Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then push rbp | 0_2_000000014001E0F0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then lea rcx, qword ptr [0000000140021051h] | 0_2_0000000140011F60 |
Source: file.exe | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01 |
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 |
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: file.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: file.exe | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0 |
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S |
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: file.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0= |
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0 |
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0A |
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0C |
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0X |
Source: file.exe | String found in binary or memory: http://ocsp.entrust.net02 |
Source: file.exe | String found in binary or memory: http://ocsp.entrust.net03 |
Source: file.exe | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: file.exe | String found in binary or memory: http://www.entrust.net/rpa03 |
Source: file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: file.exe | String found in binary or memory: https://www.entrust.net/rpa0 |
Source: file.exe, type: SAMPLE | Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 0.2.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 0.0.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 0.0.file.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 0.2.file.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 00000000.00000000.2045918617.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects executables packed with Enigma Author: ditekSHen |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0000000140012926 | 0_2_0000000140012926 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00000001400060F8 | 0_2_00000001400060F8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0000000140012155 | 0_2_0000000140012155 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000000014001E3AF | 0_2_000000014001E3AF |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00000001400093C0 | 0_2_00000001400093C0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00000001400044D8 | 0_2_00000001400044D8 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0000000140005797 | 0_2_0000000140005797 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0000000140014EB0 | 0_2_0000000140014EB0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0000000140003ED0 | 0_2_0000000140003ED0 |
Source: file.exe, type: SAMPLE | Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 0.2.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 0.0.file.exe.140000000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 0.0.file.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 0.2.file.exe.140000000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 00000000.00000000.2045918617.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: 00000000.00000002.2048334115.0000000140000000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_EXE_Packed_Enigma snort2_sid = 930052-930054, author = ditekSHen, description = Detects executables packed with Enigma, snort3_sid = 930018 |
Source: classification engine | Classification label: mal64.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\cdf89ae526ad4cbd86c91c09eed01dbb |
Source: C:\Users\user\Desktop\file.exe | File created: c:\Users\user\AppData\Local\Temp\setupF0B.tmp |
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe |
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: shfolder.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll |
Source: file.exe | Static file information: File size 5800616 > 1048576 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000000014000D0C5 push rdi; ret | 0_2_000000014000D0C6 |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: AUTORUNSC.EXE |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AUTORUNSC.EXEZ |
Source: file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE[, |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DUMPCAP.EXEZ |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: TCPDUMP.EXE |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TCPDUMP.EXE{ |
Source: file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: XENSERVICE.EXEW, |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: XENSERVICE.EXE |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: DUMPCAP.EXE |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE |
Source: C:\Users\user\Desktop\file.exe | API coverage: 0.5 % |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: vboxtray.exe |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: qemu-ga`Y |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: vboxtray.exe` |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: vmwareuser.exe |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: qemu-ga |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: vmwaretray.exe |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareuser.exeZ |
Source: file.exe, file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: QEMU HARDDISK |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: qemu-gaz |
Source: file.exe, 00000000.00000002.2048379014.0000000140021000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Stop reversing the programReconsider your life choicesAnd go touch some grassbasic_string::append\\.\PhysicalDrive0DADY HARDDISKQEMU HARDDISKbasic_string: construction from null is not valid |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: vboxservice.exe@ |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: vboxservice.exe |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxservice.exe{ |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwaretray.exe{ |
Source: file.exe, 00000000.00000002.2048108838.00000000001A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxtray.exe{ |
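The carved strings above (guest-tool and hypervisor process names, capture-tool names, and the \\.\PhysicalDrive0 path next to the QEMU HARDDISK / DADY HARDDISK disk-model strings) are the raw material of an anti-VM and anti-analysis check. The following is an added triage helper, not code from the sandbox report or from the sample, that groups such strings into indicator families so the evidence can be scored mechanically. The indicator tables, the VBOX/VMware disk-model entries and the sample input are assumptions constructed to mirror this report's observations.

```python
"""Triage helper for anti-analysis indicator strings.

Added example, not code from the sandbox report or from the sample: it takes
a list of strings (as produced by a strings dump or a memory carve) and groups
them into the indicator families seen in the report. The indicator tables and
the sample input are assumptions constructed from the report's observations.
"""
from collections import defaultdict

# Guest-tool / hypervisor process names typically enumerated by anti-VM code.
VM_PROCESSES = {
    "vboxservice.exe", "vboxtray.exe", "vmwareuser.exe", "vmwaretray.exe",
    "qemu-ga", "xenservice.exe",
}
# Capture and monitoring tools typically checked by anti-analysis code.
ANALYSIS_TOOLS = {"wireshark.exe", "dumpcap.exe", "tcpdump.exe", "autorunsc.exe"}
# Disk model substrings that betray a virtualised disk: the two seen in the
# report plus VBOX/VMware entries added as assumptions.
DISK_MODELS = ("QEMU HARDDISK", "DADY HARDDISK", "VBOX HARDDISK", "VMware Virtual")
# Raw physical-disk path; next to a disk-model string it usually means the
# model name is being read through a storage query IOCTL.
RAW_DISK = r"\\.\physicaldrive0"

# Constructed sample input mirroring the carved strings, including the
# trailing junk bytes a memory carve leaves on some of them.
SAMPLE_STRINGS = [
    "AUTORUNSC.EXEZ", "WIRESHARK.EXE[,", "DUMPCAP.EXE", "TCPDUMP.EXE{",
    "XENSERVICE.EXEW,", "vboxtray.exe`", "qemu-gaz", "vmwareuser.exe",
    "vmwaretray.exe{", "vboxservice.exe@",
    "Stop reversing the programReconsider your life choicesAnd go touch some grass"
    r"basic_string::append\\.\PhysicalDrive0DADY HARDDISKQEMU HARDDISK"
    "basic_string: construction from null is not valid",
    "basic_string::append",  # noise: legitimate C++ runtime string
]


def classify(strings):
    """Return {family: set(indicators)} for every indicator found.

    Matching is case-insensitive and substring-based so that carved strings
    with trailing junk ("vboxtray.exe`") still hit."""
    hits = defaultdict(set)
    for s in strings:
        low = s.lower()
        for name in VM_PROCESSES:
            if name in low:
                hits["vm_process"].add(name)
        for name in ANALYSIS_TOOLS:
            if name in low:
                hits["analysis_tool"].add(name)
        for model in DISK_MODELS:
            if model.lower() in low:
                hits["disk_model"].add(model)
        if RAW_DISK in low:
            hits["raw_disk_access"].add(RAW_DISK)
    return dict(hits)


def verdict(hits):
    """Collapse the indicator families into a one-word triage verdict."""
    vm = bool(hits.get("vm_process")) or bool(hits.get("disk_model"))
    tools = bool(hits.get("analysis_tool"))
    if vm and tools:
        return "anti-vm+anti-analysis"
    if vm:
        return "anti-vm"
    if tools:
        return "anti-analysis"
    return "none"


if __name__ == "__main__":
    h = classify(SAMPLE_STRINGS)
    for family, names in sorted(h.items()):
        print(f"{family:16s} {', '.join(sorted(names))}")
    print("verdict:", verdict(h))
```

Feed it the output of a strings run over the unpacked image or the process memory dump; the substring match is deliberate, since carved strings are rarely clean, and the disk-model family is what separates a sample that merely names VM tools from one that reads the physical disk to detect one.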
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0000000140033E66 RtlAddVectoredExceptionHandler, | 0_2_0000000140033E66 |
Source: C:\Users\user\Desktop\file.exe | NtProtectVirtualMemory: Direct from: 0x14009F39D |
Source: C:\Users\user\Desktop\file.exe | NtProtectVirtualMemory: Direct from: 0x1400E8171 |
Source: C:\Users\user\Desktop\file.exe | NtOpenSection: Indirect: 0x1401CB085 |
Source: C:\Users\user\Desktop\file.exe | NtProtectVirtualMemory: Direct from: 0x140057AC0 |
Source: C:\Users\user\Desktop\file.exe | NtQueryAttributesFile: Indirect: 0x1401CB96F |
Source: C:\Users\user\Desktop\file.exe | NtTerminateProcess: Indirect: 0x1401CACCC |
Source: C:\Users\user\Desktop\file.exe | NtProtectVirtualMemory: Direct from: 0x14005CC8A |
Source: C:\Users\user\Desktop\file.exe | NtClose: Indirect: 0x1401CB606 |
Source: C:\Users\user\Desktop\file.exe | NtProtectVirtualMemory: Direct from: 0x140069067 |
Source: C:\Users\user\Desktop\file.exe | NtProtectVirtualMemory: Direct from: 0x1400E385B |
Source: C:\Users\user\Desktop\file.exe | NtProtectVirtualMemory: Direct from: 0x1400DCB84 |
Source: C:\Users\user\Desktop\file.exe | NtOpenKey: Indirect: 0x1401CA475 |
Source: C:\Users\user\Desktop\file.exe | NtProtectVirtualMemory: Direct from: 0x1400E7F74 |
Source: C:\Users\user\Desktop\file.exe | NtUnmapViewOfSection: Indirect: 0x1401CB3DF |
Source: C:\Users\user\Desktop\file.exe | NtProtectVirtualMemory: Indirect: 0x1401CCBD7 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000000014001B3C0 cpuid | 0_2_000000014001B3C0 |
Source: file.exe, 00000000.00000002.2048165022.00000000007F8000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.2048179294.0000000000826000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wireshark.exe |