Windows Analysis Report GlLHM7paoZ.exe

Overview

General Information

Sample Name: GlLHM7paoZ.exe
Analysis ID: 508200
MD5: 598c53bfef81e489375f09792e487f1a
SHA1: 80a29bd2c349a8588edf42653ed739054f9a10f5
SHA256: 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

Detection

BLACKMatter
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Found ransom note / readme
Antivirus / Scanner detection for submitted sample
Yara detected BLACKMatter Ransomware
Multi AV Scanner detection for domain / URL
Hides threads from debuggers
Changes the wallpaper picture
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Contains functionality to read the PEB
Enables security privileges

Classification

AV Detection:

Found malware configuration
Source: 0.2.GlLHM7paoZ.exe.10f0000.0.unpack Malware Configuration Extractor: BLACKMatter {"Version": "1.2", "RSA Key": "8719a830f4ba94949291582b6654f96c96d9a0f4419f52f367cf2e19b9c95a9b7091cbefafbe5ae39dae285894590a8db8b764e572fab5234646f8659ada2fbd8c37bfddd60797a5ad9dad2ded37969d179ea4ad4c1980d0e70b056241d325e18beb5cc4925fa56abf810f916e7932d016a86e3ad97749e75f9031114b060b56", "Company Victim ID": "512478c08dada2af19e49808fbda5b0b", "AES key": "a6f330b09cd47b4fb9214f7836aa46ad", "ODD_CRYPT_LARGE_FILES": false, "NEED_MAKE_LOGON": true, "MOUNT_UNITS_AND_CRYPT": true, "CRYPT_NETWORK_RESOURCES_AND_AD": true, "TERMINATE_PROCESSES": true, "STOP_SERVICES_AND_DELETE": true, "CREATE_MUTEX": true, "PREPARE_VICTIM_DATA_AND_SEND": true, "PROCESS_TO_KILL": ["encsvc", "thebat", "mydesktopqos", "xfssvccon", "firefox", "infopath", "winword", "steam", "synctime", "notepad", "ocomm", "onenote", "mspub", "thunderbird", "agntsvc", "sql", "excel", "powerpnt", "outlook", "wordpad", "dbeng50", "isqlplussvc", "sqbcoreservice", "oracle", "ocautoupds", "dbsnmp", "msaccess", "tbirdconfig", "ocssd", "mydesktopservice", "visio"], "SERVICES_TO_KILL": ["mepocs", "memtas", "veeam", "svc$", "backup", "sql", "vss"], "C2_URLS": ["https://paymenthacks.com", "http://paymenthacks.com", "https://mojobiden.com", "http://mojobiden.com"], "LOGON_USERS_INFORMATION": ["aheisler@hhcp.com:120Heisler", "dsmith@hhcp.com:Tesla2019", "administrator@hhcp.com:iteam8**"], "RANSOM_NOTE": " ~+ \r\n * +\r\n ' BLACK |\r\n () .-.,='``'=. - o - \r\n '=/_ \\ | \r\n * | '=._ | \r\n \\ `=./`, ' \r\n . '=.__.=' `=' *\r\n + Matter +\r\n O * ' .\r\n\r\n>>> What happens?\r\n Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver.\r\n We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.\r\n\r\n>>> What guarantees? \r\n We are not a politically motivated group and we do not need anything other than your money. \r\n If you pay, we will provide you the programs for decryption and we will delete your data. \r\n If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. \r\n We always keep our promises.\r\n\r\n>> Data leak includes\r\n1. Full emloyeers personal data\r\n2. Network information\r\n3. Schemes of buildings, active project information, architect details and contracts, \r\n4. Finance info\r\n\r\n\r\n>>> How to contact with us? \r\n 1. Download and install TOR Browser (https://www.torproject.org/).\r\n 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.\r\n \r\n>>> Warning! Recovery recommendations. \r\n We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them."}
Multi AV Scanner detection for submitted file
Source: GlLHM7paoZ.exe Virustotal: Detection: 86%
Source: GlLHM7paoZ.exe Metadefender: Detection: 77%
Source: GlLHM7paoZ.exe ReversingLabs: Detection: 92%
Antivirus / Scanner detection for submitted sample
Source: GlLHM7paoZ.exe Avira: detected
Multi AV Scanner detection for domain / URL
Source: paymenthacks.com Virustotal: Detection: 15%
Source: mojobiden.com Virustotal: Detection: 14%
Source: ww25.paymenthacks.com Virustotal: Detection: 7%
Machine Learning detection for sample
Source: GlLHM7paoZ.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.GlLHM7paoZ.exe.10f0000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.GlLHM7paoZ.exe.10f0000.0.unpack Avira: Label: TR/Crypt.EPACK.Gen2

