Windows Analysis Report
new order urgent.exe

Overview

General Information

Sample name: new order urgent.exe
Analysis ID: 1501081
MD5: 6b26d5f3b26b1801ba6c75c33935342e
SHA1: 5493875fb342da6ec62f4d8a6dc77ddb498dc38e
SHA256: c193c281262bca8bbb3e2f0e76aead32a130d98455a8767471c071a02c9be849
Tags: exe
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: new order urgent.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Ykrrqa.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Ykrrqa.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Roaming\Ykrrqa.exe Virustotal: Detection: 56% Perma Link
Multi AV Scanner detection for submitted file
Source: new order urgent.exe ReversingLabs: Detection: 55%
Source: new order urgent.exe Virustotal: Detection: 56% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Ykrrqa.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: new order urgent.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: new order urgent.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: new order urgent.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbc source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbO source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: new order urgent.exe, 00000000.00000002.1377079246.00000000062F0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1350409959.0000000003035000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb9wP source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: new order urgent.exe, 00000000.00000002.1377079246.00000000062F0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1350409959.0000000003035000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbR source: InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbN source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2589557624.0000000005AA3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbl source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbE source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbF source: InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbH source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbC source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbzRwz source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdbDuFtM source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb` source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 4x nop then jmp 05D8A4CEh 0_2_05D8A4B7
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 4x nop then jmp 05D89A10h 0_2_05D89990
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 4x nop then jmp 05D89A10h 0_2_05D89980
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 4x nop then jmp 05D8A4CEh 0_2_05D8A654
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000003035000.00000004.00000800.00020000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: new order urgent.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D64C48 NtResumeThread, 0_2_05D64C48
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D637A0 NtProtectVirtualMemory, 0_2_05D637A0
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D64C40 NtResumeThread, 0_2_05D64C40
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D63798 NtProtectVirtualMemory, 0_2_05D63798
Detected potential crypto function
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_0108E6D0 0_2_0108E6D0
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_0108A4B9 0_2_0108A4B9
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_0108A4C8 0_2_0108A4C8
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_01084BD0 0_2_01084BD0
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_01084BE0 0_2_01084BE0
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_0108AF49 0_2_0108AF49
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05C50048 0_2_05C50048
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05C50000 0_2_05C50000
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CDBC4C 0_2_05CDBC4C
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CD142C 0_2_05CD142C
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CD0040 0_2_05CD0040
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CDA750 0_2_05CDA750
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CDA760 0_2_05CDA760
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CDBEEA 0_2_05CDBEEA
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CD4111 0_2_05CD4111
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CD4120 0_2_05CD4120
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CD0037 0_2_05CD0037
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CD5380 0_2_05CD5380
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05CD5390 0_2_05CD5390
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D6DFC0 0_2_05D6DFC0
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D6BFA8 0_2_05D6BFA8
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D6C878 0_2_05D6C878
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D60A98 0_2_05D60A98
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D6BC60 0_2_05D6BC60
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D628D0 0_2_05D628D0
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D628C0 0_2_05D628C0
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D60040 0_2_05D60040
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D60007 0_2_05D60007
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D60A88 0_2_05D60A88
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D8E9C0 0_2_05D8E9C0
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D8B738 0_2_05D8B738
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D8BB3D 0_2_05D8BB3D
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D8E9B1 0_2_05D8E9B1
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D8F150 0_2_05D8F150
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D8F140 0_2_05D8F140
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D8C541 0_2_05D8C541
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D8C0B8 0_2_05D8C0B8
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D86478 0_2_05D86478
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D8BB13 0_2_05D8BB13
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DB0040 0_2_05DB0040
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DB0007 0_2_05DB0007
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DE8590 0_2_05DE8590
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DEC430 0_2_05DEC430
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DE90D0 0_2_05DE90D0
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DEC757 0_2_05DEC757
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DE90CB 0_2_05DE90CB
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DE0040 0_2_05DE0040
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DE0007 0_2_05DE0007
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_0613CEF8 0_2_0613CEF8
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_06120006 0_2_06120006
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_06120040 0_2_06120040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01407A90 2_2_01407A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01403530 2_2_01403530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01406109 2_2_01406109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014049F8 2_2_014049F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01404A08 2_2_01404A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01405462 2_2_01405462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01405476 2_2_01405476
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0140541C 2_2_0140541C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01405431 2_2_01405431
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014054C3 2_2_014054C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014054DC 2_2_014054DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014054F2 2_2_014054F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014054AB 2_2_014054AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_05805FC8 2_2_05805FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_05805FD8 2_2_05805FD8
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 1156
Sample file is different than original file name gathered from version info
Source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs new order urgent.exe
Source: new order urgent.exe, 00000000.00000002.1377079246.00000000062F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs new order urgent.exe
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002C41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDphmjph.exe" vs new order urgent.exe
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000003035000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs new order urgent.exe
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDphmjph.exe" vs new order urgent.exe
Source: new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs new order urgent.exe
