Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.8% probability |
Source: C:\Users\user\Desktop\file.exe |
Code function: 4x nop then push rbp |
0_2_000000014001E0F0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 4x nop then lea rcx, qword ptr [0000000140021051h] |
0_2_0000000140011F60 |
Source: file.exe |
String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01 |
Source: file.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: file.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 |
Source: file.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: file.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: file.exe |
String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: file.exe |
String found in binary or memory: http://crl.entrust.net/ts1ca.crl0 |
Source: file.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: file.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S |
Source: file.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: file.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: file.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0= |
Source: file.exe |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: file.exe |
String found in binary or memory: http://ocsp.digicert.com0A |
Source: file.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: file.exe |
String found in binary or memory: http://ocsp.digicert.com0X |
Source: file.exe |
String found in binary or memory: http://ocsp.entrust.net02 |
Source: file.exe |
String found in binary or memory: http://ocsp.entrust.net03 |
Source: file.exe |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: file.exe |
String found in binary or memory: http://www.entrust.net/rpa03 |
Source: file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: file.exe |
String found in binary or memory: https://www.entrust.net/rpa0 |
Source: file.exe, type: SAMPLE |
Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 0.2.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 0.0.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 0.0.file.exe.140000000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 0.2.file.exe.140000000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 00000000.00000000.2045918617.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0000000140012926 |
0_2_0000000140012926 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00000001400060F8 |
0_2_00000001400060F8 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0000000140012155 |
0_2_0000000140012155 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_000000014001E3AF |
0_2_000000014001E3AF |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00000001400093C0 |
0_2_00000001400093C0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00000001400044D8 |
0_2_00000001400044D8 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0000000140005797 |
0_2_0000000140005797 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0000000140014EB0 |
0_2_0000000140014EB0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0000000140003ED0 |
0_2_0000000140003ED0 |
Source: file.exe, type: SAMPLE |
Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 0.2.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 0.0.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 0.0.file.exe.140000000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 0.2.file.exe.140000000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 00000000.00000000.2045918617.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: classification engine |
Classification label: mal64.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\file.exe |
Mutant created: \Sessions\1\BaseNamedObjects\cdf89ae526ad4cbd86c91c09eed01dbb |
Source: C:\Users\user\Desktop\file.exe |
File created: c:\Users\user\AppData\Local\Temp\setupF0B.tmp |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\file.exe |
File read: C:\Users\user\Desktop\file.exe |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: shfolder.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wininet.dll |
Source: file.exe |
Static file information: File size 5800616 > 1048576 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_000000014000D0C5 push rdi; ret |
0_2_000000014000D0C6 |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: AUTORUNSC.EXE |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: AUTORUNSC.EXEZ |
Source: file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: WIRESHARK.EXE[, |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: DUMPCAP.EXEZ |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: TCPDUMP.EXE |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: TCPDUMP.EXE{ |
Source: file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: XENSERVICE.EXEW, |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: XENSERVICE.EXE |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: DUMPCAP.EXE |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: WIRESHARK.EXE |
Source: C:\Users\user\Desktop\file.exe |
API coverage: 0.5 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: vboxtray.exe |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: qemu-ga`Y |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: vboxtray.exe` |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: vmwareuser.exe |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: qemu-ga |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: vmwaretray.exe |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vmwareuser.exeZ |
Source: file.exe, file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: QEMU HARDDISK |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: qemu-gaz |
Source: file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: Stop reversing the programReconsider your life choicesAnd go touch some grassbasic_string::append\\.\PhysicalDrive0DADY HARDDISKQEMU HARDDISKbasic_string: construction from null is not valid |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: vboxservice.exe@ |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: vboxservice.exe |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vboxservice.exe{ |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vmwaretray.exe{ |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: vboxtray.exe{ |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_0000000140033E66 RtlAddVectoredExceptionHandler, |
0_2_0000000140033E66 |
Source: C:\Users\user\Desktop\file.exe |
NtProtectVirtualMemory: Direct from: 0x14009F39D |
Source: C:\Users\user\Desktop\file.exe |
NtProtectVirtualMemory: Direct from: 0x1400E8171 |
Source: C:\Users\user\Desktop\file.exe |
NtOpenSection: Indirect: 0x1401CB085 |
Source: C:\Users\user\Desktop\file.exe |
NtProtectVirtualMemory: Direct from: 0x140057AC0 |
Source: C:\Users\user\Desktop\file.exe |
NtQueryAttributesFile: Indirect: 0x1401CB96F |
Source: C:\Users\user\Desktop\file.exe |
NtTerminateProcess: Indirect: 0x1401CACCC |
Source: C:\Users\user\Desktop\file.exe |
NtProtectVirtualMemory: Direct from: 0x14005CC8A |
Source: C:\Users\user\Desktop\file.exe |
NtClose: Indirect: 0x1401CB606 |
Source: C:\Users\user\Desktop\file.exe |
NtProtectVirtualMemory: Direct from: 0x140069067 |
Source: C:\Users\user\Desktop\file.exe |
NtProtectVirtualMemory: Direct from: 0x1400E385B |
Source: C:\Users\user\Desktop\file.exe |
NtProtectVirtualMemory: Direct from: 0x1400DCB84 |
Source: C:\Users\user\Desktop\file.exe |
NtOpenKey: Indirect: 0x1401CA475 |
Source: C:\Users\user\Desktop\file.exe |
NtProtectVirtualMemory: Direct from: 0x1400E7F74 |
Source: C:\Users\user\Desktop\file.exe |
NtUnmapViewOfSection: Indirect: 0x1401CB3DF |
Source: C:\Users\user\Desktop\file.exe |
NtProtectVirtualMemory: Indirect: 0x1401CCBD7 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_000000014001B3C0 cpuid |
0_2_000000014001B3C0 |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: wireshark.exe |