Compliance:

Uses 32bit PE files
Source: GlLHM7paoZ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Videos\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Searches\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Saved Games\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Recent\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Pictures\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Pictures\Camera Roll\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\OneDrive\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Music\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Links\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Favorites\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Favorites\Links\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Downloads\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\ZQIXMVQGAH\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\QNCYCDFIJJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\QCFWYSKMHA\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\PIVFAGEAAV\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\NWCXBPIUYI\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\LFOPODGVOH\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\JDDHMPCDUJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\GIGIYTFFYT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\GAOBCVIQIJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\DUUDTUBZFW\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\BNAGMGSPLO\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\BJZFPPWAPT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\QNCYCDFIJJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\QCFWYSKMHA\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\PIVFAGEAAV\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\NWCXBPIUYI\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\LFOPODGVOH\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\JDDHMPCDUJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\GIGIYTFFYT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\GAOBCVIQIJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\DUUDTUBZFW\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\BNAGMGSPLO\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\BJZFPPWAPT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Contacts\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\3D Objects\kVuoJyeoW.README.txt
Source: unknown HTTPS traffic detected: 103.224.212.222:443 -> 192.168.2.3:49755 version: TLS 1.2
Source: GlLHM7paoZ.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F5928 FindFirstFileW,LoadLibraryW,FindNextFileW,FindClose, 0_2_010F5928
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010FBF33 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose, 0_2_010FBF33
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F6BBF FindFirstFileExW,GetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 0_2_010F6BBF
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F6A11 FindFirstFileExW,FindNextFileW, 0_2_010F6A11
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F6AE4 FindFirstFileExW,FindClose, 0_2_010F6AE4
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F8BB4 GetLogicalDriveStringsW, 0_2_010F8BB4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033635 ET TROJAN BlackMatter CnC Domain in DNS Lookup (paymenthacks .com) 192.168.2.3:51143 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2033635 ET TROJAN BlackMatter CnC Domain in DNS Lookup (paymenthacks .com) 192.168.2.3:56009 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2033636 ET TROJAN BlackMatter CnC Domain in DNS Lookup (mojobiden .com) 192.168.2.3:59026 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2033636 ET TROJAN BlackMatter CnC Domain in DNS Lookup (mojobiden .com) 192.168.2.3:49572 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2033636 ET TROJAN BlackMatter CnC Domain in DNS Lookup (mojobiden .com) 192.168.2.3:52130 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2033636 ET TROJAN BlackMatter CnC Domain in DNS Lookup (mojobiden .com) 192.168.2.3:55102 -> 8.8.8.8:53
Found Tor onion address
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp String found in binary or memory: 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.
Source: kVuoJyeoW.README.txt7.0.dr String found in binary or memory: 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.59.242.153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: GlLHM7paoZ.exe, 00000000.00000003.356398285.00000000012FB000.00000004.00000001.sdmp String found in binary or memory: http://mojobiden.com/?wFdsAo=m8SxzzJYA8Cye0ZuIp&IIu7qt4s=9vaqCkIU&P0rY85r3g=3yWBtmW9ThsVHLPvT&NIzLa=