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs new order urgent.exe
Source: new order urgent.exe, 00000000.00000002.1349327069.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs new order urgent.exe
Uses 32bit PE files
Source: new order urgent.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.evad.winEXE@4/2@0/0
Source: C:\Users\user\Desktop\new order urgent.exe File created: C:\Users\user\AppData\Roaming\Ykrrqa.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ec58317f-0bc2-4f00-9099-5540e41958d1 Jump to behavior
Source: new order urgent.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: new order urgent.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\new order urgent.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: new order urgent.exe ReversingLabs: Detection: 55%
Source: new order urgent.exe Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\new order urgent.exe File read: C:\Users\user\Desktop\new order urgent.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\new order urgent.exe "C:\Users\user\Desktop\new order urgent.exe"
Source: C:\Users\user\Desktop\new order urgent.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 1156
Source: C:\Users\user\Desktop\new order urgent.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: new order urgent.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: new order urgent.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: new order urgent.exe Static file information: File size 2571264 > 1048576
Source: new order urgent.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x273200
Source: new order urgent.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbc source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbO source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: new order urgent.exe, 00000000.00000002.1377079246.00000000062F0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1350409959.0000000003035000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb9wP source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: new order urgent.exe, 00000000.00000002.1377079246.00000000062F0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1350409959.0000000003035000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: new order urgent.exe, 00000000.00000002.1374226398.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1357427992.0000000003B55000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbR source: InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbN source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2589557624.0000000005AA3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbl source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbE source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbF source: InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbH source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbC source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbzRwz source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2583088388.00000000011E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdbDuFtM source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb` source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2582958814.0000000000D99000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2583088388.000000000122A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.new order urgent.exe.5ce0000.4.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.new order urgent.exe.5ce0000.4.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.new order urgent.exe.5ce0000.4.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.new order urgent.exe.5ce0000.4.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.new order urgent.exe.5ce0000.4.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.new order urgent.exe.5df0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1375625712.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: new order urgent.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7712, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05D852E0 pushfd ; iretd 0_2_05D852E1
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DB322F pushfd ; iretd 0_2_05DB3230
Source: C:\Users\user\Desktop\new order urgent.exe Code function: 0_2_05DE3DED push esp; ret 0_2_05DE3DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01403DC1 push edx; ret 2_2_01403DCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01402469 push edi; iretd 2_2_0140246F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_01406760 pushfd ; ret 2_2_01406761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_014047A4 push ecx; ret 2_2_014047A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_05801E4D push edx; iretd 2_2_05801E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_0580314C push ds; iretd 2_2_05803152
Drops PE files
Source: C:\Users\user\Desktop\new order urgent.exe File created: C:\Users\user\AppData\Roaming\Ykrrqa.exe Jump to dropped file
Source: C:\Users\user\Desktop\new order urgent.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ykrrqa Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ykrrqa Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: new order urgent.exe PID: 7320, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp, new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0\
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORERESBIEDLL.DLLFCUCKOOMON.DLLGWIN32_PROCESS.HANDLE='{0}'HPARENTPROCESSIDICMDJSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREKVERSIONLSERIALNUMBERNVMWARE|VIRTUAL|A M I|XENOSELECT * FROM WIN32_COMPUTERSYSTEMPMANUFACTURERQMODELRMICROSOFT|VMWARE|VIRTUALSJOHNTANNAUXXXXXXXX
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLP
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\new order urgent.exe Memory allocated: 1080000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Memory allocated: 2B30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Memory allocated: 4B30000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1400000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3010000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2D80000 memory reserve | memory write watch Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\new order urgent.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\new order urgent.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q 1:en-CH:VMware|VIRTUAL|A M I|Xen T
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q 1:en-CH:Microsoft|VMWare|Virtual T
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwaredV
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q 1:en-CH:Microsoft|VMWare|Virtual
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware<R
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWare<R
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q0VMware|VIRTUAL|A M<
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q0Microsoft|VMWare|V<
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002B31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorerESbieDll.dllFcuckoomon.dllGwin32_process.handle='{0}'HParentProcessIdIcmdJselect * from Win32_BIOS8Unexpected WMI query failureKversionLSerialNumberNVMware|VIRTUAL|A M I|XenOselect * from Win32_ComputerSystemPmanufacturerQmodelRMicrosoft|VMWare|VirtualSjohnTannaUxxxxxxxx
Source: new order urgent.exe, 00000000.00000002.1350409959.0000000002F06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen0\
Source: C:\Users\user\Desktop\new order urgent.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\new order urgent.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\new order urgent.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\new order urgent.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 4F8000 Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 4FA000 Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: F4C008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\new order urgent.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\new order urgent.exe Queries volume information: C:\Users\user\Desktop\new order urgent.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\new order urgent.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1501081 Sample: new order urgent.exe Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 19 Antivirus detection for dropped file 2->19 21 Antivirus / Scanner detection for submitted sample 2->21 23 Multi AV Scanner detection for dropped file 2->23 25 8 other signatures 2->25 7 new order urgent.exe 1 4 2->7         started        process3 file4 15 C:\Users\user\AppData\Roaming\Ykrrqa.exe, PE32 7->15 dropped 17 C:\Users\user\...\Ykrrqa.exe:Zone.Identifier, ASCII 7->17 dropped 27 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->27 29 Writes to foreign memory regions 7->29 31 Injects a PE file into a foreign processes 7->31 11 InstallUtil.exe 2 7->11         started        signatures5 process6 process7 13 WerFault.exe 4 11->13         started       
No contacted IP infos