Windows Analysis Report
Update-KB6125-x86.exe

Overview

General Information

Sample name: Update-KB6125-x86.exe
Analysis ID: 1579446
MD5: d8cbdb14f06554b20694184c4738cc30
SHA1: 2b0d31ff5e50d57af9190e6e24795fee47014a38
SHA256: 765039963bf7c037a21bda34ee18f31d1cc3cf27547dd8daaa6f213de85a58ca
Tags: exe, user-TeamDreier

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Detected PE file pumping (to bypass AV & sandboxing)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Update-KB6125-x86.exe Avira: detected
Source: C:\Windows\tserv.exe Avira: detection malicious, Label: WORM/Stration.C
Source: C:\Windows\tserv.exe ReversingLabs: Detection: 94%
Source: Update-KB6125-x86.exe Virustotal: Detection: 84%
Source: Update-KB6125-x86.exe ReversingLabs: Detection: 94%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.0% probability
Source: C:\Windows\tserv.exe Joe Sandbox ML: detected
Source: Update-KB6125-x86.exe Joe Sandbox ML: detected
Source: Update-KB6125-x86.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose, 0_2_00406360
Source: global traffic HTTP traffic detected: GET /chr/wtb/lt.exe HTTP/1.1, Host: www4.cedesunjerinkas.com (2 identical requests, source ports 49730 and 49740)
Source: Joe Sandbox View IP Address: 193.166.255.171
Source: Joe Sandbox View IP Address: 67.195.204.72
Source: Joe Sandbox View IP Address: 67.195.228.110
Source: Network traffic Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.4:49730 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49730 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49730 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49740 -> 193.166.255.171:80
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 67.195.204.72:25
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 67.195.204.73:25
Source: global traffic TCP traffic: 192.168.2.4:49743 -> 67.195.228.110:25
Source: global traffic TCP traffic: 192.168.2.4:49848 -> 142.250.141.26:25
Source: global traffic TCP traffic: 192.168.2.4:49896 -> 142.250.157.26:25
Source: global traffic TCP traffic: 192.168.2.4:49945 -> 209.85.233.26:25
Source: global traffic TCP traffic: 192.168.2.4:49996 -> 173.194.202.27:25
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 occurrences)
Source: global traffic DNS traffic detected: DNS query: yahoo.com
Source: global traffic DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic DNS traffic detected: DNS query: www4.cedesunjerinkas.com
Source: global traffic DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic DNS traffic detected: DNS query: gmail.com
Source: global traffic DNS traffic detected: DNS query: alt1.gmail-smtp-in.l.google.com
Source: global traffic DNS traffic detected: DNS query: gmail-smtp-in.l.google.com
Source: global traffic DNS traffic detected: DNS query: alt2.gmail-smtp-in.l.google.com
Source: global traffic DNS traffic detected: DNS query: alt3.gmail-smtp-in.l.google.com
Source: global traffic DNS traffic detected: DNS query: alt4.gmail-smtp-in.l.google.com
Source: global traffic DNS traffic detected: DNS query: hotmail.com
Source: global traffic DNS traffic detected: DNS query: hotmail-com.olc.protection.outlook.com
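Detection logic run over the connection, HTTP and DNS lines above, as an added example that is not part of this report. It reproduces three of the verdicts from the traffic alone: the port-25 fan-out behind the "Suspicious Outbound SMTP Connections" Sigma hit, the MX-host resolution pattern (a query for the bare recipient domain followed by queries for that provider's inbound MX hosts, which is what a mass-mailer that delivers mail itself rather than through a configured relay looks like), and the short alphanumeric .exe download that ET 2019714 is named for. The input lines are copied from the report as constructed input (the port-80 flow is taken from the Suricata alerts); the fan-out threshold, the empty relay allow-list and the MX host suffixes are assumptions.

```python
"""Network triage over the traffic lines in this report.

Added example, not part of the Joe Sandbox report. REPORT_LINES is constructed
from the report; SMTP_FANOUT_THRESHOLD, MAIL_RELAYS and MX_SUFFIXES are assumptions.
"""
import json
import re
from collections import defaultdict

REPORT_LINES = """\
TCP traffic: 192.168.2.4:49732 -> 67.195.204.72:25
TCP traffic: 192.168.2.4:49738 -> 67.195.204.73:25
TCP traffic: 192.168.2.4:49743 -> 67.195.228.110:25
TCP traffic: 192.168.2.4:49848 -> 142.250.141.26:25
TCP traffic: 192.168.2.4:49896 -> 142.250.157.26:25
TCP traffic: 192.168.2.4:49945 -> 209.85.233.26:25
TCP traffic: 192.168.2.4:49996 -> 173.194.202.27:25
TCP traffic: 192.168.2.4:49730 -> 193.166.255.171:80
HTTP traffic detected: GET /chr/wtb/lt.exe HTTP/1.1Host: www4.cedesunjerinkas.com
DNS query: yahoo.com
DNS query: mta6.am0.yahoodns.net
DNS query: www4.cedesunjerinkas.com
DNS query: gmail.com
DNS query: gmail-smtp-in.l.google.com
DNS query: hotmail.com
DNS query: hotmail-com.olc.protection.outlook.com
""".splitlines()

TCP_RE = re.compile(r"TCP traffic: (\S+?):(\d+) -> (\S+?):(\d+)")
HTTP_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01]Host: (\S+)")
DNS_RE = re.compile(r"DNS query: (\S+)$")

MAIL_RELAYS = set()          # hosts permitted to speak SMTP outbound (assumed: none)
SMTP_FANOUT_THRESHOLD = 3    # distinct port-25 peers from one host (assumed)
# Inbound MX host suffixes of the three providers the sample resolved (assumed list).
MX_SUFFIXES = (".yahoodns.net", "gmail-smtp-in.l.google.com", ".protection.outlook.com")


def smtp_fanout(lines):
    """Sources that opened TCP/25 to at least SMTP_FANOUT_THRESHOLD distinct peers."""
    peers = defaultdict(set)
    for line in lines:
        m = TCP_RE.search(line)
        if m and m.group(4) == "25" and m.group(1) not in MAIL_RELAYS:
            peers[m.group(1)].add(m.group(3))
    return {src: sorted(ips) for src, ips in peers.items()
            if len(ips) >= SMTP_FANOUT_THRESHOLD}


def mx_lookups(lines):
    """MX hosts the sample resolved: it located its recipients' mail servers itself."""
    hosts = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and m.group(1).lower().endswith(MX_SUFFIXES):
            hosts.append(m.group(1).lower())
    return sorted(set(hosts))


def terse_exe_downloads(lines):
    """Executable fetches whose file name is a short alphanumeric token, as (host, path)."""
    hits = []
    for line in lines:
        m = HTTP_RE.search(line)
        if not m:
            continue
        path, host = m.group(2), m.group(3)
        name = path.rsplit("/", 1)[-1]
        if re.fullmatch(r"[a-z0-9]{1,8}\.exe", name, re.IGNORECASE):
            hits.append((host, path))
    return hits


def triage(lines):
    """Combine the three checks into one verdict dictionary."""
    return {
        "smtp_fanout": smtp_fanout(lines),
        "mx_lookups": mx_lookups(lines),
        "exe_downloads": terse_exe_downloads(lines),
    }


if __name__ == "__main__":
    print(json.dumps(triage(REPORT_LINES), indent=2))
```

On a real network the same fan-out rule should exclude the organisation's MTAs (the MAIL_RELAYS set) and be evaluated over a time window; a workstation that resolves MX records and opens port 25 to seven provider MX hosts in one run has no benign explanation, which is why egress filtering of TCP/25 from non-mail hosts stops this family's spreading outright.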
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00423D83: QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError, 0_2_00423D83
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe File created: C:\Windows\tserv.exe
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe File created: C:\Windows\tserv.exe:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00411800 0_2_00411800
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_004108D0 0_2_004108D0
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040C8E0 0_2_0040C8E0
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040F0E9 0_2_0040F0E9
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00410907 0_2_00410907
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00404110 0_2_00404110
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00409119 0_2_00409119
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040F1C7 0_2_0040F1C7
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040C1D0 0_2_0040C1D0
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00404990 0_2_00404990
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_004091A7 0_2_004091A7
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040E246 0_2_0040E246
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00428A08 0_2_00428A08
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00425214 0_2_00425214
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00405310 0_2_00405310
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00408BC0 0_2_00408BC0
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00415BD0 0_2_00415BD0
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0041B3D0 0_2_0041B3D0
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040DBF0 0_2_0040DBF0
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0041E3A0 0_2_0041E3A0
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00409436 0_2_00409436
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00409CF7 0_2_00409CF7
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0041BD00 0_2_0041BD00
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040EDE0 0_2_0040EDE0
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040DE56 0_2_0040DE56
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0041C660 0_2_0041C660
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00410670 0_2_00410670
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040E676 0_2_0040E676
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00409F47 0_2_00409F47
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040EF78 0_2_0040EF78
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040FF30 0_2_0040FF30
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00405F30 0_2_00405F30
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: String function: 0042664C appears 45 times
Source: classification engine Classification label: mal100.evad.winEXE@4/2@14/9
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, 0_2_004047A0
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00405090 GetSystemDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetFileAttributesA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00405090
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0041E0B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,CloseHandle, 0_2_0041E0B0
Source: C:\Windows\tserv.exe Mutant created: NULL
Source: Update-KB6125-x86.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe File read: C:\Users\user\Desktop\Update-KB6125-x86.exe
Source: unknown Process created: C:\Users\user\Desktop\Update-KB6125-x86.exe "C:\Users\user\Desktop\Update-KB6125-x86.exe"
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: unknown Process created: C:\Windows\tserv.exe "C:\Windows\tserv.exe" s
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: winmmbase.dll (2 loads)
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: cmut449c14b7.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: coremessaging.dll (2 loads)
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Section loaded: wintypes.dll (3 loads)
Source: C:\Windows\tserv.exe Section loaded: apphelp.dll
Source: C:\Windows\tserv.exe Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe Section loaded: wininet.dll
Source: C:\Windows\tserv.exe Section loaded: dnsapi.dll
Source: C:\Windows\tserv.exe Section loaded: iphlpapi.dll
Source: C:\Windows\tserv.exe Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe Section loaded: iertutil.dll
Source: C:\Windows\tserv.exe Section loaded: sspicli.dll
Source: C:\Windows\tserv.exe Section loaded: windows.storage.dll
Source: C:\Windows\tserv.exe Section loaded: wldp.dll
Source: C:\Windows\tserv.exe Section loaded: profapi.dll
Source: C:\Windows\tserv.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\tserv.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\tserv.exe Section loaded: winhttp.dll
Source: C:\Windows\tserv.exe Section loaded: mswsock.dll
Source: C:\Windows\tserv.exe Section loaded: winnsi.dll
Source: C:\Windows\tserv.exe Section loaded: napinsp.dll
Source: C:\Windows\tserv.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\tserv.exe Section loaded: wshbth.dll
Source: C:\Windows\tserv.exe Section loaded: nlaapi.dll
Source: C:\Windows\tserv.exe Section loaded: winrnr.dll
Source: C:\Windows\tserv.exe Section loaded: urlmon.dll
Source: C:\Windows\tserv.exe Section loaded: srvcli.dll
Source: C:\Windows\tserv.exe Section loaded: netutils.dll
Source: C:\Windows\tserv.exe Section loaded: rasadhlp.dll
Source: C:\Windows\tserv.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\tserv.exe Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe Section loaded: wininet.dll
Source: C:\Windows\tserv.exe Section loaded: dnsapi.dll
Source: C:\Windows\tserv.exe Section loaded: iphlpapi.dll
Source: C:\Windows\tserv.exe Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe Section loaded: napinsp.dll
Source: C:\Windows\tserv.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\tserv.exe Section loaded: wshbth.dll
Source: C:\Windows\tserv.exe Section loaded: nlaapi.dll
Source: C:\Windows\tserv.exe Section loaded: mswsock.dll
Source: C:\Windows\tserv.exe Section loaded: winrnr.dll
Source: C:\Windows\tserv.exe Section loaded: iertutil.dll
Source: C:\Windows\tserv.exe Section loaded: sspicli.dll
Source: C:\Windows\tserv.exe Section loaded: windows.storage.dll
Source: C:\Windows\tserv.exe Section loaded: wldp.dll
Source: C:\Windows\tserv.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\tserv.exe Section loaded: profapi.dll
Source: C:\Windows\tserv.exe Section loaded: rasadhlp.dll
Source: C:\Windows\tserv.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\tserv.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\tserv.exe Section loaded: winhttp.dll
Source: C:\Windows\tserv.exe Section loaded: winnsi.dll
Source: C:\Windows\tserv.exe Section loaded: urlmon.dll
Source: C:\Windows\tserv.exe Section loaded: srvcli.dll
Source: C:\Windows\tserv.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA, 0_2_0041F660
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0042647C push eax; ret 0_2_0042649A
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_004254B0 push eax; ret 0_2_004254C4
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_004254B0 push eax; ret 0_2_004254EC
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00426687 push ecx; ret 0_2_00426697

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Executable created and started: C:\Windows\tserv.exe
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe File created: C:\Windows\tserv.exe

Boot Survival

Source: C:\Windows\tserv.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs
Source: C:\Windows\tserv.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run tserv (2 writes)
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_0041D159
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Update-KB6125-x86.exe Static PE information: Resource name: RT_ICON size: 0xffffff28
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040C1D0 rdtsc 0_2_0040C1D0
Source: C:\Windows\tserv.exe Thread delayed: delay time: 300000 ms (2 threads)
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe API coverage: 9.3 %
Source: C:\Windows\tserv.exe TID: 7416 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\tserv.exe TID: 7748 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\tserv.exe Last function: Thread delayed (2 threads)
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00429F44 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_00429F44
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0041F830 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,SetEvent,Sleep, 0_2_0041F830
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0042731A SetUnhandledExceptionFilter, 0_2_0042731A
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0042732E SetUnhandledExceptionFilter, 0_2_0042732E

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread, 0_2_00404840
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,HeapAlloc,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor, 0_2_00423260
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: GetLocaleInfoA, 0_2_0042C8B2
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00401830 ExpandEnvironmentStringsA,GetLocalTime,CreateFileA,CloseHandle, 0_2_00401830
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_0040BE00 lstrlenA,GetLocalTime,GetTimeZoneInformation,lstrlenA, 0_2_0040BE00
Source: C:\Users\user\Desktop\Update-KB6125-x86.exe Code function: 0_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA, 0_2_00425D91
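Host-side checks that reproduce the Boot Survival findings (the Wow6432Node Run value and the AppInit_DLLs value written by C:\Windows\tserv.exe), the drop into C:\Windows, and the OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread chain at 0_2_00404840, as an added example that is not part of this report. The records are constructed events in Sysmon's field layout built from the report's observations, not real telemetry; the AppInit_DLLs value data, the injection target image and the list of directories trusted to write into C:\Windows are assumptions.

```python
"""Sysmon-style triage for the persistence and injection behaviour in this report.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from the
report's observations in Sysmon's field layout (EventID 8 CreateRemoteThread,
11 FileCreate, 13 RegistryEvent SetValue); the AppInit_DLLs data, the injection
target and TRUSTED_WRITERS are assumptions.
"""
import re

# Autorun locations behind the two Sigma hits; anchored at the end of the key path
# so both the native and the Wow6432Node registry view match.
AUTORUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$"
    r"|\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs$",
    re.IGNORECASE,
)
# A PE written straight into C:\Windows, not into a subdirectory.
WINDOWS_DIR_RE = re.compile(r"^C:\\Windows\\[^\\]+\.(exe|dll)$", re.IGNORECASE)
# Writers permitted to place files in C:\Windows (assumption).
TRUSTED_WRITERS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

EVENTS = [  # constructed, not real Sysmon output
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\Update-KB6125-x86.exe",
     "TargetFilename": r"C:\Windows\tserv.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\tserv.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tserv",
     "Details": r"C:\Windows\tserv.exe s"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\tserv.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": "(value data not in the report)"},
    {"EventID": 8, "SourceImage": r"C:\Users\user\Desktop\Update-KB6125-x86.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},  # target image assumed
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout",
     "Details": "15"},  # benign control under the same parent key
]


def autorun_writes(events):
    """Value sets under Run/RunOnce or AppInit_DLLs, with the registry view they hit."""
    hits = []
    for e in events:
        if e.get("EventID") == 13 and e.get("EventType") == "SetValue" \
                and AUTORUN_KEY_RE.search(e.get("TargetObject", "")):
            hits.append({"image": e["Image"], "key": e["TargetObject"],
                         "wow64": "\\wow6432node\\" in e["TargetObject"].lower()})
    return hits


def cross_process_threads(events):
    """CreateRemoteThread whose target is a different image than the caller."""
    return [(e["SourceImage"], e["TargetImage"]) for e in events
            if e.get("EventID") == 8
            and e.get("SourceImage", "").lower() != e.get("TargetImage", "").lower()]


def windows_dir_drops(events):
    """PE files written directly into C:\\Windows by a process outside the system directories."""
    return [(e["Image"], e["TargetFilename"]) for e in events
            if e.get("EventID") == 11
            and WINDOWS_DIR_RE.match(e.get("TargetFilename", ""))
            and not e.get("Image", "").lower().startswith(TRUSTED_WRITERS)]


def self_persisting_drops(events):
    """Dropped PE that later writes an autorun value pointing at itself (the tserv.exe pattern)."""
    dropped = {path.lower() for _, path in windows_dir_drops(events)}
    found = set()
    for e in events:
        if e.get("EventID") == 13 and AUTORUN_KEY_RE.search(e.get("TargetObject", "")):
            img = e.get("Image", "").lower()
            if img in dropped and img in e.get("Details", "").lower():
                found.add(e["Image"])
    return sorted(found)


def triage(events):
    """All four checks over one event list."""
    return {
        "autorun_writes": autorun_writes(events),
        "cross_process_threads": cross_process_threads(events),
        "windows_dir_drops": windows_dir_drops(events),
        "self_persisting_drops": self_persisting_drops(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(name, hits)
```

The correlation in self_persisting_drops is the high-confidence signal: a binary that arrives in C:\Windows from a user-profile process and then registers itself under Run is the report's whole installation chain in one query. Note that the AppInit_DLLs write is still worth alerting on but no longer buys the sample much on current hosts: Windows ignores AppInit_DLLs when Secure Boot is enabled, so the Run value is the persistence that actually survives reboot.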