Windows Analysis Report
autorunme.exe

Overview

General Information

Sample Name:	autorunme.exe
Analysis ID:	831239
MD5:	3810427719d0c6be5a04ddb70274ed7e
SHA1:	f50d9692be4e9a4d60b93c48e4208f41d3c5703b
SHA256:	2e4ef7c4508fd2d0049a46d413dcb1fe833bead8b3a2cb5fe1346d428f529de9
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Generic Dropper

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Found evasive API chain (may stop execution after checking mutex)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Drops executables to the windows directory (C:\Windows) and starts them

PE file contains section with special chars

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

May infect USB drives

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: autorunme.exe	ReversingLabs: Detection: 90%
Source: autorunme.exe	Virustotal: Detection: 82%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: autorunme.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\System.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Windows\System.exe	ReversingLabs: Detection: 90%
Source: C:\Windows\System.exe	Virustotal: Detection: 82%			Perma Link

Machine Learning detection for sample

Source: autorunme.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Windows\System.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.3.autorunme.exe.7293b4.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.3.autorunme.exe.7293b4.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.3.System.exe.526324.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.0.autorunme.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.0.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.3.System.exe.526324.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.3.System.exe.526324.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.5.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.2.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 3.0.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.0.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.3.System.exe.4a2a3c.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.3.System.exe.526324.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.2.autorunme.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.0.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.3.System.exe.526324.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.autorunme.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.5.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen3

Uses 32bit PE files

Source: autorunme.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

May infect USB drives

Source: autorunme.exe	Binary or memory string: autorun] [autorun[ [autorun] open=
Source: autorunme.exe	Binary or memory string: \AutORUN.inf
Source: autorunme.exe	Binary or memory string: autorun][autorun[[autorun]open=
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: \AutORUN.inf
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: shell\\Explore\\Command=\AutORUN.inf
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: System.exe	Binary or memory string: autorun] [autorun[ [autorun] open=
Source: System.exe	Binary or memory string: \AutORUN.inf
Source: System.exe	Binary or memory string: autorun][autorun[[autorun]open=
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: \AutORUN.inf
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: shell\\Explore\\Command=\AutORUN.inf
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: \AutORUN.inf
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: shell\\Explore\\Command=\AutORUN.inf
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_00401AE0 Sleep,GetLogicalDriveStringsA,GetDriveTypeA,

1_2_00401AE0

Source: unknown

DNS traffic detected: queries for: basicsk8r13.no-ip.info

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_00401000 strncpy,strncpy,InternetOpenUrlA,CreateFileA,InternetCloseHandle,RtlExitUserThread,GetTickCount,malloc,memset,InternetReadFile,WriteFile,memcpy,GetTickCount,??3@YAXPAX@Z,CloseHandle,InternetCloseHandle,strncpy,PathRemoveFileSpecA,GetLastError,memset,memset,CreateProcessA,GetLastError,GetTickCount,WaitForSingleObject,GetTickCount,sprintf,_mbscat,sprintf,_mbscat,CloseHandle,CloseHandle,memset,memset,CreateProcessA,Sleep,WSACleanup,ExitProcess,GetLastError,RtlExitUserThread,

1_2_00401000

System Summary

PE file contains section with special chars

Source: autorunme.exe	Static PE information: section name: .cym
Source: System.exe.1.dr	Static PE information: section name: .cym

Uses 32bit PE files

Source: autorunme.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Creates files inside the system directory

Source: C:\Users\user\Desktop\autorunme.exe

File created: C:\Windows\System.exe

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\autorunme.exe	Code function: 1_2_00401000		1_2_00401000
Source: C:\Windows\System.exe	Code function: 3_2_00401000		3_2_00401000

Contains functionality to call native functions

Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006F21BE NtWriteVirtualMemory,	0_3_006F21BE
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006F21BE NtWriteVirtualMemory,	0_3_006F21BE
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006F21BE NtWriteVirtualMemory,	0_3_006F21BE
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006F21BE NtWriteVirtualMemory,	0_3_006F21BE

Sample file is different than original file name gathered from version info

Source: autorunme.exe, 00000000.00000003.256427599.00000000006D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.256427599.0000000000704000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.256024191.0000000000761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.256876028.0000000000738000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000002.257617519.0000000000407000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.251036505.00000000006EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000001.00000003.256748734.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000001.00000000.256207976.0000000000407000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe

