Windows Analysis Report ab.bin

Overview

General Information

Sample Name: ab.bin (renamed file extension from bin to exe)
Analysis ID: 548854
MD5: 0b486fe0503524cfe4726a4022fa6a68
SHA1: 297dea71d489768ce45d23b0f8a45424b469ab00
SHA256: 1228d0f04f0ba82569fc1c0609f9fd6c377a91b9ea44c1e7f9f84b2b90552da2
Infos:

Most interesting Screenshot:

Detection

Avaddon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Avaddon Ransomware
Found ransom note / readme
Antivirus / Scanner detection for submitted sample
Yara detected RansomwareGeneric
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Copying Sensitive Files with Credential Data
Yara detected PersistenceViaHiddenTask
Spreads via windows shares (copies files to share folders)
Creates processes via WMI
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Machine Learning detection for dropped file
Deletes shadow drive data (may be related to ransomware)
Disables UAC (registry)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates COM task schedule object (often to register a task for autostart)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: ab.exe Virustotal: Detection: 88% Perma Link
Source: ab.exe Metadefender: Detection: 65% Perma Link
Source: ab.exe ReversingLabs: Detection: 96%
Antivirus / Scanner detection for submitted sample
Source: ab.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Avira: detection malicious, Label: HEUR/AGEN.1136765
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Virustotal: Detection: 88% Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Metadefender: Detection: 65% Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: ab.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01304E30 CryptReleaseContext, 2_2_01304E30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01309150 CryptEncrypt, 2_2_01309150
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_013091A0 CryptDestroyKey,CryptReleaseContext, 2_2_013091A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0130A050 CryptExportKey, 2_2_0130A050
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0130A0A0 CryptEncrypt, 2_2_0130A0A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0130A0E0 CryptExportKey, 2_2_0130A0E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01309BE0 CryptAcquireContextW,CryptGenKey,CryptDestroyKey,CryptReleaseContext, 2_2_01309BE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01308BC0 CryptAcquireContextW,CryptGenKey,GetFileAttributesW,SetFileAttributesW,CreateFileW,CloseHandle,CloseHandle,CryptDestroyKey,CryptReleaseContext, 2_2_01308BC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01309A90 CryptAcquireContextW,GetLastError,CryptAcquireContextW, 2_2_01309A90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01309AF0 CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree, 2_2_01309AF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01310C10 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDuplicateKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 2_2_01310C10

Compliance:

barindex
Uses 32bit PE files
Source: ab.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Desktop\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Desktop\GAOBCVIQIJ\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Desktop\QNCYCDFIJJ\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Documents\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Documents\GAOBCVIQIJ\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Documents\LSBIHQFDVT\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Documents\QNCYCDFIJJ\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Downloads\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Favorites\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Searches\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt Jump to behavior
Source: ab.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading:

barindex
Spreads via windows shares (copies files to share folders)
Source: C:\Users\user\Desktop\ab.exe File created: Z:\$RECYCLE.BIN Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002 Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: Z:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini Jump to behavior
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\Desktop\ab.exe File opened: z: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: x: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: v: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: t: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: r: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: p: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: n: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: l: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: j: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: h: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: f: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: b: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: y: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: w: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: u: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: s: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: q: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: o: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: m: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: k: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: i: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: g: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: e: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: c: Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File opened: a: Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0130D280 FindFirstFileW,FindNextFileW,FindClose, 2_2_0130D280
Source: ab.exe, 00000000.00000003.332133858.00000000043E8000.00000004.00000010.sdmp String found in binary or memory: https://www.torproject.o
Source: ab.exe, 00000000.00000003.317616341.00000000043E9000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.327252185.00000000043E9000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.330084919.00000000043E9000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.324632117.00000000043E9000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.317257973.00000000043E8000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.316985824.00000000043E8000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.321019974.0000000004DB7000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.321639243.0000000004DB7000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.321699591.0000000004DB8000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.316551039.00000000043E8000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.321142835.0000000004DB7000.00000004.00000010.sdmp, ab.exe, 00000000.00000003.336845609.000000000083D000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.324338080.000000000083D000.00000004.00000001.sdmp, uCLrcwQ_readme_.txt8.0.dr, uCLrcwQ_readme_.txt.0.dr, uCLrcwQ_readme_.txt5.0.dr, uCLrcwQ_readme_.txt10.0.dr, uCLrcwQ_readme_.txt9.0.dr, uCLrcwQ_readme_.txt4.0.dr, uCLrcwQ_readme_.txt2.0.dr, uCLrcwQ_readme_.txt6.0.dr, uCLrcwQ_readme_.txt1.0.dr, uCLrcwQ_readme_.txt7.0.dr, uCLrcwQ_readme_.txt0.0.dr, uCLrcwQ_readme_.txt3.0.dr String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands:

