Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1571903
MD5: 9a2cc9d6c6282e7b2a0ff5649a70b0df
SHA1: 99c7c3969c9ab39261b59f047514ff7de2bc4c07
SHA256: b08f2b65885b9ae1825d27ddf6dc9189641e0f8817999f4386da55ffcc548287
Tags: exe, LummaStealer, user-Bitsight

Detection

LummaC Stealer
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: https://drive-connect.cyou/apin Avira URL Cloud: Label: malware
Source: drive-connect.cyou Avira URL Cloud: Label: malware
Source: https://drive-connect.cyou/ Avira URL Cloud: Label: malware
Source: https://drive-connect.cyou/c Avira URL Cloud: Label: malware
Source: https://drive-connect.cyou/apis&&4 Avira URL Cloud: Label: malware
Source: https://drive-connect.cyou/api Avira URL Cloud: Label: malware
Source: 00000000.00000002.1657324741.000000000273F000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["impend-differ.biz", "zinc-sneark.biz", "drive-connect.cyou", "covery-mover.biz", "formy-spill.biz", "dare-curbys.biz", "se-blurry.biz", "dwell-exclaim.biz", "print-vexer.biz"], "Build id": "FATE99--test"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.2% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: impend-differ.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: print-vexer.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: dare-curbys.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: covery-mover.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: formy-spill.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: dwell-exclaim.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: zinc-sneark.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: se-blurry.biz
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: drive-connect.cyou
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000003.00000002.1697397120.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: FATE99--test
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.79.7:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F0919 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_004F0919
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004F0868 FindFirstFileExW, 2_2_004F0868
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004F0919 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_004F0919
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+05h] 3_2_0040A960
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, ecx 3_2_00409CC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edx], bl 3_2_0040CE55
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_0042A060
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0BF7BDDDh] 3_2_00425F7D
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, ecx 3_2_0041D074
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, ecx 3_2_0041D087
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [esi], cl 3_2_0042D085
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+79314A46h] 3_2_00426170
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh] 3_2_0041597D
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh] 3_2_00416E97
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, eax 3_2_00416E97
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, eax 3_2_00405910
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 3_2_00405910
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h 3_2_00425920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_004286F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esi+eax-000000BCh] 3_2_00417190
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, eax 3_2_00422270
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi+ebx], 00000000h 3_2_0040C274
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [00444284h] 3_2_00425230
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 3_2_0043CAC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+1Ch] 3_2_004292D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, ebx 3_2_004292D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 3_2_0042AAD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 3_2_00415ADC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then push eax 3_2_0040C36E
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, bx 3_2_0042536C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi] 3_2_00402B70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ecx], dx 3_2_00427307
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebp, word ptr [ecx+ebx*2] 3_2_00436B20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 3_2_0043DBD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 3_2_0043CBD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 3_2_00407470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 3_2_00407470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 3_2_0042B475
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h 3_2_00419C10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 3_2_0043CCE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 29DF508Eh 3_2_0043DCF0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_0042B4BB
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 3_2_0043CD60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_004345F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+2Ch] 3_2_00427653
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 3_2_0043CE00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 3_2_0042A630
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+36A27D27h] 3_2_0042C6D7
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [esi], al 3_2_0042C6D7
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+07540F19h] 3_2_0042C6D7
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-41h] 3_2_004296D8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esi+ecx-000000BCh] 3_2_00415EE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_00421EE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp al, 2Eh 3_2_004266E7
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 3_2_00417E82
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+ebp*8], 299A4ECDh 3_2_0043E690
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edx+02h], 0000h 3_2_0041CEA5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add ebx, 03h 3_2_00428F5D
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ecx+edx*8], B430E561h 3_2_00414F08
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, edx 3_2_00414F08
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_00420717
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ecx], dx 3_2_00420717
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah] 3_2_0042BFD3
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-51BA460Ah] 3_2_0042BFDA
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2298EE00h 3_2_0043DFB0

Networking

Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.79.7:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.79.7:443
Source: Malware configuration extractor URLs: impend-differ.biz
Source: Malware configuration extractor URLs: zinc-sneark.biz
Source: Malware configuration extractor URLs: drive-connect.cyou
Source: Malware configuration extractor URLs: covery-mover.biz
Source: Malware configuration extractor URLs: formy-spill.biz
Source: Malware configuration extractor URLs: dare-curbys.biz
Source: Malware configuration extractor URLs: se-blurry.biz
Source: Malware configuration extractor URLs: dwell-exclaim.biz
Source: Malware configuration extractor URLs: print-vexer.biz
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.79.7:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.79.7:443
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: drive-connect.cyou
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drive-connect.cyou
Source: unknown HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: drive-connect.cyou
Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697081822.00000000016BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-connect.cyou/
Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-connect.cyou/api
Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-connect.cyou/apin
Source: file.exe, 00000003.00000002.1697763562.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697081822.00000000016BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-connect.cyou/apis&&4
Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive-connect.cyou/c
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00431A30 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_00431A30
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00431BB0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 3_2_00431BB0
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00414A30 appears 76 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004EB97D appears 40 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00408000 appears 52 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004DD9E0 appears 102 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004E6C0B appears 42 times
Source: file.exe Static PE information: Section: .bss ZLIB complexity 1.0003383629931388
Source: classification engine Classification label: mal96.troj.evad.winEXE@6/0@1/1
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00436F90 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 3_2_00436F90
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DDB9A push ecx; ret 0_2_004DDBAD
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004DDB9A push ecx; ret 2_2_004DDBAD
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00446061 push edx; retf 3_2_00446062
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0043CA60 push eax; mov dword ptr [esp], 11102FFEh 3_2_0043CA63
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00445A2E push esi; ret 3_2_00445A31
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00442543 push esp; retf 3_2_00442549
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_00439F70 push eax; mov dword ptr [esp], 60616263h 3_2_00439F7F
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe TID: 7624 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7620 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F0919 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_004F0919
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004F0868 FindFirstFileExW, 2_2_004F0868
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004F0919 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_004F0919
Source: file.exe, 00000003.00000003.1697081822.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1697763562.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697297764.00000000016E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000003.1697081822.00000000016BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\file.exe Code function: 3_2_0043B480 LdrInitializeThunk, 3_2_0043B480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DD86F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004DD86F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005061A9 mov edi, dword ptr fs:[00000030h] 0_2_005061A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004D1B70 mov edi, dword ptr fs:[00000030h] 0_2_004D1B70
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004D1B70 mov edi, dword ptr fs:[00000030h] 2_2_004D1B70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EC275 GetProcessHeap, 0_2_004EC275
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DD86F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004DD86F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DD863 SetUnhandledExceptionFilter, 0_2_004DD863
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E695D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004E695D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DD4B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004DD4B3
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004DD86F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004DD86F
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004DD863 SetUnhandledExceptionFilter, 2_2_004DD863
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004E695D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004E695D
Source: C:\Users\user\Desktop\file.exe Code function: 2_2_004DD4B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_004DD4B3

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005061A9 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_005061A9
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_004F0170
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004F0111
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004F0245
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_004F0290
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004EBB60
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004F0337
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004EFBD2
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_004F043D
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_004EB5BC
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004EFE23
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_004EFEBE
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 2_2_004F0170
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 2_2_004F0111
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 2_2_004F0245
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 2_2_004F0290
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 2_2_004EBB60
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_004F0337
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_004EFBD2
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 2_2_004F043D
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 2_2_004EB5BC
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 2_2_004EFE23
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_004EFEBE
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DE170 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_004DE170
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR