Windows Analysis Report
mvSettings.ex#.exe

Overview

General Information

Sample name: mvSettings.ex#.exe
Analysis ID: 1579335
MD5: 7ed567c4cca924bf8211f892b294c274
SHA1: 5da6b8fba3a72dde927d8e10e282df1b0b5dea55
SHA256: 0475fce6275c3c2b7d920bf219cf269899fb7be81ad17da1cd8fbf61a0303f05
Tags: exeuser-500mk500

Detection

MicroClip
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected MicroClip
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer

Classification

AV Detection

Source: mvSettings.ex#.exe Avira: detected
Source: mvSettings.ex#.exe Virustotal: Detection: 30%
Source: mvSettings.ex#.exe ReversingLabs: Detection: 26%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: mvSettings.ex#.exe Joe Sandbox ML: detected
Source: mvSettings.ex#.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: mvSettings.ex#.exe, 00000000.00000003.1868364089.0000000005785000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mvSettings.ex#.exe, 00000000.00000003.1868364089.0000000005785000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mvSettings.ex#.exe, 00000000.00000003.1868364089.0000000005785000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: mvSettings.ex#.exe, 00000000.00000003.1868364089.0000000005785000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mvSettings.ex#.exe, 00000000.00000003.1868364089.0000000005785000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cv.iptc.org/newscodes/digitalsourcetype/compositeWithTrainedAlgorithmicMedia
Source: mvSettings.ex#.exe, 00000000.00000003.1868364089.0000000005785000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: mvSettings.ex#.exe, 00000000.00000003.1868364089.0000000005785000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: mvSettings.ex#.exe, 00000000.00000003.1868364089.0000000005785000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://pki-crl.symauth.com/ca_7a5c3a0c73117406add19312bc1bc23f/LatestCRL.crl07
Source: mvSettings.ex#.exe, 00000000.00000003.1868364089.0000000005785000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://pki-ocsp.symauth.com0
Source: mvSettings.ex#.exe, 00000000.00000002.4204035112.0000000005731000.00000004.00001000.00020000.00000000.sdmp, mvSettings.ex#.exe, 00000000.00000003.1865439365.0000000003580000.00000004.00001000.00020000.00000000.sdmp, mvSettings.ex#.exe, 00000000.00000002.4199871290.00000000009F1000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.indyproject.org/

System Summary

Source: mvSettings.ex#.exe Static PE information: section name:
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Process Stats: CPU usage > 49%
Source: mvSettings.ex#.exe Static PE information: Number of sections : 19 > 10
Source: mvSettings.ex#.exe, 00000000.00000002.4204035112.00000000056FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs mvSettings.ex#.exe
Source: mvSettings.ex#.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mvSettings.ex#.exe Static PE information: Section: ZLIB complexity 0.9948508522727273
Source: mvSettings.ex#.exe Static PE information: Section: ZLIB complexity 0.9934663318452381
Source: mvSettings.ex#.exe Static PE information: Section: ZLIB complexity 0.9983177923387097
Source: mvSettings.ex#.exe Static PE information: Section: ZLIB complexity 0.9978506229957242
Source: mvSettings.ex#.exe Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File created: C:\Users\user\Desktop\error.log
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Mutant created: \Sessions\1\BaseNamedObjects\fedd1d1122aa65028c81e16ceb85d9c73790a2fa
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mvSettings.ex#.exe Virustotal: Detection: 30%
Source: mvSettings.ex#.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: magnification.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: security.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: idndl.dll
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: iphlpapi.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: mvSettings.ex#.exe Static file information: File size 16323088 > 1048576
Source: mvSettings.ex#.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x12e600
Source: mvSettings.ex#.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x372600
Source: mvSettings.ex#.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x9cba00
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: mvSettings.ex#.exe Static PE information: section name: .themida
Source: mvSettings.ex#.exe Static PE information: section name: .boot
Source: mvSettings.ex#.exe Static PE information: section name: entropy: 7.8974723923582095

Boot Survival

Source: C:\Users\user\Desktop\mvSettings.ex#.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\mvSettings.ex#.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Section loaded: OutputDebugStringW count: 1948
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Window / User API: threadDelayed 9000
Source: C:\Users\user\Desktop\mvSettings.ex#.exe TID: 7928 Thread sleep time: -51000s >= -30000s
Source: C:\Users\user\Desktop\mvSettings.ex#.exe TID: 7924 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\mvSettings.ex#.exe TID: 7924 Thread sleep time: -331000s >= -30000s
Source: C:\Users\user\Desktop\mvSettings.ex#.exe TID: 7924 Thread sleep time: -9000000s >= -30000s
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\mvSettings.ex#.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: mvSettings.ex#.exe, 00000000.00000003.1860741659.0000000003580000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__ 0
Source: mvSettings.ex#.exe, 00000000.00000002.4203864762.00000000035D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: mvSettings.ex#.exe, 00000000.00000002.4200201255.00000000014BC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: @Idassignednumbers@IdPORT_vmnet
Source: mvSettings.ex#.exe, 00000000.00000003.1859388036.0000000003580000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__ 0
Source: mvSettings.ex#.exe, 00000000.00000002.4200201255.00000000014BC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: @Idassignednumbers@IdPORT_vmnet$@Idassignednumbers@IdPORT_genrad_mux
Source: C:\Users\user\Desktop\mvSettings.ex#.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\mvSettings.ex#.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\mvSettings.ex#.exe Process queried: DebugObjectHandle
Source: mvSettings.ex#.exe, 00000000.00000002.4203864762.00000000035D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerome=m]?
Source: mvSettings.ex#.exe, 00000000.00000002.4204035112.000000000574E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: program manager chromelication5776468.zip
Source: mvSettings.ex#.exe, 00000000.00000003.1874662923.0000000005BBD000.00000004.00001000.00020000.00000000.sdmp, mvSettings.ex#.exe, 00000000.00000002.4200201255.00000000014BC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: @Winapi@Windows@DOF_PROGMAN
Source: mvSettings.ex#.exe, 00000000.00000002.4204035112.000000000579F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: mvSettings.ex#.exe, 00000000.00000002.4203864762.00000000035D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerI
Source: mvSettings.ex#.exe, 00000000.00000002.4203864762.00000000035D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerpbx~n
Source: mvSettings.ex#.exe, 00000000.00000002.4203864762.00000000035D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerotetaC
Source: mvSettings.ex#.exe, 00000000.00000002.4203864762.00000000035D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageromeom

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: mvSettings.ex#.exe PID: 7636, type: MEMORYSTR
Source: mvSettings.ex#.exe, 00000000.00000002.4204035112.000000000574E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: /C:\Users\user\AppData\Roaming\Electrum\wallets
Source: mvSettings.ex#.exe, 00000000.00000003.1864922909.00000000056A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 3com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
Source: mvSettings.ex#.exe, 00000000.00000002.4204035112.000000000571A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 3C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: mvSettings.ex#.exe, 00000000.00000002.4204035112.000000000571A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 0C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: mvSettings.ex#.exe, 00000000.00000003.1864922909.00000000056A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: pnl_exodush
Source: mvSettings.ex#.exe, 00000000.00000002.4204035112.00000000056F6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ethereum
Source: mvSettings.ex#.exe, 00000000.00000002.4204035112.0000000005738000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 4C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsp
Source: mvSettings.ex#.exe, 00000000.00000003.1864922909.00000000056A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore

Remote Access Functionality

Source: Yara match File source: Process Memory Space: mvSettings.ex#.exe PID: 7636, type: MEMORYSTR
No contacted IP infos