barindex
Yara detected Avaddon Ransomware
Source: Yara match File source: 00000000.00000003.317257973.00000000043E8000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.316985824.00000000043E8000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.321019974.0000000004DB7000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.438770513.0000000001537000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.321639243.0000000004DB7000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.321666234.0000000004DB7000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.309597830.000000000069A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.316551039.00000000043E8000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.317170385.00000000043E8000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.321142835.0000000004DB7000.00000004.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.336845609.000000000083D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.324338080.000000000083D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ab.exe PID: 6212, type: MEMORYSTR
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Source: Yara match File source: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt, type: DROPPED
Found ransom note / readme
Source: C:\Users\user\Documents\QNCYCDFIJJ\uCLrcwQ_readme_.txt Dropped file: -------=== Your network has been infected! ===-------***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************All your documents, photos, databases and other important files have been encrypted and have the extension: .bCcBDeabeaYou are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!We have also downloaded a lot of private data from your network.If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.You can get more information on our page, which is located in a Tor hidden network.How to get to our page--------------------------------------------------------------------------------|| 1. Download Tor browser - https://www.torproject.org/|| 2. Install Tor browser|| 3. Open link in Tor browser - avaddonbotrxmuyl.onion|| 4. Follow the instructions on this page|--------------------------------------------------------------------------------Your ID:--------------------------------------------------------------------------------MjY2NC15cjBHSlJ4UGYzSSswd3dmWWIvallTUUxZNVlOR1dlWE9mOGFoaEloMk9wdVIwTkNJREp2L2FwQ3NOOWU3Ty9CcUxGMW9nSlZTMmNkNjk1bFdCTU1HcVhGTml1REo3Rkl3dDAwcERtVitycTcvNS9mZTE4QWJEOENHWDI3UjlrQVM2TkFuWmkydjd5NXRnNmtiK0NObndndEoyODRVanhXU2kwREhBb1BCYnZkL25jT3hTWWtkTTVhR1M5eFFpdTRzR0I2ZTllZXVQNXU5V3lVb1kybHdsTmhKKys3MjF3TDNsVnlnNno0Q2pZQ0RPYmhVOEtRTWxVZ2ZrYmdtazdXMkl5aUZrV0pqSlFsNVMzY25XY08yK1h1a2t5RlRQNG1FVzV6R3V3aHVSN09lbldlaVlmbzRKaUVUVTE2dnNzdTJ6TGRKY2dSODR0VCtOdllaOVVzdkwrNjBld1RUeTVKWmZtODd6Kyt5SjVxYjVFZGJqbnU5VTZCUjVrNUU1cmdXU2ZtMkVmRFNJdmswc1hHOWRNZE1ydHJ5ODM5NDVmRHlBVGxmM3pydFVSN2k1UDIzTzB1dnBWVDRsVy9CbmQ0aUVCYnVZWnFwWGJ6WmZhdTZRYnNlaXl1YXJkKzdLWjBxajdRMW5FWkN5enFaR09zNXlaL3VKY2EyTW5QVUFlMEZ3YnRjNzlQUngwYmg3L1BLc2xpc1NnZmxNdUxHY1o0NDJKVWhTRGxOTG11SkYwclp3WnRKNTBHWWhUUmIrdG0rR3EramdMSUdZUHFNTmhuSHZHMW0vTDRlK2R0YVRtcTY1bUhTOXZjUjZZbVNwenJwY1ZhdGFudG94QzRINGpvb0ZvMTlWRDU1QXZ0V3VqZWhmOHpTNERORGZncHN0L04wNzBCbEhyam9oSENsRmRHdS9ZandPZ3ZnYmI0UTJlU0hTTnNoMndrbnZ0MkZyWjAvcllWcm45MkhaQnlMM01TRi9vNUJhSFBTYU0wMkpXVFdJSlNDV0hWNWFMdmJtU05sU05LQ1lOVVVtMzRMY3crWFYwSUVyU2FRZXVqQWo3MG1GcmovdFlIZmhkSU9CQzV5bExwbnQwOUxscnFXVmJmUGl0dHNvSXBxOGY1amFpZzM5dndwOHI1TmVpTTJxRXJnNTNINkJFN1BWZWl6eEFHNXFHRlVDeXhIMVI2bE12aCtaTGt0SGh6ZlIraDhUT3Frb2gwbkdVYVloTEJnU3hxekI4MjJLaUFiZTdBN0kycWFxb2NkOXJ4bitKdjltOHJ5ZU1ZZzlLQVI3bzVEVWdKZzdFNVNXL0FKb29HWDhnN2JNekRpUjZLN2FMZEt4REg3UGQ3UTVtVlZId3hlWFkzUjQ1ZkFVbytXMjdaaE8wRy82M2Y2SjlnM3lxejdNVVN1Z2h1cld2OGxlMUpzVWw0eUgvTkFGM2o1eU9KdUw4Ync0Y0ZPdUZZV2VkVzdpTGtCaXV0MGQ4VjIweXpEU1lqaDNrMUNuYnlINUJ5dWwvOUR4YnBtZWxMM2tCMDRIWkhhY2MybTNsY3hoU0g2T3lkbkUydW1idXJyR2dWNWJaS21IT1VpdCtNdUYx Jump to dropped file
Yara detected RansomwareGeneric
Source: Yara match File source: Process Memory Space: ab.exe PID: 6212, type: MEMORYSTR