Source: GlLHM7paoZ.exe, 00000000.00000003.356795940.0000000001354000.00000004.00000001.sdmp, GlLHM7paoZ.exe, 00000000.00000003.342688022.0000000001354000.00000004.00000001.sdmp String found in binary or memory: http://mojobiden.com/?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&mi3f
Source: GlLHM7paoZ.exe, 00000000.00000003.356795940.0000000001354000.00000004.00000001.sdmp String found in binary or memory: http://paymenthacks.com/?wFdsAo=m8SxzzJYA8Cye0ZuIp&IIu7qt4s=9vaqCkIU&P0rY85r3g=3yWBtmW9ThsVHLPvT&NIz
Source: GlLHM7paoZ.exe, 00000000.00000003.356398285.00000000012FB000.00000004.00000001.sdmp String found in binary or memory: http://paymenthacks.com/?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&m
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp, kVuoJyeoW.README.txt7.0.dr String found in binary or memory: http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp String found in binary or memory: http://ww25.paymenthacks.com/
Source: GlLHM7paoZ.exe, 00000000.00000003.356398285.00000000012FB000.00000004.00000001.sdmp, GlLHM7paoZ.exe, 00000000.00000002.359922754.00000000012F6000.00000004.00000020.sdmp String found in binary or memory: http://ww25.paymenthacks.com/?wFdsAo=m8SxzzJYA8Cye0ZuIp&IIu7qt4s=9vaqCkIU&P0rY85r3g=3yWBtmW9ThsVHLPv
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp, GlLHM7paoZ.exe, 00000000.00000003.356398285.00000000012FB000.00000004.00000001.sdmp, GlLHM7paoZ.exe, 00000000.00000002.359922754.00000000012F6000.00000004.00000020.sdmp, GlLHM7paoZ.exe, 00000000.00000002.359911192.00000000012DE000.00000004.00000020.sdmp, GlLHM7paoZ.exe, 00000000.00000003.279363599.00000000012F3000.00000004.00000001.sdmp, GlLHM7paoZ.exe, 00000000.00000003.342654946.00000000012FE000.00000004.00000001.sdmp String found in binary or memory: http://ww25.paymenthacks.com/?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp String found in binary or memory: http://ww25.paymenthacks.com/u
Source: GlLHM7paoZ.exe, 00000000.00000003.356795940.0000000001354000.00000004.00000001.sdmp String found in binary or memory: https://mojobiden.com/
Source: GlLHM7paoZ.exe, 00000000.00000003.356398285.00000000012FB000.00000004.00000001.sdmp String found in binary or memory: https://mojobiden.com/?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&mi3
Source: GlLHM7paoZ.exe, 00000000.00000002.359911192.00000000012DE000.00000004.00000020.sdmp String found in binary or memory: https://mojobiden.com/ments
Source: GlLHM7paoZ.exe, 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp, kVuoJyeoW.README.txt7.0.dr String found in binary or memory: https://www.torproject.org/).
Source: unknown HTTP traffic detected: POST /?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&mi3fju3=SkxeAp3EGyy3E&fGep=oo79la8IfpgF2Pf&Ktpuhpgn=2pQNXS3RarpD2S&lzLC=HEaimaSUBS3zw0nFsZL&MNg=HhbZ8eK HTTP/1.1
  Accept: */*
  Connection: keep-alive
  Accept-Encoding: gzip, deflate, br
  Content-Type: text/plain
  User-Agent: Chrome/91.0.4472.77
  Host: paymenthacks.com
  Content-Length: 816
  Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: paymenthacks.com
Source: global traffic HTTP traffic detected: GET /?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&mi3fju3=SkxeAp3EGyy3E&fGep=oo79la8IfpgF2Pf&Ktpuhpgn=2pQNXS3RarpD2S&lzLC=HEaimaSUBS3zw0nFsZL&MNg=HhbZ8eK&subid1=20211024-1821-244d-afd2-7f2406ac953a HTTP/1.1
  Accept: */*
  Connection: keep-alive
  Accept-Encoding: gzip, deflate, br
  User-Agent: Chrome/91.0.4472.77
  Cache-Control: no-cache
  Host: ww25.paymenthacks.com
  Cookie: __tad=1635060084.7055840
Source: global traffic HTTP traffic detected: GET /?ztYdx0Q=9Jh2L4nBPBJechaF7&aLz8nwiFC=fVBFCEdqrnS06Ab&ZaNSaGgG3=maO6bGG6LAg&mi3fju3=SkxeAp3EGyy3E&fGep=oo79la8IfpgF2Pf&Ktpuhpgn=2pQNXS3RarpD2S&lzLC=HEaimaSUBS3zw0nFsZL&MNg=HhbZ8eK&subid1=20211024-1821-245b-b16a-e897805eb3ba HTTP/1.1
  Accept: */*
  Connection: keep-alive
  Accept-Encoding: gzip, deflate, br
  User-Agent: Chrome/91.0.4472.77
  Cache-Control: no-cache
  Host: ww25.paymenthacks.com
  Cookie: __tad=1635060084.7055840; parking_session=68cbdd23-a819-2e99-a6ef-bf61faaacfaf
Source: global traffic HTTP traffic detected: GET /?wFdsAo=m8SxzzJYA8Cye0ZuIp&IIu7qt4s=9vaqCkIU&P0rY85r3g=3yWBtmW9ThsVHLPvT&NIzLa=KKD&Ww7uium=7kQVlcMRI0lz9zF5N&EOj3TrEzg=uXPRgqL6AtVMT&jOg2Kq=KbU1&OJqem=QGXs&Thxw591w=7AzVv38Ty&3Kwha=7J4&3JE702D5H=wVwVW&xj6Km=eIvB77L1DiRICecfvT&rn2cJrZbK=y6u&Wl1Wj=VXl8HkHvD8h6WgygV&jiC4MKl=PC3nWpKyNJUHfNNY&YdDNI5U=qZiZI0BeoLfimdx&DjiEcu=20b4Hh8Ch5v&tz2REARJ=zwNqtxhKtQaEpGWtM&subid1=20211024-1821-5994-88c3-3f09ef5a5c59 HTTP/1.1