Source: autorunme.exe	ReversingLabs: Detection: 90%
Source: autorunme.exe	Virustotal: Detection: 82%

Source: C:\Users\user\Desktop\autorunme.exe

File read: C:\Users\user\Desktop\autorunme.exe

Jump to behavior

Source: autorunme.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\autorunme.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\autorunme.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Windows\System.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Windows\System.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe
Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe
Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: unknown	Process created: C:\Windows\System.exe "C:\Windows\System.exe"
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe	Jump to behavior
Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior

Source: C:\Users\user\Desktop\autorunme.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@10/2@674/1

Source: C:\Windows\System.exe

Mutant created: \Sessions\1\BaseNamedObjects\tbYfOPSWsbgXvrx

Source: C:\Windows\System.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006ECAAC push eax; retf	0_3_006ECAFD
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006ECAAC push eax; retf	0_3_006ECAFD
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006EC70E push esp; retf 006Eh	0_3_006ECA01
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006EC70E push esp; retf 006Eh	0_3_006ECA01
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006FB5F1 push esp; iretd	0_3_006FB5F2
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006FB5F1 push esp; iretd	0_3_006FB5F2
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006ECAAC push eax; retf	0_3_006ECAFD
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006ECAAC push eax; retf	0_3_006ECAFD
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006EC70E push esp; retf 006Eh	0_3_006ECA01
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006EC70E push esp; retf 006Eh	0_3_006ECA01
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006FB5F1 push esp; iretd	0_3_006FB5F2
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006FB5F1 push esp; iretd	0_3_006FB5F2
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_0040194C push 004010D8h; ret	0_2_0040195F
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_00401960 push 004010D8h; ret	0_2_00401973
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_00401974 push 004010D8h; ret	0_2_00401987
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_00401A00 push 004010D8h; ret	0_2_00401A13
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_00401935 push 004010D8h; ret	0_2_0040194B
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_004019C4 push 004010D8h; ret	0_2_004019D7
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_004019D8 push 004010D8h; ret	0_2_004019EB
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_004019EC push 004010D8h; ret	0_2_004019FF
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_00401988 push 004010D8h; ret	0_2_0040199B
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_0040199C push 004010D8h; ret	0_2_004019AF
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_004019B0 push 004010D8h; ret	0_2_004019C3
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 1_2_004008F1 push D95D7B28h; iretd	1_2_004008FA
Source: C:\Windows\System.exe	Code function: 3_2_004008F1 push D95D7B28h; iretd	3_2_004008FA

PE file contains sections with non-standard names

Source: autorunme.exe	Static PE information: section name: .cym
Source: System.exe.1.dr	Static PE information: section name: .cym

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_0044D850 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_0044D850

PE file contains an invalid checksum

Source: autorunme.exe	Static PE information: real checksum: 0xc346 should be: 0x19581
Source: System.exe.1.dr	Static PE information: real checksum: 0xc346 should be: 0x19581

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System.exe

Executable created and started: C:\Windows\System.exe

Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\autorunme.exe

File created: C:\Windows\System.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\autorunme.exe

File created: C:\Windows\System.exe

Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_00403BBB GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00403BBB

Source: C:\Users\user\Desktop\autorunme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\autorunme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\autorunme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\autorunme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\autorunme.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\System.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: autorunme.exe, System.exe.1.dr	Binary or memory string: SBIEDLL.DLL
Source: autorunme.exe, 00000000.00000002.257784714.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257178763.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLR
Source: autorunme.exe, 00000000.00000002.257869507.000000000071C000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.256427599.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257023103.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257140632.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257260493.000000000071C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL\

Found decision node followed by non-executed suspicious APIs

Source: C:\Users\user\Desktop\autorunme.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System.exe TID: 1412	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Windows\System.exe TID: 1412	Thread sleep time: -552000s >= -30000s	Jump to behavior
Source: C:\Windows\System.exe TID: 908	Thread sleep time: -210000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System.exe	Last function: Thread delayed
Source: C:\Windows\System.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_00401AE0 Sleep,GetLogicalDriveStringsA,GetDriveTypeA,

1_2_00401AE0

Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System.exe	API call chain: ExitProcess graph end node