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\ab.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File deleted: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File moved: C:\Users\user\Desktop\QNCYCDFIJJ\EFOYFBOLXA.jpg Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File deleted: C:\Users\user\Desktop\QNCYCDFIJJ\EFOYFBOLXA.jpg Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File moved: C:\Users\user\Desktop\BNAGMGSPLO.jpg Jump to behavior
Deletes shadow drive data (may be related to ransomware)
Source: unknown Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: unknown Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: unknown Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet Jump to behavior
Source: vssadmin.exe, 00000010.00000002.285725415.00000000034C7000.00000004.00000020.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005468- TID: 00005608- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: vssadmin.exe, 00000010.00000002.285725415.00000000034C7000.00000004.00000020.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005468- TID: 00005608- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 n
Source: vssadmin.exe, 00000010.00000002.284948508.0000000001340000.00000004.00000040.sdmp Binary or memory string: vssadminDeleteShadows/All/QuietO1R
Source: vssadmin.exe, 00000010.00000002.285712990.00000000034C0000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinSta0\DefaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=FENIVHOUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowso
Source: vssadmin.exe, 00000010.00000002.285712990.00000000034C0000.00000004.00000020.sdmp Binary or memory string: vssadmin Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000010.00000002.285712990.00000000034C0000.00000004.00000020.sdmp Binary or memory string: vssadmin Delete Shadows /All /Quiet'
Source: vssadmin.exe, 00000010.00000002.284764824.000000000107C000.00000004.00000001.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005468- TID: 00005608- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: vssadmin.exe, 00000010.00000002.284764824.000000000107C000.00000004.00000001.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005468- TID: 00005608- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
Source: vssadmin.exe, 00000019.00000002.291742139.0000000000CEC000.00000004.00000001.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00007608- TID: 00007612- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: vssadmin.exe, 00000019.00000002.291742139.0000000000CEC000.00000004.00000001.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00007608- TID: 00007612- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
Source: vssadmin.exe, 00000019.00000002.292512976.0000000003530000.00000004.00000040.sdmp Binary or memory string: vssadminDeleteShadows/All/Quiet
Source: vssadmin.exe, 00000019.00000002.291815635.0000000000DC0000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinSta0\Default
Source: vssadmin.exe, 0000001E.00000002.299021550.0000000000FD0000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /QuietC:\Windows\SYSTEM32\vssadmin.exeWinSta0\Default*
Source: vssadmin.exe, 0000001E.00000002.299334254.00000000035A0000.00000004.00000040.sdmp Binary or memory string: vssadminDeleteShadows/All/Quiet-
Source: vssadmin.exe, 0000001E.00000002.298998635.0000000000E3C000.00000004.00000001.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00007752- TID: 00007756- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: vssadmin.exe, 0000001E.00000002.298998635.0000000000E3C000.00000004.00000001.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00007752- TID: 00007756- CMD: vssadmin Delete Shadows /All /Quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002 -
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01309AF0 CryptStringToBinaryA,GetProcessHeap,HeapAlloc,CryptStringToBinaryA,CryptImportKey,GetProcessHeap,HeapFree, 2_2_01309AF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01310C10 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDuplicateKey,CryptEncrypt,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext, 2_2_01310C10