  Accept: */*
  Connection: keep-alive
  Accept-Encoding: gzip, deflate, br
  User-Agent: AppleWebKit/587.38 (KHTML, like Gecko)
  Cache-Control: no-cache
  Host: ww25.paymenthacks.com
  Cookie: __tad=1635060084.7055840; parking_session=68cbdd23-a819-2e99-a6ef-bf61faaacfaf
Source: global traffic HTTP traffic detected: GET /?wFdsAo=m8SxzzJYA8Cye0ZuIp&IIu7qt4s=9vaqCkIU&P0rY85r3g=3yWBtmW9ThsVHLPvT&NIzLa=KKD&Ww7uium=7kQVlcMRI0lz9zF5N&EOj3TrEzg=uXPRgqL6AtVMT&jOg2Kq=KbU1&OJqem=QGXs&Thxw591w=7AzVv38Ty&3Kwha=7J4&3JE702D5H=wVwVW&xj6Km=eIvB77L1DiRICecfvT&rn2cJrZbK=y6u&Wl1Wj=VXl8HkHvD8h6WgygV&jiC4MKl=PC3nWpKyNJUHfNNY&YdDNI5U=qZiZI0BeoLfimdx&DjiEcu=20b4Hh8Ch5v&tz2REARJ=zwNqtxhKtQaEpGWtM&subid1=20211024-1822-00f0-90ca-3541d116f917 HTTP/1.1
  Accept: */*
  Connection: keep-alive
  Accept-Encoding: gzip, deflate, br
  User-Agent: AppleWebKit/587.38 (KHTML, like Gecko)
  Cache-Control: no-cache
  Host: ww25.paymenthacks.com
  Cookie: __tad=1635060084.7055840; parking_session=68cbdd23-a819-2e99-a6ef-bf61faaacfaf
Source: unknown HTTPS traffic detected: 103.224.212.222:443 -> 192.168.2.3:49755 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
Source: C:\Users\user\Videos\kVuoJyeoW.README.txt Dropped file: ~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' .>>> What happens? Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.>>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.>> Data leak includes1. Full emloyeers personal data2. Network information3. Schemes of buildings, active project information, architect details and contracts, 4. Finance info>>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
Yara detected BLACKMatter Ransomware
Source: Yara match File source: 00000000.00000003.279368947.00000000012FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.279421242.00000000012FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.359933097.00000000012FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: GlLHM7paoZ.exe PID: 4540, type: MEMORYSTR
Changes the wallpaper picture
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\kVuoJyeoW.bmp
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File moved: C:\Users\user\Desktop\QCFWYSKMHA\BNAGMGSPLO.xlsx
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ\EFOYFBOLXA.jpg
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File moved: C:\Users\user\Desktop\EWZCVGNOWT.png
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File moved: C:\Users\user\Desktop\BNAGMGSPLO.jpg
Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File dropped: C:\Users\user\Videos\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File dropped: C:\Users\user\Saved Games\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File dropped: C:\Users\user\Desktop\LSBIHQFDVT\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File dropped: C:\Users\user\Searches\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File dropped: C:\Users\user\Documents\PIVFAGEAAV\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File dropped: C:\Users\user\Desktop\QCFWYSKMHA\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File dropped: C:\Users\user\Documents\DUUDTUBZFW\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File dropped: C:\Users\user\Documents\GIGIYTFFYT\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File dropped: C:\Users\user\Desktop\BNAGMGSPLO\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File dropped: C:\Users\user\Contacts\kVuoJyeoW.README.txt -> decryptor for the entire network and you will restore all the data.>>> what guarantees? we are not a politically motivated group and we do not need anything other than your money. if you pay, we will provide you the programs for decryption and we will delete your data. if we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. we always keep our promises.>> data leak includes1. full emloyeers personal data2. network information3. schemes of buildings, active project information, architect details and contracts, 4. finance info>>> how to contact with us? 1. download and install tor browser (https://www.torproject.org/). 2. open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7nt6lxkc1xqhw5039blov. >>> warning! recovery recommendations. we strongly recommend you to do not modify or repair your files, that will damage them.

