Windows Analysis Report
Presupuesto proyecto P3787-SHN Barcelona.pdf.exe

Overview

General Information

Sample Name: Presupuesto proyecto P3787-SHN Barcelona.pdf.exe
Analysis ID: 571748
MD5: 889ae401a3acc4f824065ac0f47143b5
SHA1: 6f81823927158edf53d6b08d2d38dab356cba70e
SHA256: 69186bb77f81edb9bcc66a0382fe00944e6dc67982d61d37d7f0d2e32e92d727
Tags: exe
Infos:

Detection

XpertRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Yara detected XpertRAT
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Initial sample is a PE file and has a suspicious name
Disables user account control notifications
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sigma detected: CurrentVersion Autorun Keys Modification
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Found large amount of non-executed APIs
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Contains functionality for read data from the clipboard

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Found malware configuration
Source: 13.0.iexplore.exe.400000.3.unpack Malware Configuration Extractor: XpertRAT {"C2 list": ["kapasky-antivirus.firewall-gateway.net:4000"], "Mutex": "U440R6D3-S1J8-T7X6-R224-O8V7P5X0L7L6", "Group": "Test", "Name": "Xpert", "Version": "3.0.10", "Password": "root"}
Antivirus detection for URL or domain
Source: kapasky-antivirus.firewall-gateway.net:4000 Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.0.iexplore.exe.400000.3.unpack Avira: Label: TR/Dropper.Gen
Source: 13.0.iexplore.exe.400000.4.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.onhaomfun.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 13.0.iexplore.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.onhaomfun.exe.400000.3.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 8.0.onhaomfun.exe.400000.2.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 8.0.onhaomfun.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.iexplore.exe.400000.2.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.onhaomfun.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.onhaomfun.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 13.2.iexplore.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.onhaomfun.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.iexplore.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.2.onhaomfun.exe.5d0000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.onhaomfun.exe.400000.1.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 8.0.onhaomfun.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.onhaomfun.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: onhaomfun.exe, 00000005.00000003.290649228.00000000024C0000.00000004.00000800.00020000.00000000.sdmp, onhaomfun.exe, 00000005.00000003.291143758.0000000002330000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: onhaomfun.exe, 00000005.00000003.290649228.00000000024C0000.00000004.00000800.00020000.00000000.sdmp, onhaomfun.exe, 00000005.00000003.291143758.0000000002330000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: kapasky-antivirus.firewall-gateway.net:4000
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SPD-NETTR SPD-NETTR
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49748 -> 212.193.30.119:4000
Source: Presupuesto proyecto P3787-SHN Barcelona.pdf.exe, Presupuesto proyecto P3787-SHN Barcelona.pdf.exe, 00000000.00000002.297886562.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Presupuesto proyecto P3787-SHN Barcelona.pdf.exe, 00000000.00000000.281469784.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Presupuesto proyecto P3787-SHN Barcelona.pdf.exe, 00000000.00000002.297886562.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Presupuesto proyecto P3787-SHN Barcelona.pdf.exe, 00000000.00000000.281469784.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: kapasky-antivirus.firewall-gateway.net
Installs a raw input device (often for capturing keystrokes)
Source: onhaomfun.exe, 00000008.00000003.309216217.0000000003085000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404F61

