll32.exe (PID: 6272, cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding, MD5: EF3179D498793BF4234F708D3BE28633)
    • notepad.exe (PID: 6352, cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\malo\config.ini, MD5: 27F71B12CB585541885A31BE22F61C83)
    • notepad.exe (PID: 6992, cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\malo\config.ini, MD5: 27F71B12CB585541885A31BE22F61C83)
    • cleanup

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched
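The rundll32.exe entry in the process tree has an unknown parent and a command line that is the shell's standard out-of-process COM activation: shell32!SHCreateLocalServerRunDll with a CLSID and -Embedding is how Windows hosts a COM server whose LocalServer32 registration points at rundll32. The ATT&CK matrix later in this report still counts it under Rundll32, so a triage step that separates this pattern from invocations worth chasing is useful when reading sandbox output. The helper below is an added example, not part of the Joe Sandbox report and not the product's own logic; the Windows directory list, the abused-export subset and the verdict labels are assumptions made for the example, and the CLSID from the report's command line is not identified here.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Added triage helper; not from the report or from Joe Sandbox. The directory
# list, the export list and the verdict labels are assumptions for this example.
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# (dll, export) pairs documented as living-off-the-land primitives. Deliberately
# a short subset; take the full list from the LOLBAS project for real use.
ABUSED_EXPORTS = {
    ("comsvcs.dll", "minidump"),          # dump a process (typically lsass) to disk
    ("shell32.dll", "shellexec_rundll"),  # run an arbitrary command line
    ("url.dll", "openurl"),
    ("url.dll", "fileprotocolhandler"),
    ("advpack.dll", "launchinfsection"),
    ("ieadvpack.dll", "launchinfsection"),
    ("zipfldr.dll", "routethecall"),
    ("pcwutl.dll", "launchapplication"),
}

_CMDLINE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+'  # host binary, quoted or bare
    r'"?(?P<dll>[^",]+?)"?\s*,\s*'                    # DLL path, ends at the comma
    r'(?P<export>[^\s"]+)'                            # export name (or ordinal)
    r'(?:\s+(?P<args>.*))?$',                         # everything else is the argument string
    re.IGNORECASE,
)
_CLSID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)


def parse_rundll32(cmdline: str) -> Optional[dict]:
    """Split a rundll32 command line into host, DLL, export and arguments; None if it is not one."""
    m = _CMDLINE.match(cmdline)
    if m is None:
        return None
    parts = m.groupdict()
    parts["args"] = parts["args"] or ""
    parts["dll_name"] = PureWindowsPath(parts["dll"]).name.lower()
    parts["dll_dir"] = str(PureWindowsPath(parts["dll"]).parent).lower()
    return parts


def classify_rundll32(cmdline: str) -> str:
    """Verdicts: unparseable, dll-outside-windows-dirs, abused-export, com-local-server, system-dll-review."""
    p = parse_rundll32(cmdline)
    if p is None:
        return "unparseable"
    # A bare DLL name resolves through the search order, so it is treated like any non-system path.
    if p["dll_dir"] not in WINDOWS_DIRS:
        return "dll-outside-windows-dirs"
    if (p["dll_name"], p["export"].lower()) in ABUSED_EXPORTS:
        return "abused-export"
    # shell32!SHCreateLocalServerRunDll {CLSID} -Embedding is how Windows hosts an
    # out-of-process COM server registered with rundll32 as its LocalServer32.
    if (p["dll_name"] == "shell32.dll"
            and p["export"].lower() == "shcreatelocalserverrundll"
            and _CLSID.search(p["args"])
            and "-embedding" in p["args"].lower()):
        return "com-local-server"
    return "system-dll-review"


# The first line is the rundll32 command from this report's process tree; the
# other three are constructed for the example.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding",
    r"rundll32.exe C:\Users\Public\update.dll,Start",
    r"rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump 624 C:\Windows\Temp\l.dmp full",
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL hotplug.dll',
]


def triage(cmdlines: list) -> dict:
    """Map each command line to its verdict, in input order."""
    return {c: classify_rundll32(c) for c in cmdlines}


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_CMDLINES).items():
        print(f"{verdict:26} {line}")
```

The order of the checks matters: a system DLL with an abused export is still flagged even when the path is clean, and the COM-surrogate verdict is only reached for shell32.dll with both a CLSID and -Embedding present, so a lookalike that drops either token falls through to review.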

There are no malicious signatures. All signature results follow.

Source: Binary string: D:\project\LADM\Drivers\Trunk\AutoInstall\x64\Release\UDCC Launcher.pdb source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: Binary string: D:\Output\AutoInstall\Libs\UiLib_d_x64.pdbh source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: Binary string: D:\project\LADM\Drivers\Trunk\AutoInstall\x64\Release\UDCC Launcher.pdb< source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: Binary string: D:\Output\AutoInstall\Libs\UiLib_d_x64.pdb source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: UiLib_d_x64.dll, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FDE5000.00000004.00000020.00020000.00000000.sdmp, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FE1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.lenovo.com/
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FDA3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.lenovo.com/O.k
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FDE5000.00000004.00000020.00020000.00000000.sdmp, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2414514549.000002F26D5B5000.00000004.00000020.00020000.00000000.sdmp, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2414514549.000002F26D4FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.lenovo.com/consumer/monitor/lenovo_accessories_and_display_manager_v1_0_3_24_setup.
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2414514549.000002F26D4FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.lenovo.com/consumer/options/ladmversion.txt
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2414514549.000002F26D4FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.lenovo.com/consumer/options/ladmversion.txtl
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FDE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.lenovo.com:443/consumer/monitor/lenovo_accessories_and_display_manager_v1_0_3_24_se
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FD89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.lenovo.com:443/consumer/options/ladmversion.txt
Source: lenovo_accessories_and_display_manager_v1_0_3_24_setup.exe.10.dr | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: classification engine | Classification label: clean3.winZIP@5/2@0/1
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | File created: C:\Users\user\Desktop\malo\config.ini
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | Mutant created: \Sessions\1\BaseNamedObjects\UDCCLauncher
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | File read: C:\Users\user\Desktop\malo\config.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe "C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe"
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\malo\config.ini
Source: unknown | Process created: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe "C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe"
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\malo\config.ini
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | Sections loaded (in order): apphelp.dll, uilib_d_x64.dll, winhttp.dll, winmm.dll, d3d9.dll, kernel.appcore.dll, dwmapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, uxtheme.dll, msimg32.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (loaded three times), textshaping.dll, ondemandconnroutehelper.dll, webio.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, dpapi.dll, ondemandconnroutehelper.dll
Source: C:\Windows\System32\notepad.exe | Sections loaded (in order): kernel.appcore.dll, uxtheme.dll, mrmcorer.dll, windows.storage.dll, wldp.dll, textshaping.dll, efswrt.dll, mpr.dll, wintypes.dll, twinapi.appcore.dll, oleacc.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, policymanager.dll, msvcp110_win.dll
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe (second process instance) | Sections loaded (in order): uilib_d_x64.dll, winhttp.dll, winmm.dll, d3d9.dll, kernel.appcore.dll, dwmapi.dll, windows.storage.dll, wldp.dll, msasn1.dll
Source: C:\Windows\System32\notepad.exe (second process instance) | Sections loaded (in order): kernel.appcore.dll, uxtheme.dll, mrmcorer.dll, windows.storage.dll, wldp.dll, textshaping.dll, efswrt.dll, mpr.dll, wintypes.dll, twinapi.appcore.dll, oleacc.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, policymanager.dll, msvcp110_win.dll
Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | File written: C:\Users\user\Desktop\malo\config.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: malo.zip | Static file information: File size 2731255 > 1048576
Source: lenovo_accessories_and_display_manager_v1_0_3_24_setup.exe.10.dr | Static PE information: section name: .didata
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | File created: C:\LADM\lenovo_accessories_and_display_manager_v1_0_3_24_setup.exe
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | Dropped PE file which has not been started: C:\LADM\lenovo_accessories_and_display_manager_v1_0_3_24_setup.exe
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, TID: 5492 | Thread sleep time: -30000s >= -30000s
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FDE5000.00000004.00000020.00020000.00000000.sdmp, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2414514549.000002F26D5A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FDA3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\malo\config.ini VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\malo\config.ini VolumeInformation
Source: C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Only cells carrying a signature count are matches; the count is the number of signatures mapped to that technique.

Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1); Process Injection (1)
Defense Evasion: DLL Side-Loading (1); Masquerading (1); Process Injection (1); Rundll32 (1); Virtualization/Sandbox Evasion (1)
Discovery: File and Directory Discovery (2); Query Registry (1); Security Software Discovery (1); System Information Discovery (12); Virtualization/Sandbox Evasion (1)
No matches: Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Behavior Graph (ID: 1559387, sample: malo.zip, start date: 20/11/2024, architecture: WINDOWS, score: 3): adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, notepad.exe (two instances) and 2 other processes started; adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe contacted 23.212.88.224 (AKAMAI-ASUS, United States) and dropped lenovo_accessories_and_display_manager_v1_0_3_24_setup.exe (PE32).

No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | lenovo_accessories_and_display_manager_v1_0_3_24_setup.exe.10.dr | false | - | high
https://download.lenovo.com/consumer/options/ladmversion.txt | adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2414514549.000002F26D4FC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://download.lenovo.com:443/consumer/options/ladmversion.txt | adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FD89000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://download.lenovo.com/consumer/options/ladmversion.txtl | adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2414514549.000002F26D4FC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://download.lenovo.com/O.k | adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FDA3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://download.lenovo.com/consumer/monitor/lenovo_accessories_and_display_manager_v1_0_3_24_setup. | adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FDE5000.00000004.00000020.00020000.00000000.sdmp, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2414514549.000002F26D5B5000.00000004.00000020.00020000.00000000.sdmp, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2414514549.000002F26D4FC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://download.lenovo.com/ | adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FDE5000.00000004.00000020.00020000.00000000.sdmp, adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FE1E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://download.lenovo.com:443/consumer/monitor/lenovo_accessories_and_display_manager_v1_0_3_24_se | adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe, 0000000A.00000002.2416419789.000002F26FDE5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
23.212.88.224 | unknown | United States | 16625 | AKAMAI-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559387
Start date and time: 2024-11-20 13:24:27 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: malo.zip
Detection: CLEAN
Classification: clean3.winZIP@5/2@0/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .zip
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping network analysis since the amount of network traffic is too extensive
  • VT rate limit hit for: malo.zip
Time | Type | Description
07:25:39 | API Interceptor | 1x Sleep call for process: adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe modified
IP context (match: 23.212.88.224)
Associated Sample Name / URL | Detection | Threat Name
LADMAutoInstallService.exe.7z | malicious | Unknown
LADMAutoInstallService.exe.7z | malicious | Unknown
No context
ASN context (match: AKAMAI-ASUS)
Associated Sample Name / URL | Detection | Threat Name | IP
LADMAutoInstallService.exe.7z | malicious | Unknown | 184.28.90.27
LADMAutoInstallService.exe.7z | malicious | Unknown | 23.212.88.224
https://groupjlansen.com/?klkzhkfz | malicious | HTMLPhisher | 23.38.98.103
meow.arm7.elf | malicious | Unknown | 23.51.121.34
https://estudioit.cl/starl/#ZGVicmEuY2FydGVyQGNhc2EuZ292LmF1 | malicious | Unknown | 2.19.126.202
file.exe | malicious | Amadey, Stealc, Vidar | 23.57.90.171
QuarantineMessage.zip | malicious | Unknown | 23.217.172.185
Benefit Enrollment -wZ5nusm.pdf | malicious | Unknown | 23.203.104.175
Customer forms.pdf | malicious | Unknown | 104.78.188.188
Benefit Enrollment -eGz8VNb.pdf | malicious | Unknown | 23.203.104.175
No context
No context
                      Process:C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):116649984
                      Entropy (8bit):7.999546712387734
                      Encrypted:true
                      SSDEEP:3145728:W05K3+IRuWjszaTUto1e6DoCo/hZukHETgd4D9m:W05K3/DjsWoULo/tETgd89m
                      MD5:EAA15A4DABC776051E4BF8F26AD13E1E
                      SHA1:3040C8D8DA6C1CCF7C4AD752362F4E2A865BC3E3
                      SHA-256:6A374A3D39389C730E5D2173ADA7F4EDB03C3E0AB4D1EE93658FB44A20A74AFA
                      SHA-512:D44E21C8D093444135785ADAEDAA31DBB43D87658BAB0DD3351D1CB652DD30486247731F5D51A19701E268523A1B8184E73DCCE7113763C880A7E664C96A78EB
                      Malicious:false
                      Reputation:low
                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...WK.b.................p...........~............@..........................P......-.....@......@...................`.......@.......................=.. )...........................................................A.. ....P.......................text....V.......X.................. ..`.itext..l....p.......\.............. ..`.data....5.......6...t..............@....bss.....g...............................idata.......@......................@....didata......P......................@....edata.......`......................@..@.tls.........p...........................rdata..]...........................@..@.rsrc...............................@..@....................................@..@........................................................
                      Process:C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):21
                      Entropy (8bit):3.6897037321995474
                      Encrypted:false
                      SSDEEP:3:l4yJyn:lan
                      MD5:27E10D058A49788E9D663519AA74ABA0
                      SHA1:1C42BD51DBEF7E442466403CB2CF3317CD5711A6
                      SHA-256:56428E9B0C2AE1067AC4497EFBC670263BB4C22D82532F108B2D8FFA5B096B6F
                      SHA-512:2A28D4A50D89338A79C53AE37DB06B0F1CFC7A43552E7950916DD9213922F5D7C263510EBD4F86741E8D62591AD678B4F4893D731C6D2C714A7307447AA16357
                      Malicious:false
                      Reputation:low
                      Preview:[Settings]..times=1..
                      File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                      Entropy (8bit):7.996505283606878
                      TrID:
                      • ZIP compressed archive (8000/1) 100.00%
                      File name:malo.zip
                      File size:2'731'255 bytes
                      MD5:64fc74457495cd5c7e59758845edb6f5
                      SHA1:2dbb710f729dae3c4f3380c95cbd5c6f1c9eddb4
                      SHA256:2fbd7b6a51a92c49809212abe6d6821d72ad45c62eb0d1c0b8634a36581125cb
                      SHA512:6c1a564bfbc569294c10942d594476dbf6155abc2ce621c6aeecfedf4b56f97424b2e707468d95df4c72d8a36dc3074049f728a8f5e60a2bde2d3a1cf0a33b96
                      SSDEEP:49152:ArRN3iKAz66lbsHOZKTIcUuWx3UY27BQRZp5TFKavVK0iBRfaUHzM+:kRN3Iz6CbkILbuWFz2l+ZpNFKahiBRSO
                      TLSH:4FC533460EB1034E9D24A67B4D4F0072E99DB481FFBAD57D8A348F7E63B0048526D6AF
                      File Content Preview:PK.........QtY...?....@.?.D...adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe...tTE...&@H..Q..%.YE6.jP..Ew....jT.(...(.FE.%h.C4(h.U..x.(..9.......wT..............$.o...6O................j.c............q........]......s..?fX..........k
                      Icon Hash:1c1c1e4e4ececedc
                      Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                      Target ID:0
                      Start time:07:24:54
                      Start date:20/11/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                      Imagebase:0x7ff701980000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:10
                      Start time:07:25:10
                      Start date:20/11/2024
                      Path:C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe"
                      Imagebase:0x7ff7a2b60000
                      File size:4'176'448 bytes
                      MD5 hash:AA952CE873E81D0C4EC8BE91CB661D3A
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:false

                      Target ID:11
                      Start time:07:25:12
                      Start date:20/11/2024
                      Path:C:\Windows\System32\notepad.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\malo\config.ini
                      Imagebase:0x7ff7cda80000
                      File size:201'216 bytes
                      MD5 hash:27F71B12CB585541885A31BE22F61C83
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      Target ID:12
                      Start time:07:25:17
                      Start date:20/11/2024
                      Path:C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\Desktop\malo\adcd66e515fc2c48df7cd211dd9bed8f0118c4ec6e82da8034dcfc6e3915e3f9.exe"
                      Imagebase:0x7ff7a2b60000
                      File size:4'176'448 bytes
                      MD5 hash:AA952CE873E81D0C4EC8BE91CB661D3A
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:15
                      Start time:07:26:10
                      Start date:20/11/2024
                      Path:C:\Windows\System32\notepad.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\malo\config.ini
                      Imagebase:0x7ff7cda80000
                      File size:201'216 bytes
                      MD5 hash:27F71B12CB585541885A31BE22F61C83
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:true

                      No disassembly