System Summary:

Malicious sample detected (through community Yara rule)
Source: GlLHM7paoZ.exe, type: SAMPLE Matched rule: Detect BlackMatter ransomware Author: Arkbird_SOLG
Source: 0.2.GlLHM7paoZ.exe.10f0000.0.unpack, type: UNPACKEDPE Matched rule: Detect BlackMatter ransomware Author: Arkbird_SOLG
Source: 0.0.GlLHM7paoZ.exe.10f0000.0.unpack, type: UNPACKEDPE Matched rule: Detect BlackMatter ransomware Author: Arkbird_SOLG
Uses 32bit PE files
Source: GlLHM7paoZ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: GlLHM7paoZ.exe, type: SAMPLE Matched rule: RAN_BlackMatter_Aug_2021_1 date = 2021-08-02, hash2 = 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984, hash1 = 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6, level = Experimental, author = Arkbird_SOLG, description = Detect BlackMatter ransomware, adversary = -, reference = https://twitter.com/abuse_ch/status/1421834305416933376, tlp = white
Source: 0.2.GlLHM7paoZ.exe.10f0000.0.unpack, type: UNPACKEDPE Matched rule: RAN_BlackMatter_Aug_2021_1 date = 2021-08-02, hash2 = 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984, hash1 = 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6, level = Experimental, author = Arkbird_SOLG, description = Detect BlackMatter ransomware, adversary = -, reference = https://twitter.com/abuse_ch/status/1421834305416933376, tlp = white
Source: 0.0.GlLHM7paoZ.exe.10f0000.0.unpack, type: UNPACKEDPE Matched rule: RAN_BlackMatter_Aug_2021_1 date = 2021-08-02, hash2 = 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984, hash1 = 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6, level = Experimental, author = Arkbird_SOLG, description = Detect BlackMatter ransomware, adversary = -, reference = https://twitter.com/abuse_ch/status/1421834305416933376, tlp = white
Detected potential crypto function
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F51E8 0_2_010F51E8
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F207C 0_2_010F207C
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F4CD8 0_2_010F4CD8
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F4CD3 0_2_010F4CD3
Contains functionality to call native functions
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F890B CreateThread,ResumeThread,GetExitCodeThread,NtClose, 0_2_010F890B
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F9F23 RegCreateKeyExW,RegQueryValueExW,NtClose, 0_2_010F9F23
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F7F4C NtClose, 0_2_010F7F4C
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F9554 NtSetInformationProcess,NtSetInformationProcess, 0_2_010F9554
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F8766 NtSetInformationThread, 0_2_010F8766
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F6393 NtQueryInformationToken, 0_2_010F6393
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010FB790 CreateThread,NtClose, 0_2_010FB790
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F73C1 NtQuerySystemInformation, 0_2_010F73C1
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F6245 RegCreateKeyExW,RegQueryValueExW,NtClose, 0_2_010F6245
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F9494 NtQueryInformationToken, 0_2_010F9494
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F7EA7 NtQuerySystemInformation, 0_2_010F7EA7
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F92E1 NtSetInformationThread, 0_2_010F92E1
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F73F3 NtQuerySystemInformation, 0_2_010F73F3
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F740C NtQuerySystemInformation, 0_2_010F740C
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F7EE0 NtQuerySystemInformation, 0_2_010F7EE0
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F7EF9 NtQuerySystemInformation, 0_2_010F7EF9
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F8DC6: FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl, 0_2_010F8DC6
Enables security privileges
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Process token adjusted: Security
Source: GlLHM7paoZ.exe Static PE information: Section: .rsrc ZLIB complexity 0.990792410714
Source: GlLHM7paoZ.exe Virustotal: Detection: 86%
Source: GlLHM7paoZ.exe Metadefender: Detection: 77%
Source: GlLHM7paoZ.exe ReversingLabs: Detection: 92%
Source: GlLHM7paoZ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\kVuoJyeoW.README.txt
Source: classification engine Classification label: mal100.rans.evad.winEXE@1/176@6/2
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F8C6E GetDiskFreeSpaceExW, 0_2_010F8C6E
Source: GlLHM7paoZ.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\d2c777569925c4c22958338e72708f92
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: GlLHM7paoZ.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: GlLHM7paoZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F353B push 0000006Ah; retf 0_2_010F3614
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F35A5 push 0000006Ah; retf 0_2_010F3614
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F35A3 push 0000006Ah; retf 0_2_010F3614
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F57A7 LoadLibraryA,GetProcAddress, 0_2_010F57A7
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Videos\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Searches\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Saved Games\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Recent\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Pictures\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Pictures\Camera Roll\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\OneDrive\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Music\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Links\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Favorites\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Favorites\Links\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Downloads\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\ZQIXMVQGAH\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\QNCYCDFIJJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\QCFWYSKMHA\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\PIVFAGEAAV\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\NWCXBPIUYI\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\LFOPODGVOH\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\JDDHMPCDUJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\GIGIYTFFYT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\GAOBCVIQIJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\DUUDTUBZFW\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\BNAGMGSPLO\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Documents\BJZFPPWAPT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\QNCYCDFIJJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\QCFWYSKMHA\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\PIVFAGEAAV\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\NWCXBPIUYI\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\LFOPODGVOH\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\JDDHMPCDUJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\GIGIYTFFYT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\GAOBCVIQIJ\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\DUUDTUBZFW\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\BNAGMGSPLO\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Desktop\BJZFPPWAPT\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\Contacts\kVuoJyeoW.README.txt
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File created: C:\Users\user\3D Objects\kVuoJyeoW.README.txt