System Summary:

barindex
Uses 32bit PE files
Source: ab.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01315590 2_2_01315590
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0130ACE0 2_2_0130ACE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012F9180 2_2_012F9180
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01347A30 2_2_01347A30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01310430 2_2_01310430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FE4A0 2_2_012FE4A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01358C8F 2_2_01358C8F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0134A5EB 2_2_0134A5EB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01310610 2_2_01310610
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FAEE0 2_2_012FAEE0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: String function: 0132F1B6 appears 34 times
Sample file is different than original file name gathered from version info
Source: ab.exe, 00000000.00000003.274727314.0000000000823000.00000004.00000001.sdmp Binary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
Source: ab.exe, 00000000.00000000.271797098.000000000119C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
Source: ab.exe, 00000002.00000002.310784553.00000000013AC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
Source: ab.exe, 00000023.00000002.438717484.00000000013AC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
Source: ab.exe Binary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
Source: ab.exe.0.dr Binary or memory string: OriginalFilenametaskhost.exej% vs ab.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\ab.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Section loaded: cscapi.dll Jump to behavior
Contains functionality to delete services
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FBE70 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle, 2_2_012FBE70
Source: ab.exe Virustotal: Detection: 88%
Source: ab.exe Metadefender: Detection: 65%
Source: ab.exe ReversingLabs: Detection: 96%
Source: C:\Users\user\Desktop\ab.exe File read: C:\Users\user\Desktop\ab.exe Jump to behavior
Source: ab.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ab.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ab.exe "C:\Users\user\Desktop\ab.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
Source: unknown Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: unknown Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet
Source: C:\Windows\SysWOW64\vssadmin.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet
Source: C:\Windows\SysWOW64\vssadmin.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet
Source: C:\Windows\SysWOW64\vssadmin.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FB140 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,InitiateShutdownW, 2_2_012FB140
Source: C:\Users\user\Desktop\ab.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ab.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ab.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Jump to behavior
Source: classification engine Classification label: mal100.rans.spre.troj.evad.winEXE@27/228@0/0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FAB30 GetModuleFileNameW,CopyFileW,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,SysFreeString, 2_2_012FAB30
Source: C:\Users\user\Desktop\ab.exe File read: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01312230 GetDiskFreeSpaceW, 2_2_01312230
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FBE00 OpenSCManagerW,OpenServiceW,StartServiceW,CloseServiceHandle, 2_2_012FBE00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FA970 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,CloseHandle, 2_2_012FA970
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1756:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_01
Source: C:\Users\user\Desktop\ab.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{A86668A3-8F20-41F3-97D1-676B2AD6ADF7}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
Source: C:\Users\user\Desktop\ab.exe File written: C:\$RECYCLE.BIN\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini Jump to behavior
Source: ab.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ab.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ab.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ab.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ab.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ab.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ab.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: ab.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ab.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ab.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ab.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ab.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ab.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0132F190 push ecx; ret 2_2_0132F1A3