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 13.0.iexplore.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 13.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 13.0.iexplore.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 13.0.iexplore.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 13.0.iexplore.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 13.0.iexplore.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 13.0.iexplore.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 13.0.iexplore.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 13.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 13.0.iexplore.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 13.0.iexplore.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: XpertRAT payload Author: ditekSHen
Source: 0000000D.00000000.301871935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: XpertRAT payload Author: ditekSHen
Source: 0000000D.00000000.301272709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: XpertRAT payload Author: ditekSHen
Source: 0000000D.00000000.301562691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: XpertRAT payload Author: ditekSHen
Source: 00000008.00000003.309216217.0000000003085000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000D.00000000.302426683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: XpertRAT payload Author: ditekSHen
Source: 0000000D.00000002.548586063.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: XpertRAT payload Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Presupuesto proyecto P3787-SHN Barcelona.pdf.exe
Uses 32bit PE files
Source: Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 13.0.iexplore.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 13.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 13.0.iexplore.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 13.0.iexplore.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 13.0.iexplore.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 13.0.iexplore.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 13.0.iexplore.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 13.0.iexplore.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 13.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 13.0.iexplore.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 13.0.iexplore.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 0000000D.00000000.301871935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 0000000D.00000000.301272709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 0000000D.00000000.301562691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 00000008.00000003.309216217.0000000003085000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000000.302426683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Source: 0000000D.00000002.548586063.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_XpertRAT author = ditekSHen, description = XpertRAT payload, clamav_sig = MALWARE.Win.Trojan.XpertRAT, snort_sid = 920003-920006
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403225
Detected potential crypto function
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_0040604C 0_2_0040604C
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00404772 0_2_00404772
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_00414BF2 5_2_00414BF2
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_004134DC 5_2_004134DC
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_00414BF2 5_2_00414BF2
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_00415164 5_2_00415164
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_00414BF2 5_2_00414BF2
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_00414680 5_2_00414680
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_004163D1 5_2_004163D1
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_00414BF2 5_2_00414BF2
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_0041739D 5_2_0041739D
PE file contains strange resources
Source: Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe File read: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Jump to behavior
Source: Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe "C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe"
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Process created: C:\Users\user\AppData\Local\Temp\onhaomfun.exe C:\Users\user\AppData\Local\Temp\onhaomfun.exe C:\Users\user\AppData\Local\Temp\purggfce
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process created: C:\Users\user\AppData\Local\Temp\onhaomfun.exe C:\Users\user\AppData\Local\Temp\onhaomfun.exe C:\Users\user\AppData\Local\Temp\purggfce
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\AppData\Local\Temp\purggfce
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Process created: C:\Users\user\AppData\Local\Temp\onhaomfun.exe C:\Users\user\AppData\Local\Temp\onhaomfun.exe C:\Users\user\AppData\Local\Temp\purggfce Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process created: C:\Users\user\AppData\Local\Temp\onhaomfun.exe C:\Users\user\AppData\Local\Temp\onhaomfun.exe C:\Users\user\AppData\Local\Temp\purggfce Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\AppData\Local\Temp\purggfce Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Roaming\U440R6D3-S1J8-T7X6-R224-O8V7P5X0L7L6 Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe File created: C:\Users\user\AppData\Local\Temp\nspC9DD.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/10@3/1
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404275
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: wntdll.pdbUGP source: onhaomfun.exe, 00000005.00000003.290649228.00000000024C0000.00000004.00000800.00020000.00000000.sdmp, onhaomfun.exe, 00000005.00000003.291143758.0000000002330000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: onhaomfun.exe, 00000005.00000003.290649228.00000000024C0000.00000004.00000800.00020000.00000000.sdmp, onhaomfun.exe, 00000005.00000003.291143758.0000000002330000.00000004.00000800.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_0040FAC5 push ecx; ret 5_2_0040FAD8
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 8_2_00402550 push 004010A4h; ret 8_2_00402563
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 8_2_00402564 push 004010A4h; ret 8_2_00402577
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 8_2_0040250F push 004010A4h; ret 8_2_0040254F
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 8_2_00402A38 push 004010A4h; ret 8_2_00402D77
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 8_2_00402D9A push ebp; retf 8_2_00402D9B
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3
Drops PE files
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe File created: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Jump to dropped file

Boot Survival
barindex
Creates an undocumented autostart registry key
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run U440R6D3-S1J8-T7X6-R224-O8V7P5X0L7L6 Jump to behavior
Creates autostart registry keys with suspicious names
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run U440R6D3-S1J8-T7X6-R224-O8V7P5X0L7L6 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run U440R6D3-S1J8-T7X6-R224-O8V7P5X0L7L6 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run U440R6D3-S1J8-T7X6-R224-O8V7P5X0L7L6 Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: Presupuesto proyecto P3787-SHN Barcelona.pdf.exe
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Window / User API: threadDelayed 7769 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Window / User API: threadDelayed 2230 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe API coverage: 6.9 %
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe API call chain: ExitProcess graph end node
Source: iexplore.exe, 0000000D.00000003.510134053.000000000353E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_00411645 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 5_2_00411645
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_00411645 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 5_2_00411645
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3
Enables debug privileges
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_0040E2B0 mov eax, dword ptr fs:[00000030h] 5_2_0040E2B0
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_0040F9E6 SetUnhandledExceptionFilter, 5_2_0040F9E6
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_0040FA17 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0040FA17