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F1014 0_2_010F1014
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F1014 rdtsc 0_2_010F1014
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F5928 FindFirstFileW,LoadLibraryW,FindNextFileW,FindClose, 0_2_010F5928
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010FBF33 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose, 0_2_010FBF33
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F6BBF FindFirstFileExW,GetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 0_2_010F6BBF
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F6A11 FindFirstFileExW,FindNextFileW, 0_2_010F6A11
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F6AE4 FindFirstFileExW,FindClose, 0_2_010F6AE4
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F8BB4 GetLogicalDriveStringsW, 0_2_010F8BB4
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe File Volume queried: C:\ FullSizeInformation
Source: GlLHM7paoZ.exe, 00000000.00000002.359911192.00000000012DE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: GlLHM7paoZ.exe, 00000000.00000002.359911192.00000000012DE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW* 7-WFP Native MAC Layer LightWeight Filter-0000

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Thread information set: HideFromDebugger
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F57A7 LoadLibraryA,GetProcAddress, 0_2_010F57A7
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F1014 rdtsc 0_2_010F1014
Enables debug privileges
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F5F98 mov eax, dword ptr fs:[00000030h] 0_2_010F5F98
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010FB790 mov ebx, dword ptr fs:[00000030h] 0_2_010FB790
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F5FB3 mov eax, dword ptr fs:[00000030h] 0_2_010F5FB3
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F5FCE mov eax, dword ptr fs:[00000030h] 0_2_010F5FCE
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F581D mov eax, dword ptr fs:[00000030h] 0_2_010F581D
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F153E mov eax, dword ptr fs:[00000030h] 0_2_010F153E
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F155E mov eax, dword ptr fs:[00000030h] 0_2_010F155E
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F6983 mov eax, dword ptr fs:[00000030h] 0_2_010F6983
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F95D6 mov ebx, dword ptr fs:[00000030h] 0_2_010F95D6
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F163A mov eax, dword ptr fs:[00000030h] 0_2_010F163A
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F1647 mov eax, dword ptr fs:[00000030h] 0_2_010F1647
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F82BF mov eax, dword ptr fs:[00000030h] 0_2_010F82BF

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F85C8 LogonUserW, 0_2_010F85C8

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F1014 cpuid 0_2_010F1014
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\GlLHM7paoZ.exe Code function: 0_2_010F8841 GetUserNameW, 0_2_010F8841