Windows Analysis Report
autorunme.exe

Overview

General Information

Sample Name: autorunme.exe
Analysis ID: 831239
MD5: 3810427719d0c6be5a04ddb70274ed7e
SHA1: f50d9692be4e9a4d60b93c48e4208f41d3c5703b
SHA256: 2e4ef7c4508fd2d0049a46d413dcb1fe833bead8b3a2cb5fe1346d428f529de9

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Found evasive API chain (may stop execution after checking mutex)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
PE file contains section with special chars
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Creates a process in suspended mode (likely to inject code)

Classification

Classification categories (from the report's classification diagram): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.

AV Detection

Source: autorunme.exe ReversingLabs: Detection: 90%
Source: autorunme.exe Virustotal: Detection: 82%
Source: autorunme.exe Avira: detected
Source: C:\Windows\System.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\System.exe ReversingLabs: Detection: 90%
Source: C:\Windows\System.exe Virustotal: Detection: 82%
Source: autorunme.exe Joe Sandbox ML: detected
Source: C:\Windows\System.exe Joe Sandbox ML: detected
Source: 0.3.autorunme.exe.7293b4.1.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.3.autorunme.exe.7293b4.2.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.1.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.3.System.exe.526324.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.0.autorunme.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.4.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.0.System.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 4.2.System.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.3.System.exe.526324.4.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.3.System.exe.526324.2.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.5.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.4.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.2.System.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 3.0.System.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.3.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.0.System.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 4.3.System.exe.4a2a3c.3.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.3.System.exe.526324.1.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.2.autorunme.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 10.0.System.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.3.System.exe.526324.3.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.autorunme.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.3.autorunme.exe.7293b4.5.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.3.System.exe.4a2a3c.2.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: autorunme.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: autorunme.exe Binary or memory string: autorun] [autorun[ [autorun] open=
Source: autorunme.exe Binary or memory string: \AutORUN.inf
Source: autorunme.exe Binary or memory string: autorun][autorun[[autorun]open=
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: \AutORUN.inf
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: shell\\Explore\\Command=\AutORUN.inf
Source: autorunme.exe, 00000001.00000002.257561239.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: System.exe Binary or memory string: autorun] [autorun[ [autorun] open=
Source: System.exe Binary or memory string: \AutORUN.inf
Source: System.exe Binary or memory string: autorun][autorun[[autorun]open=
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: \AutORUN.inf
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: shell\\Explore\\Command=\AutORUN.inf
Source: System.exe, 00000003.00000002.519537230.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: \AutORUN.inf
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: shell\\Explore\\Command=\AutORUN.inf
Source: System.exe, 0000000A.00000002.294006105.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\autorunme.exe Code function: 1_2_00401AE0 Sleep,GetLogicalDriveStringsA,GetDriveTypeA, 1_2_00401AE0
Source: unknown DNS traffic detected: queries for: basicsk8r13.no-ip.info
Source: C:\Users\user\Desktop\autorunme.exe Code function: 1_2_00401000 strncpy,strncpy,InternetOpenUrlA,CreateFileA,InternetCloseHandle,RtlExitUserThread,GetTickCount,malloc,memset,InternetReadFile,WriteFile,memcpy,GetTickCount,??3@YAXPAX@Z,CloseHandle,InternetCloseHandle,strncpy,PathRemoveFileSpecA,GetLastError,memset,memset,CreateProcessA,GetLastError,GetTickCount,WaitForSingleObject,GetTickCount,sprintf,_mbscat,sprintf,_mbscat,CloseHandle,CloseHandle,memset,memset,CreateProcessA,Sleep,WSACleanup,ExitProcess,GetLastError,RtlExitUserThread, 1_2_00401000
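The `[autorun]`, `open=` and `shell\Explore\Command=` strings above, together with the `Sleep,GetLogicalDriveStringsA,GetDriveTypeA` loop at 1_2_00401AE0, are the classic USB-worm pattern: enumerate drives, keep the removable ones, and drop a copy of the executable next to an autorun.inf whose directives launch it. The mixed-case `\AutORUN.inf` is the same file on Windows, where filename lookup is case-insensitive, but it slips past case-sensitive string or YARA matching, so any scanner must match the name case-insensitively. On Windows 7 and later (and on XP/Vista with KB971029) AutoRun from non-optical removable media is disabled, so these directives only fire on legacy hosts; the dropped copy still spreads if a user runs it by hand. The following is an added example, not code from the report or from the sample: a parser for autorun.inf that flags the directives capable of launching a program and checks whether the referenced program sits on the drive. The autorun.inf content and the drive listing are constructed for the example; the directive layout is modelled on the strings in the report, not recovered from the sample.

```python
"""Added example (not from the report or the sample): parse an autorun.inf and
flag directives that can launch a program from a removable drive."""
import re
from typing import Dict, List, Optional, Tuple

# Directives whose value is run (or selects the verb that runs) when the
# drive is opened.  All key comparisons are case-insensitive.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
CODE_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll")

# Constructed autorun.inf; layout modelled on the strings in the report.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=System.exe
shell\Explore\Command=System.exe
shell\Open\Command=System.exe
shell=Explore
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed root-directory listing of an infected drive (binary content omitted).
SAMPLE_DRIVE_ROOT = {
    "AutORUN.inf": SAMPLE_AUTORUN_INF,
    "System.exe": "",
    "Photos": "",
}


def is_autorun_inf(filename: str) -> bool:
    """Windows filename lookup is case-insensitive, so 'AutORUN.inf' is autorun.inf."""
    return filename.lower() == "autorun.inf"


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section and key names are lower-cased, values kept verbatim.
    Hand-rolled so that malformed or repeated lines do not abort the scan."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def suspicious_directives(text: str) -> List[Tuple[str, str]]:
    """(key, value) pairs in [autorun] that launch a program or redirect the default verb."""
    hits = []
    for key, value in parse_ini(text).get("autorun", {}).items():
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key) or (key == "shell" and value):
            hits.append((key, value))
    return hits


def launch_target(value: str) -> str:
    """First token of a command line, unquoted and lower-cased."""
    token = value.strip().split()[0] if value.strip() else ""
    return token.strip('"').lower()


def scan_drive_root(files: Dict[str, str]) -> dict:
    """Locate autorun.inf under any casing and report which launched programs exist on the drive."""
    by_lower = {name.lower(): name for name in files}
    inf_name = by_lower.get("autorun.inf")
    if inf_name is None:
        return {"autorun_inf": None, "directives": [], "targets_present": []}
    directives = suspicious_directives(files[inf_name])
    present: List[str] = []
    for key, value in directives:
        if key == "shell":
            continue  # a verb name, not a program
        target = launch_target(value)
        if target.endswith(CODE_EXT) and target in by_lower and by_lower[target] not in present:
            present.append(by_lower[target])
    return {"autorun_inf": inf_name, "directives": directives, "targets_present": present}


if __name__ == "__main__":
    print(scan_drive_root(SAMPLE_DRIVE_ROOT))
```

Feed `scan_drive_root` the root listing of a mounted drive (names plus the text of any .inf found) and treat a hit in `targets_present` as the dropped worm copy to collect; `shell=` alone is reported because it is how the sample makes its `shell\Explore\Command` verb the default double-click action.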
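The DNS query for basicsk8r13.no-ip.info is the sample's rendezvous point. no-ip.info is a free dynamic-DNS zone, so the durable indicator is the attacker-registered label basicsk8r13, not the zone (blocking it wholesale has a false-positive cost) and not whatever address it resolves to on a given day. The following is an added example, not from the report: a scan of a constructed DNS query log that flags queries under a short list of dynamic-DNS zones, matching on label boundaries so that look-alike registered domains are not caught by substring matching, and extracting the attacker label for pivoting. The log format, zone list, timestamps and client addresses are all constructed for the example.

```python
"""Added example (not from the report): flag DNS queries to dynamic-DNS zones
in a constructed query log and extract the attacker-registered label."""
import re
from typing import Dict, Iterable, List, Optional

# Illustrative list of free dynamic-DNS zones; neither authoritative nor complete.
DYNDNS_ZONES = ("no-ip.info", "no-ip.org", "no-ip.biz", "ddns.net", "zapto.org", "hopto.org")

# Constructed log format: <timestamp> <client-ip> <qtype> <qname>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

# Constructed log lines; timestamps and client addresses are made up.
SAMPLE_DNS_LOG = """\
1679306401 10.0.0.15 A basicsk8r13.no-ip.info.
1679306402 10.0.0.15 A www.microsoft.com
1679306403 10.0.0.22 A xno-ip.info
1679306404 10.0.0.22 AAAA no-ip.info.example.com
1679306405 10.0.0.31 A update.ddns.net
"""


def normalize(qname: str) -> str:
    """Strip the FQDN trailing dot and fold case; DNS names are case-insensitive."""
    return qname.rstrip(".").lower()


def dyndns_zone(qname: str) -> Optional[str]:
    """Zone the name falls under, matched on label boundaries only:
    'evil.no-ip.info' matches, 'xno-ip.info' and 'no-ip.info.example.com' do not."""
    name = normalize(qname)
    for zone in DYNDNS_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def registered_label(qname: str, zone: str) -> str:
    """The part the attacker registered, e.g. 'basicsk8r13' for basicsk8r13.no-ip.info."""
    name = normalize(qname)
    return "" if name == zone else name[: -(len(zone) + 1)]


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per query that falls under a dynamic-DNS zone."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skipped rather than aborting the scan
        zone = dyndns_zone(m["qname"])
        if zone is None:
            continue
        hits.append({"ts": m["ts"], "client": m["client"], "qname": normalize(m["qname"]),
                     "zone": zone, "label": registered_label(m["qname"], zone)})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(hit)
```

Only the first and last constructed lines are reported: `xno-ip.info` is a different registered domain and `no-ip.info.example.com` merely contains the zone as an inner label, which a plain substring check would wrongly flag.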

System Summary

Source: autorunme.exe Static PE information: section name: .cym
Source: System.exe.1.dr Static PE information: section name: .cym
Source: autorunme.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\autorunme.exe File created: C:\Windows\System.exe
Source: C:\Users\user\Desktop\autorunme.exe Code function: 1_2_00401000 1_2_00401000
Source: C:\Windows\System.exe Code function: 3_2_00401000 3_2_00401000
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_3_006F21BE NtWriteVirtualMemory, 0_3_006F21BE (reported 4 times)
Source: autorunme.exe, 00000000.00000003.256427599.00000000006D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.256427599.0000000000704000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.256024191.0000000000761000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.256876028.0000000000738000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000002.257617519.0000000000407000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000000.00000003.251036505.00000000006EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000001.00000003.256748734.00000000007D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe, 00000001.00000000.256207976.0000000000407000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe Binary or memory string: OriginalFilenameeHKHLlYIWVkqlHEQ.exe vs autorunme.exe
Source: autorunme.exe ReversingLabs: Detection: 90%
Source: autorunme.exe Virustotal: Detection: 82%
Source: C:\Users\user\Desktop\autorunme.exe File read: C:\Users\user\Desktop\autorunme.exe
Source: autorunme.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\autorunme.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\autorunme.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\System.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll (reported 2 times)
Source: unknown Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe
Source: C:\Users\user\Desktop\autorunme.exe Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe
Source: C:\Users\user\Desktop\autorunme.exe Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: C:\Windows\System.exe Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: unknown Process created: C:\Windows\System.exe "C:\Windows\System.exe"
Source: C:\Windows\System.exe Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: C:\Users\user\Desktop\autorunme.exe Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe
Source: C:\Users\user\Desktop\autorunme.exe Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: C:\Windows\System.exe Process created: C:\Windows\System.exe C:\Windows\System.exe (reported 2 times)
Source: C:\Users\user\Desktop\autorunme.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: classification engine Classification label: mal100.spyw.evad.winEXE@10/2@674/1
Source: C:\Windows\System.exe Mutant created: \Sessions\1\BaseNamedObjects\tbYfOPSWsbgXvrx
Source: C:\Windows\System.exe File read: C:\Windows\System32\drivers\etc\hosts (reported 2 times)
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_3_006ECAAC push eax; retf 0_3_006ECAFD (reported 4 times)
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_3_006EC70E push esp; retf 006Eh 0_3_006ECA01 (reported 4 times)
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_3_006FB5F1 push esp; iretd 0_3_006FB5F2 (reported 4 times)
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_0040194C push 004010D8h; ret 0_2_0040195F
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_00401960 push 004010D8h; ret 0_2_00401973
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_00401974 push 004010D8h; ret 0_2_00401987
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_00401A00 push 004010D8h; ret 0_2_00401A13
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_00401935 push 004010D8h; ret 0_2_0040194B
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_004019C4 push 004010D8h; ret 0_2_004019D7
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_004019D8 push 004010D8h; ret 0_2_004019EB
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_004019EC push 004010D8h; ret 0_2_004019FF
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_00401988 push 004010D8h; ret 0_2_0040199B
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_0040199C push 004010D8h; ret 0_2_004019AF
Source: C:\Users\user\Desktop\autorunme.exe Code function: 0_2_004019B0 push 004010D8h; ret 0_2_004019C3
Source: C:\Users\user\Desktop\autorunme.exe Code function: 1_2_004008F1 push D95D7B28h; iretd 1_2_004008FA
Source: C:\Windows\System.exe Code function: 3_2_004008F1 push D95D7B28h; iretd 3_2_004008FA
Source: C:\Users\user\Desktop\autorunme.exe Code function: 1_2_0044D850 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 1_2_0044D850
Source: autorunme.exe Static PE information: real checksum: 0xc346 should be: 0x19581
Source: System.exe.1.dr Static PE information: real checksum: 0xc346 should be: 0x19581
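The two checksum lines (stored 0xc346, expected 0x19581, for both the sample and the dropped System.exe) mean the optional-header CheckSum no longer matches the file contents, i.e. the file was modified after the linker wrote it. That fits the packed image seen elsewhere in this section: the .cym section, the push/ret and push/retf stubs, and the VirtualProtect calls in the entry point at 1_2_0044D850. The identical pair of values for System.exe is consistent with the dropped file being a byte-for-byte copy of the sample. Two caveats: the user-mode loader does not enforce this field (Windows checks it for kernel-mode drivers and a few system DLLs), so a bad checksum does not prevent execution, and a stored value of 0 is common in unsigned legitimate binaries and means "not set" rather than "tampered". The following added example, which is not the report's or the sandbox's code, recomputes the checksum the way CheckSumMappedFile does: sum the image as 32-bit words with end-around carry, skipping the CheckSum field itself, fold to 16 bits, then add the file size. The 256-byte PE stub it runs on is constructed for the example and is not the analyzed sample.

```python
"""Added example (not from the report): recompute a PE optional-header CheckSum
and compare it with the stored value.  The PE stub below is constructed."""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (signature)
    + 20 (IMAGE_FILE_HEADER) + 64 (CheckSum's offset inside the optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 0x58


def pe_checksum(data: bytes) -> int:
    """The CheckSumMappedFile algorithm: 32-bit ones'-complement-style sum with
    end-around carry over the whole file (the CheckSum dword excluded), folded
    to 16 bits, plus the unpadded file length."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)  # pad a trailing partial dword
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify_checksum(data: bytes) -> dict:
    """Report stored vs. recomputed value; 'unset' flags the common, benign zero case."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return {"stored": stored, "computed": computed,
            "matches": stored == computed, "unset": stored == 0}


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of the image with the CheckSum field set to value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), value)
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed 256-byte stub: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40, zeros
    elsewhere.  Enough header for the checksum walk; it is not a loadable image."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    stub = build_sample_pe()
    print(verify_checksum(stub))                                # unset, 0 vs computed
    print(verify_checksum(with_checksum(stub, pe_checksum(stub))))  # matches
```

On the constructed stub the only non-zero words are "MZ" (0x5A4D), e_lfanew (0x40) and "PE\0\0" (0x4550), so the folded sum is 0x9FDD and the checksum is 0x9FDD + 256 = 0xA0DD; writing that value into the field and recomputing gives the same result because the field is skipped, which is what makes the stored/computed comparison in the report meaningful. To reproduce the report's numbers, read the real file with `open(path, "rb").read()` and call `verify_checksum` on it.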

Persistence and Installation Behavior

Source: C:\Windows\System.exe Executable created and started: C:\Windows\System.exe
Source: C:\Users\user\Desktop\autorunme.exe File created: C:\Windows\System.exe (reported 2 times)
Source: C:\Users\user\Desktop\autorunme.exe Code function: 1_2_00403BBB GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetOpenA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00403BBB
Source: C:\Users\user\Desktop\autorunme.exe Process information set: NOOPENFILEERRORBOX (reported 4 times)
Source: C:\Windows\System.exe Process information set: NOOPENFILEERRORBOX (reported 8 times)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\autorunme.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\System.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: autorunme.exe, System.exe.1.dr Binary or memory string: SBIEDLL.DLL
Source: autorunme.exe, 00000000.00000002.257784714.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257178763.00000000006C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLR
Source: autorunme.exe, 00000000.00000002.257869507.000000000071C000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.256427599.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257023103.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257140632.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257260493.000000000071C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL\
Source: C:\Users\user\Desktop\autorunme.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\System.exe TID: 1412 Thread sleep count: 46 > 30
Source: C:\Windows\System.exe TID: 1412 Thread sleep time: -552000s >= -30000s
Source: C:\Windows\System.exe TID: 908 Thread sleep time: -210000s >= -30000s
Source: C:\Windows\System.exe Last function: Thread delayed (reported 2 times)
Source: C:\Users\user\Desktop\autorunme.exe Code function: 1_2_00401AE0 Sleep,GetLogicalDriveStringsA,GetDriveTypeA, 1_2_00401AE0
Source: C:\Users\user\Desktop\autorunme.exe API call chain: ExitProcess graph end node (reported 6 times)
Source: C:\Windows\System.exe API call chain: ExitProcess graph end node (reported 5 times)
Source: autorunme.exe, System.exe, 00000004.00000002.294677675.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, System.exe, 00000004.00000003.294208466.00000000004C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *QEMU*
Source: autorunme.exe, 00000000.00000003.257178763.00000000006C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *VMWARE*ject
Source: System.exe, 00000004.00000003.294208466.00000000004C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *VMWARE*rity
Source: autorunme.exe, System.exe.1.dr Binary or memory string: *QEMU*.55274-339-6006333-22900.76487-OEM-0065901-82986
Source: System.exe.1.dr Binary or memory string: *VMWARE*
Source: autorunme.exe, 00000000.00000002.257784714.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257178763.00000000006C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *QEMU*c6
Source: autorunme.exe, 00000000.00000002.257869507.000000000071C000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.256427599.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257023103.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257140632.0000000000716000.00000004.00000020.00020000.00000000.sdmp, autorunme.exe, 00000000.00000003.257260493.000000000071C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *QEMU*opertya
Source: autorunme.exe, 00000000.00000003.257260493.000000000071C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *VMWARE*rityk
Source: autorunme.exe, 00000001.00000003.257384115.00000000007BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\autorunme.exe Code function: 1_2_0044D850 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 1_2_0044D850

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\autorunme.exe Memory written: C:\Users\user\Desktop\autorunme.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\autorunme.exe Process created: C:\Users\user\Desktop\autorunme.exe C:\Users\user\Desktop\autorunme.exe
Source: C:\Users\user\Desktop\autorunme.exe Process created: C:\Windows\System.exe C:\Windows\System.exe
Source: C:\Windows\System.exe Process created: C:\Windows\System.exe C:\Windows\System.exe (reported 2 times)
Source: C:\Users\user\Desktop\autorunme.exe Code function: memset,memset,memset,GetVersionExA,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,_mbscat, 1_2_0040375C
Source: C:\Users\user\Desktop\autorunme.exe Code function: memset,GetLocaleInfoA,sprintf,strlen,rand, 1_2_004036D5
Source: C:\Users\user\Desktop\autorunme.exe Code function: memset,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat, 1_2_004039BA
Source: C:\Windows\System.exe Code function: memset,memset,memset,GetVersionExA,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,_mbscat, 3_2_0040375C
Source: C:\Windows\System.exe Code function: memset,GetLocaleInfoA,sprintf,strlen,rand, 3_2_004036D5
Source: C:\Windows\System.exe Code function: memset,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat, 3_2_004039BA
Source: C:\Users\user\Desktop\autorunme.exe Code function: 1_2_0040375C memset,memset,memset,GetVersionExA,GetLocaleInfoA,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,rand,sprintf,_mbscat,_mbscat, 1_2_0040375C

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: autorunme.exe PID: 5992, type: MEMORYSTR