Source: C:\Program Files (x86)\4293750.dll
Avira: detection malicious, Label: BDS/Backdoor.Gen7
Source: 9JQ3JboYdz.exe
ReversingLabs: Detection: 94%
Source: Submitted Sample
Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\4293750.dll
Joe Sandbox ML: detected
Source: 9JQ3JboYdz.exe
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source:
Binary string: rundll32.pdb source: svchost.exe, 00000003.00000003.2140658085.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, SySe.exe, SySe.exe, 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, SySe.exe.3.dr
Source:
Binary string: rundll32.pdbGCTL source: svchost.exe, 00000003.00000003.2140658085.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, SySe.exe, 00000007.00000002.4610504848.0000000000B61000.00000020.00000001.01000000.00000007.sdmp, SySe.exe.3.dr
Source: Network traffic
Suricata IDS: 2814897 - Severity 1 - ETPRO MALWARE W32.YoungLotus Checkin : 192.168.2.6:49711 -> 124.221.255.145:8506
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1
Source: global traffic
TCP traffic: 192.168.2.6:49711 -> 124.221.255.145:8506
Source: Joe Sandbox View
ASN Name: JCN-AS-KRUlsanJung-AngBroadcastingNetworkKR
Source: unknown
UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_1000152B select,memset,recv,
3_2_1000152B
Source: global traffic
DNS traffic detected: DNS query: www.sf2110.com
Source: C:\Windows\SysWOW64\svchost.exe
Code function: strlen,memset,lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command
3_2_10002BC3
Source: 9JQ3JboYdz.exe, type: SAMPLE
Matched rule: Detects Running RAT from Gold Dragon report Author: Florian Roth
Source: 9JQ3JboYdz.exe, type: SAMPLE
Matched rule: Detects RunningRAT Author: ditekSHen
Source: 3.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Matched rule: Detects RunningRAT Author: ditekSHen
Source: 0.2.9JQ3JboYdz.exe.4032a0.1.unpack, type: UNPACKEDPE
Matched rule: Detects RunningRAT Author: ditekSHen
Source: 7.2.SySe.exe.10000000.1.unpack, type: UNPACKEDPE
Matched rule: Detects RunningRAT Author: ditekSHen
Source: 0.2.9JQ3JboYdz.exe.4032a0.1.raw.unpack, type: UNPACKEDPE
Matched rule: Detects RunningRAT Author: ditekSHen
Source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Detects Running RAT from Gold Dragon report Author: Florian Roth
Source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Detects RunningRAT Author: ditekSHen
Source: 0.2.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Detects RunningRAT Author: ditekSHen
Source: C:\Program Files (x86)\4293750.dll, type: DROPPED
Matched rule: Detects RunningRAT Author: ditekSHen
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B640B1 NtQuerySystemInformation,
7_2_00B640B1
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B65CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,
7_2_00B65CF1
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B64136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,DestroyWindow,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,
7_2_00B64136
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B65911 PathIsRelativeW,RtlSetSearchPathMode,SearchPathW,GetFileAttributesW,CreateActCtxW,CreateActCtxWWorker,CreateActCtxWWorker,CreateActCtxWWorker,GetModuleHandleW,CreateActCtxWWorker,ActivateActCtx,SetWindowLongW,GetWindowLongW,GetWindow,memset,GetClassNameW,CompareStringW,GetWindow,GetWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,
7_2_00B65911
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B65D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,
7_2_00B65D6A
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_10001F48 strlen,OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,
3_2_10001F48
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_10001FBD LoadLibraryA,GetProcAddress,memset,memset,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,WTSGetActiveConsoleSessionId,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,FreeLibrary,
3_2_10001FBD
Source: 9JQ3JboYdz.exe, 00000000.00000000.2138518349.000000000040B000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: OriginalFilename vs 9JQ3JboYdz.exe
Source: 9JQ3JboYdz.exe, 00000000.00000002.2165981379.00000000006BD000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameCmd.Exej% vs 9JQ3JboYdz.exe
Source: 9JQ3JboYdz.exe
Binary or memory string: OriginalFilename vs 9JQ3JboYdz.exe
Source: 9JQ3JboYdz.exe, type: SAMPLE
Matched rule: GoldDragon_RunningRAT date = 2018-02-03, hash3 = 7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51, hash2 = 2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863, hash1 = 0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88, author = Florian Roth, description = Detects Running RAT from Gold Dragon report, reference = https://goo.gl/rW1yvZ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9JQ3JboYdz.exe, type: SAMPLE
Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 3.2.svchost.exe.10000000.0.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 0.2.9JQ3JboYdz.exe.4032a0.1.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 7.2.SySe.exe.10000000.1.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 0.2.9JQ3JboYdz.exe.4032a0.1.raw.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: GoldDragon_RunningRAT date = 2018-02-03, hash3 = 7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51, hash2 = 2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863, hash1 = 0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88, author = Florian Roth, description = Detects Running RAT from Gold Dragon report, reference = https://goo.gl/rW1yvZ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: 0.2.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: C:\Program Files (x86)\4293750.dll, type: DROPPED
Matched rule: MALWARE_Win_RunningRAT author = ditekSHen, description = Detects RunningRAT, clamav_sig = MALWARE.Win.Trojan.RunningRAT
Source: classification engine
Classification label: mal100.bank.troj.evad.winEXE@10/2@1/2
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B63C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,
7_2_00B63C66
Source: C:\Windows\SysWOW64\svchost.exe
Code function: OpenSCManagerA,_local_unwind2,CreateServiceA,GetLastError,OpenServiceA,StartServiceA,ChangeServiceConfig2A,ChangeServiceConfig2A,wsprintfA,strlen,StartServiceA,
3_2_10001B5B