Source: autorunme.exe, System.exe, 00000004.00000002.294677675.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, System.exe, 00000004.00000003.294208466.00000000004C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU
Source: autorunme.exe, 00000000.00000003.257178763.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWAREject
Source: System.exe, 00000004.00000003.294208466.00000000004C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARErity
Source: autorunme.exe, System.exe.1.dr	Binary or memory string: QEMU.55274-339-6006333-22900.76487-OEM-0065901-82986
Source: System.exe.1.dr	Binary or memory string: VMWARE
Source: autorunme.exe, 00000000.00000002.257784714.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257178763.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMUc6
Source: autorunme.exe, 00000000.00000002.257869507.000000000071C000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.256427599.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257023103.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257140632.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257260493.000000000071C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMUopertya
Source: autorunme.exe, 00000000.00000003.257260493.000000000071C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARErityk
Source: autorunme.exe, 00000001.00000003.257384115.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_0044D850 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_0044D850

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\autorunme.exe

Memory written: C:\Users\user\Desktop\autorunme.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe	Jump to behavior
Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\autorunme.exe	Code function: memset,memset,memset,GetVersionExA,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,_mbscat,	1_2_0040375C
Source: C:\Users\user\Desktop\autorunme.exe	Code function: memset,GetLocaleInfoA,sprintf,strlen,rand,	1_2_004036D5
Source: C:\Users\user\Desktop\autorunme.exe	Code function: memset,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,	1_2_004039BA
Source: C:\Windows\System.exe	Code function: memset,memset,memset,GetVersionExA,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,_mbscat,	3_2_0040375C
Source: C:\Windows\System.exe	Code function: memset,GetLocaleInfoA,sprintf,strlen,rand,	3_2_004036D5
Source: C:\Windows\System.exe	Code function: memset,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,	3_2_004039BA

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_0040375C memset,memset,memset,GetVersionExA,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,_mbscat,

1_2_0040375C

Stealing of Sensitive Information

Yara detected Generic Dropper

Source: Yara match

File source: Process Memory Space: autorunme.exe PID: 5992, type: MEMORYSTR

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

Contacted Domains

Name	IP	Active
basicsk8r13.no-ip.info	unknown	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: autorunme.exe	ReversingLabs: Detection: 90%
Source: autorunme.exe	Virustotal: Detection: 82%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: autorunme.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\System.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Windows\System.exe	ReversingLabs: Detection: 90%
Source: C:\Windows\System.exe	Virustotal: Detection: 82%			Perma Link

Machine Learning detection for sample

Source: autorunme.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Windows\System.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.3.autorunme.exe.7293b4.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.3.autorunme.exe.7293b4.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.3.System.exe.526324.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.0.autorunme.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.0.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.2.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.3.System.exe.526324.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.3.System.exe.526324.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.5.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.2.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 3.0.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.0.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.3.System.exe.4a2a3c.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.3.System.exe.526324.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.2.autorunme.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 10.0.System.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.3.System.exe.526324.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.autorunme.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.5.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen3

Uses 32bit PE files

Source: autorunme.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

May infect USB drives

Source: autorunme.exe	Binary or memory string: autorun] [autorun[ [autorun] open=
Source: autorunme.exe	Binary or memory string: \AutORUN.inf
Source: autorunme.exe	Binary or memory string: autorun][autorun[[autorun]open=
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: \AutORUN.inf
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: shell\\Explore\\Command=\AutORUN.inf
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: System.exe	Binary or memory string: autorun] [autorun[ [autorun] open=
Source: System.exe	Binary or memory string: \AutORUN.inf
Source: System.exe	Binary or memory string: autorun][autorun[[autorun]open=
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: \AutORUN.inf
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: shell\\Explore\\Command=\AutORUN.inf
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: \AutORUN.inf
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: shell\\Explore\\Command=\AutORUN.inf
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_00401AE0 Sleep,GetLogicalDriveStringsA,GetDriveTypeA,

1_2_00401AE0

Source: unknown

DNS traffic detected: queries for: basicsk8r13.no-ip.info

Source: C:\Users\user\Desktop\autorunme.exe

1_2_00401000

System Summary

PE file contains section with special chars

Source: autorunme.exe	Static PE information: section name: .cym
Source: System.exe.1.dr	Static PE information: section name: .cym