Persistence and Installation Behavior:

barindex
Yara detected PersistenceViaHiddenTask
Source: Yara match File source: 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ab.exe PID: 6212, type: MEMORYSTR
Creates processes via WMI
Source: C:\Users\user\Desktop\ab.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ab.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ab.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Drops PE files
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Jump to dropped file
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Desktop\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Desktop\GAOBCVIQIJ\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Desktop\QNCYCDFIJJ\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Documents\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Documents\GAOBCVIQIJ\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Documents\LSBIHQFDVT\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Documents\QNCYCDFIJJ\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Downloads\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Favorites\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\user\Searches\uCLrcwQ_readme_.txt Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File created: C:\Users\Public\Libraries\uCLrcwQ_readme_.txt Jump to behavior

Boot Survival:

barindex
Yara detected PersistenceViaHiddenTask
Source: Yara match File source: 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ab.exe PID: 6212, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FBE00 OpenSCManagerW,OpenServiceW,StartServiceW,CloseServiceHandle, 2_2_012FBE00

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe API coverage: 8.4 %
Source: C:\Users\user\Desktop\ab.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0130A220 GetSystemInfo, 2_2_0130A220
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0130D280 FindFirstFileW,FindNextFileW,FindClose, 2_2_0130D280
Source: C:\Users\user\Desktop\ab.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: ab.exe, 00000000.00000003.274696444.00000000007F7000.00000004.00000001.sdmp Binary or memory string: ??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp Binary or memory string: VMwareHostd,l
Source: ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp Binary or memory string: VMnetDHCPhlW
Source: ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp Binary or memory string: VMnetDHCP
Source: ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp Binary or memory string: VMwareHostdSll
Source: ab.exe, 00000000.00000003.313647410.0000000000828000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FA100 IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentThread,GetThreadContext, 2_2_012FA100
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FA100 IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentThread,GetThreadContext, 2_2_012FA100
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_012FC0AA GetProcessHeap,HeapFree, 2_2_012FC0AA
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_013565AB mov eax, dword ptr fs:[00000030h] 2_2_013565AB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_013565EF mov eax, dword ptr fs:[00000030h] 2_2_013565EF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01352C19 mov eax, dword ptr fs:[00000030h] 2_2_01352C19
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ab.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0132EAEB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0132EAEB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0134950E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0134950E