HIPS / PFW / Operating System Protection Evasion
barindex
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Section unmapped: C:\Program Files (x86)\Internet Explorer\iexplore.exe base address: 400000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process created: C:\Users\user\AppData\Local\Temp\onhaomfun.exe C:\Users\user\AppData\Local\Temp\onhaomfun.exe C:\Users\user\AppData\Local\Temp\purggfce Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\user\AppData\Local\Temp\purggfce Jump to behavior
Source: iexplore.exe, 0000000D.00000003.314520603.0000000003564000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0|Test - Xpert|United States|user - 921702|2.10.0|US|0h 0m 0s|3.0.10|1|94|0|Program Manager|X|dMnq
Source: iexplore.exe Binary or memory string: Program Manager
Source: onhaomfun.exe, 00000008.00000003.309216217.0000000003085000.00000004.00000800.00020000.00000000.sdmp, iexplore.exe, iexplore.exe, 0000000D.00000000.301871935.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: Progman
Source: iexplore.exe, 0000000D.00000003.314520603.0000000003564000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0|Test - Xpert|United States|user - 921702|2.10.0|US|0h 0m 0s|3.0.10|1|94|0|Program Manager|X|||xKJs
Source: onhaomfun.exe, 00000008.00000003.309216217.0000000003085000.00000004.00000800.00020000.00000000.sdmp, iexplore.exe, 0000000D.00000000.301871935.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: Program ManagerCopyHere
Source: iexplore.exe, 0000000D.00000003.314520603.0000000003564000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0|Test - Xpert|United States|user - 921702|2.10.0|US|0h 0m 0s|3.0.10|1|94|0|Program Manager|X||<J
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_0041303C cpuid 5_2_0041303C
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Code function: 5_2_0040F513 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_0040F513
Source: C:\Users\user\Desktop\Presupuesto proyecto P3787-SHN Barcelona.pdf.exe Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405AA7

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disables user account control notifications
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center Jump to behavior
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center UACDisableNotify Jump to behavior
Disables UAC (registry)
Source: C:\Users\user\AppData\Local\Temp\onhaomfun.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA Jump to behavior
AV process strings found (often used to terminate AV products)
Source: iexplore.exe, 0000000D.00000003.314507353.000000000354D000.00000004.00000020.00020000.00000000.sdmp, iexplore.exe, 0000000D.00000003.510134053.000000000353E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information
barindex
Yara detected Generic Dropper
Source: Yara match File source: 13.0.iexplore.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.301871935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.301272709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.301562691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.309216217.0000000003085000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.302426683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.548586063.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: onhaomfun.exe PID: 3156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 5388, type: MEMORYSTR
Yara detected XpertRAT
Source: Yara match File source: 13.0.iexplore.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.301871935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.301272709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.301562691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.309216217.0000000003085000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.302426683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.548586063.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: onhaomfun.exe PID: 3156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 5388, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected XpertRAT
Source: Yara match File source: 13.0.iexplore.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.iexplore.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.iexplore.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.301871935.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.301272709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.301562691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.309216217.0000000003085000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.302426683.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.548586063.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: onhaomfun.exe PID: 3156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 5388, type: MEMORYSTR
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 571748 Sample: Presupuesto proyecto P3787-... Startdate: 14/02/2022 Architecture: WINDOWS Score: 100 25 kapasky-antivirus.firewall-gateway.net 2->25 31 Found malware configuration 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 6 other signatures 2->37 9 Presupuesto proyecto P3787-SHN Barcelona.pdf.exe 19 2->9         started        signatures3 process4 file5 21 C:\Users\user\AppData\Local\...\onhaomfun.exe, PE32 9->21 dropped 12 onhaomfun.exe 9->12         started        process6 process7 14 onhaomfun.exe 1 1 12->14         started        signatures8 39 Changes security center settings (notifications, updates, antivirus, firewall) 14->39 41 Disables user account control notifications 14->41 43 Disables UAC (registry) 14->43 45 Sample uses process hollowing technique 14->45 17 iexplore.exe 3 9 14->17         started        process9 dnsIp10 23 kapasky-antivirus.firewall-gateway.net 212.193.30.119, 4000, 49748, 49749 SPD-NETTR Russian Federation 17->23 27 Creates an undocumented autostart registry key 17->27 29 Creates autostart registry keys with suspicious names 17->29 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
212.193.30.119
 kapasky-antivirus.firewall-gateway.net Russian Federation
57844 SPD-NETTR true

Contacted Domains

Name IP Active
kapasky-antivirus.firewall-gateway.net 212.193.30.119 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
kapasky-antivirus.firewall-gateway.net:4000 true
  • Avira URL Cloud: malware
 unknown