Uses 32bit PE files

Source: autorunme.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Creates files inside the system directory

Source: C:\Users\user\Desktop\autorunme.exe

File created: C:\Windows\System.exe

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\autorunme.exe	Code function: 1_2_00401000		1_2_00401000
Source: C:\Windows\System.exe	Code function: 3_2_00401000		3_2_00401000

Contains functionality to call native functions

Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006F21BE NtWriteVirtualMemory,	0_3_006F21BE
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006F21BE NtWriteVirtualMemory,	0_3_006F21BE
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006F21BE NtWriteVirtualMemory,	0_3_006F21BE
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006F21BE NtWriteVirtualMemory,	0_3_006F21BE

Sample file is different than original file name gathered from version info

Source: autorunme.exe, 00000000.00000003.256427599.00000000006D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.256427599.0000000000704000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.256024191.0000000000761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.256876028.0000000000738000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000002.257617519.0000000000407000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.251036505.00000000006EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000001.00000003.256748734.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000001.00000000.256207976.0000000000407000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe	Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe

Source: autorunme.exe	ReversingLabs: Detection: 90%
Source: autorunme.exe	Virustotal: Detection: 82%

Source: C:\Users\user\Desktop\autorunme.exe

File read: C:\Users\user\Desktop\autorunme.exe

Jump to behavior

Source: autorunme.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\autorunme.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\autorunme.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Windows\System.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Windows\System.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe
Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe
Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: unknown	Process created: C:\Windows\System.exe "C:\Windows\System.exe"
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe	Jump to behavior
Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior

Source: C:\Users\user\Desktop\autorunme.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@10/2@674/1

Source: C:\Windows\System.exe

Mutant created: \Sessions\1\BaseNamedObjects\tbYfOPSWsbgXvrx

Source: C:\Windows\System.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006ECAAC push eax; retf	0_3_006ECAFD
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006ECAAC push eax; retf	0_3_006ECAFD
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006EC70E push esp; retf 006Eh	0_3_006ECA01
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006EC70E push esp; retf 006Eh	0_3_006ECA01
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006FB5F1 push esp; iretd	0_3_006FB5F2
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006FB5F1 push esp; iretd	0_3_006FB5F2
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006ECAAC push eax; retf	0_3_006ECAFD
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006ECAAC push eax; retf	0_3_006ECAFD
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006EC70E push esp; retf 006Eh	0_3_006ECA01
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006EC70E push esp; retf 006Eh	0_3_006ECA01
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006FB5F1 push esp; iretd	0_3_006FB5F2
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_3_006FB5F1 push esp; iretd	0_3_006FB5F2
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_0040194C push 004010D8h; ret	0_2_0040195F
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_00401960 push 004010D8h; ret	0_2_00401973
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_00401974 push 004010D8h; ret	0_2_00401987
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_00401A00 push 004010D8h; ret	0_2_00401A13
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_00401935 push 004010D8h; ret	0_2_0040194B
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_004019C4 push 004010D8h; ret	0_2_004019D7
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_004019D8 push 004010D8h; ret	0_2_004019EB
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_004019EC push 004010D8h; ret	0_2_004019FF
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_00401988 push 004010D8h; ret	0_2_0040199B
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_0040199C push 004010D8h; ret	0_2_004019AF
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 0_2_004019B0 push 004010D8h; ret	0_2_004019C3
Source: C:\Users\user\Desktop\autorunme.exe	Code function: 1_2_004008F1 push D95D7B28h; iretd	1_2_004008FA
Source: C:\Windows\System.exe	Code function: 3_2_004008F1 push D95D7B28h; iretd	3_2_004008FA

PE file contains sections with non-standard names

Source: autorunme.exe	Static PE information: section name: .cym
Source: System.exe.1.dr	Static PE information: section name: .cym

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_0044D850 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_0044D850

PE file contains an invalid checksum

Source: autorunme.exe	Static PE information: real checksum: 0xc346 should be: 0x19581
Source: System.exe.1.dr	Static PE information: real checksum: 0xc346 should be: 0x19581

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System.exe

Executable created and started: C:\Windows\System.exe

Jump to behavior

Drops PE files

Source: C:\Users\user\Desktop\autorunme.exe

File created: C:\Windows\System.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\autorunme.exe