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic SHADOWCOPY DELETE /nointeractive Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Process created: C:\Windows\SysWOW64\vssadmin.exe vssadmin Delete Shadows /All /Quiet Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\EFOYFBOLXA.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\EEGWXUHVUG.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\EFOYFBOLXA.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\BNAGMGSPLO.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT\QCFWYSKMHA.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT\PWCCAWLGRE.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\EFOYFBOLXA.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\QCFWYSKMHA.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\EEGWXUHVUG.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ\SUAVTZKNFL.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT\GAOBCVIQIJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT\QNCYCDFIJJ.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT\LSBIHQFDVT.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT\ZQIXMVQGAH.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\QCFWYSKMHA.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\QCFWYSKMHA.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\EFOYFBOLXA.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\PALRGUCVEH.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\QNCYCDFIJJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\SQSJKEBWDT.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\SUAVTZKNFL.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\QNCYCDFIJJ\ZGGKNSUKOP.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\SUAVTZKNFL.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\SUAVTZKNFL.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\EFOYFBOLXA.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\BNAGMGSPLO.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\EEGWXUHVUG.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\EFOYFBOLXA.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ\BNAGMGSPLO.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ\EEGWXUHVUG.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ\GAOBCVIQIJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ\QCFWYSKMHA.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ\EFOYFBOLXA.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ\SUAVTZKNFL.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\LSBIHQFDVT\GAOBCVIQIJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\LSBIHQFDVT\LSBIHQFDVT.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\LSBIHQFDVT\PWCCAWLGRE.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\LSBIHQFDVT\QCFWYSKMHA.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\LSBIHQFDVT\SUAVTZKNFL.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\LSBIHQFDVT\ZQIXMVQGAH.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\PWCCAWLGRE.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\LSBIHQFDVT.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\PALRGUCVEH.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\QCFWYSKMHA.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\QCFWYSKMHA.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ\EFOYFBOLXA.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ\PALRGUCVEH.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ\QNCYCDFIJJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ\SQSJKEBWDT.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ\SUAVTZKNFL.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ\ZGGKNSUKOP.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\QNCYCDFIJJ.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\SQSJKEBWDT.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\SUAVTZKNFL.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\EFOYFBOLXA.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\SUAVTZKNFL.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\EFOYFBOLXA.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\BNAGMGSPLO.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\EEGWXUHVUG.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\ZQIXMVQGAH.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\PWCCAWLGRE.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\GAOBCVIQIJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\PALRGUCVEH.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\QCFWYSKMHA.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\QNCYCDFIJJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\QNCYCDFIJJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\GAOBCVIQIJ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\QCFWYSKMHA.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\SQSJKEBWDT.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\SUAVTZKNFL.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\SUAVTZKNFL.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\SUAVTZKNFL.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\ZGGKNSUKOP.mp3 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Downloads\ZQIXMVQGAH.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Favorites\Amazon.url VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Favorites\Bing.url VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Favorites\Facebook.url VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Favorites\Google.url VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Favorites\Live.url VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Favorites\NYTimes.url VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Favorites\Reddit.url VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Favorites\Twitter.url VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Favorites\Wikipedia.url VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Favorites\Youtube.url VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Searches\Everywhere.search-ms VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\user\Searches\Indexed Locations.search-ms VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ab.exe Queries volume information: C:\Users\Public\Libraries\RecordedTV.library-ms VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_0135E284
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW, 2_2_0132E899
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_0135EBE5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0135EA10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetLocaleInfoW, 2_2_0135628F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: EnumSystemLocalesW, 2_2_0135E526
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: EnumSystemLocalesW, 2_2_0135E571
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: EnumSystemLocalesW, 2_2_01355CD6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: GetLocaleInfoA, 2_2_01311F20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: EnumSystemLocalesW, 2_2_0135E60C
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_01306180 cpuid 2_2_01306180
Source: C:\Users\user\Desktop\ab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0132F938 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_0132F938
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\ab.exe Code function: 2_2_0135711A _free,_free,_free,GetTimeZoneInformation,_free, 2_2_0135711A

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Disables UAC (registry)
Source: C:\Users\user\Desktop\ab.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA Jump to behavior
AV process strings found (often used to terminate AV products)
Source: ab.exe, 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp Binary or memory string: RTVscan.exe
Source: ab.exe, 00000000.00000003.324241984.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.315481275.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.349826144.00000000007E5000.00000004.00000001.sdmp, ab.exe, 00000000.00000003.354766251.00000000007E5000.00000004.00000001.sdmp Binary or memory string: Defwatch.exe
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 548854 Sample: ab.bin Startdate: 06/01/2022 Architecture: WINDOWS Score: 100 51 Antivirus / Scanner detection for submitted sample 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Found ransom note / readme 2->55 57 7 other signatures 2->57 7 ab.exe 334 20 2->7         started        11 ab.exe 2->11         started        13 WMIC.exe 1 2->13         started        15 3 other processes 2->15 process3 file4 43 C:\Users\user\AppData\Roaming\...\ab.exe, PE32 7->43 dropped 45 C:\Users\user\...\uCLrcwQ_readme_.txt, ASCII 7->45 dropped 47 C:\Users\user\Desktop\...\QNCYCDFIJJ.docx, data 7->47 dropped 49 6 other files (4 malicious) 7->49 dropped 59 Deletes shadow drive data (may be related to ransomware) 7->59 61 Spreads via windows shares (copies files to share folders) 7->61 63 Disables UAC (registry) 7->63 73 2 other signatures 7->73 17 WMIC.exe 1 7->17         started        19 WMIC.exe 1 7->19         started        21 WMIC.exe 1 7->21         started        29 3 other processes 7->29 65 Antivirus detection for dropped file 11->65 67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 71 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->71 23 conhost.exe 13->23         started        25 conhost.exe 15->25         started        27 conhost.exe 15->27         started        signatures5 process6 process7 31 conhost.exe 17->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 conhost.exe 29->37         started        39 conhost.exe 29->39         started        41 conhost.exe 29->41         started       
No contacted IP infos