File created: C:\Windows\System.exe

Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\autorunme.exe

1_2_00403BBB

Source: C:\Users\user\Desktop\autorunme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\autorunme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\autorunme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\autorunme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\autorunme.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\System.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: autorunme.exe, System.exe.1.dr	Binary or memory string: SBIEDLL.DLL
Source: autorunme.exe, 00000000.00000002.257784714.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257178763.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLR
Source: autorunme.exe, 00000000.00000002.257869507.000000000071C000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.256427599.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257023103.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257140632.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257260493.000000000071C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL\

Found decision node followed by non-executed suspicious APIs

Source: C:\Users\user\Desktop\autorunme.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System.exe TID: 1412	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Windows\System.exe TID: 1412	Thread sleep time: -552000s >= -30000s	Jump to behavior
Source: C:\Windows\System.exe TID: 908	Thread sleep time: -210000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System.exe	Last function: Thread delayed
Source: C:\Windows\System.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_00401AE0 Sleep,GetLogicalDriveStringsA,GetDriveTypeA,

1_2_00401AE0

Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\autorunme.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System.exe	API call chain: ExitProcess graph end node

Source: autorunme.exe, System.exe, 00000004.00000002.294677675.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, System.exe, 00000004.00000003.294208466.00000000004C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU
Source: autorunme.exe, 00000000.00000003.257178763.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWAREject
Source: System.exe, 00000004.00000003.294208466.00000000004C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARErity
Source: autorunme.exe, System.exe.1.dr	Binary or memory string: QEMU.55274-339-6006333-22900.76487-OEM-0065901-82986
Source: System.exe.1.dr	Binary or memory string: VMWARE
Source: autorunme.exe, 00000000.00000002.257784714.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257178763.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMUc6
Source: autorunme.exe, 00000000.00000002.257869507.000000000071C000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.256427599.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257023103.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257140632.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257260493.000000000071C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMUopertya
Source: autorunme.exe, 00000000.00000003.257260493.000000000071C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARErityk
Source: autorunme.exe, 00000001.00000003.257384115.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_0044D850 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_0044D850

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\autorunme.exe

Memory written: C:\Users\user\Desktop\autorunme.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe	Jump to behavior
Source: C:\Users\user\Desktop\autorunme.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior
Source: C:\Windows\System.exe	Process created: C:\Windows\System.exe C:\Windows\System.exe	Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\autorunme.exe	Code function: memset,memset,memset,GetVersionExA,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,_mbscat,	1_2_0040375C
Source: C:\Users\user\Desktop\autorunme.exe	Code function: memset,GetLocaleInfoA,sprintf,strlen,rand,	1_2_004036D5
Source: C:\Users\user\Desktop\autorunme.exe	Code function: memset,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,	1_2_004039BA
Source: C:\Windows\System.exe	Code function: memset,memset,memset,GetVersionExA,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,_mbscat,	3_2_0040375C
Source: C:\Windows\System.exe	Code function: memset,GetLocaleInfoA,sprintf,strlen,rand,	3_2_004036D5
Source: C:\Windows\System.exe	Code function: memset,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,	3_2_004039BA

Source: C:\Users\user\Desktop\autorunme.exe

Code function: 1_2_0040375C memset,memset,memset,GetVersionExA,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,_mbscat,

1_2_0040375C

Stealing of Sensitive Information

Yara detected Generic Dropper

Source: Yara match

File source: Process Memory Space: autorunme.exe PID: 5992, type: MEMORYSTR

ID:	831239
Product:	CloudBasic
Start time:	10:36:33
Start date:	21.03.2023
Sample:	autorunme.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	3810427719d0c6be5a04ddb70274ed7e
SHA1:	f50d9692be4e9a4d60b93c48e4208f41d3c5703b
SHA256:	2e4ef7c4508fd2d0049a46d413dcb1fe833bead8b3a2cb5fe1346d428f529de9
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256
C:\Windows\System.exe	PE32 executable (GUI) Intel 80386, for MS Windows	3810427719D0C6BE5A04DDB70274ED7E	F50D9692BE4E9A4D60B93C48E4208F41D3C5703B	2E4EF7C4508FD2D0049A46D413DCB1FE833BEAD8B3A2CB5FE1346D428F529DE9
C:\Windows\System.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report
autorunme.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report autorunme.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report
autorunme.exe