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Code function: 0_2_00401794 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,Process32First,Process32Next,lstrcmpiA,CloseHandle,FreeLibrary,
0_2_00401794
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_10001A43 OpenSCManagerA,OpenServiceA,StartServiceA,GetLastError,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle,
3_2_10001A43
Source: C:\Windows\SysWOW64\SySe.exe
Mutant created: \Sessions\1\BaseNamedObjects\www.sf2110.com:8506:SySe
Source: C:\Windows\System32\conhost.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Windows\SysWOW64\SySe.exe
Command line argument: WLDP.DLL
7_2_00B64136
Source: C:\Windows\SysWOW64\SySe.exe
Command line argument: localserver
7_2_00B64136
Source: 9JQ3JboYdz.exe
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: unknown
Process created: C:\Users\user\Desktop\9JQ3JboYdz.exe "C:\Users\user\Desktop\9JQ3JboYdz.exe"
Source: unknown
Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k "SySe"
Source: unknown
Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k "SySe"
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\9JQ3JboYdz.exe"
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\SysWOW64\svchost.exe
Process created: C:\Windows\SysWOW64\SySe.exe C:\Windows\system32\SySe.exe "c:\program files (x86)\4293750.dll",MainThread
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: mfc42.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: wininet.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: wldp.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: propsys.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: profapi.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: edputil.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: netutils.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: slc.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: userenv.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: sppc.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe
Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe
Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe
Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe
Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe
Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe
Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\PING.EXE
Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE
Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE
Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: devenum.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: msdmo.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: avicap32.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: msvfw32.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\SySe.exe
Section loaded: wldp.dll
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: SySe.exe.3.dr
Static PE information: 0x6A8F1B39 [Wed Aug 26 16:58:33 2026 UTC]
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Code function: 0_2_00401B6B LoadLibraryA,GetProcAddress,__p__pgmptr,sprintf,GetCurrentProcess,SetPriorityClass,GetCurrentThread,SetThreadPriority,ShellExecuteA,
0_2_00401B6B
Source: SySe.exe.3.dr
Static PE information: section name: .didat
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_10004C68 push eax; ret
3_2_10004C86
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_10004CA0 push eax; ret
3_2_10004CCE
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B66883 push ecx; ret
7_2_00B66896
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B6682D push ecx; ret
7_2_00B66840
Code function: 3_2_10001A43 OpenSCManagerA,OpenServiceA,StartServiceA,GetLastError,CloseServiceHandle,QueryServiceStatus,Sleep,CloseServiceHandle,CloseServiceHandle, |
3_2_10001A43 |
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Process created: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\user\Desktop\9JQ3JboYdz.exe"
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_1000265E OpenEventLogA,ClearEventLogA,CloseEventLog,
3_2_1000265E
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_10003E6B LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,
3_2_10003E6B
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SySe.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JQ3JboYdz.exe
Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\svchost.exe
Window / User API: threadDelayed 2720
Source: C:\Windows\SysWOW64\svchost.exe
Window / User API: threadDelayed 7277
Source: C:\Windows\SysWOW64\SySe.exe
Window / User API: threadDelayed 1386
Source: C:\Windows\SysWOW64\svchost.exe
Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\svchost.exe TID: 3924
Thread sleep count: 2720 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 3924
Thread sleep time: -2720000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 3924
Thread sleep count: 7277 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 3924
Thread sleep time: -7277000s >= -30000s
Source: C:\Windows\SysWOW64\SySe.exe TID: 5004
Thread sleep count: 1386 > 30
Source: C:\Windows\SysWOW64\SySe.exe TID: 5004
Thread sleep time: -693000s >= -30000s
Source: C:\Windows\SysWOW64\SySe.exe TID: 5004
Thread sleep count: 105 > 30
Source: C:\Windows\SysWOW64\SySe.exe TID: 5004
Thread sleep time: -52500s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe
Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe
Last function: Thread delayed
Source: C:\Windows\SysWOW64\SySe.exe
Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_1000358C GetSystemInfo,wsprintfA,
3_2_1000358C
Source: 9JQ3JboYdz.exe, 00000000.00000002.2165981379.00000000006BD000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\YVRO
Source: SySe.exe, 00000007.00000002.4610196471.0000000000787000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\SySe.exe
API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B625B2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,
7_2_00B625B2
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B63F6B mov esi, dword ptr fs:[00000030h]
7_2_00B63F6B
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_10003D5D FreeLibrary,free,VirtualFree,GetProcessHeap,HeapFree,
3_2_10003D5D
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B661C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
7_2_00B661C0
Source: C:\Windows\SysWOW64\SySe.exe
Code function: 7_2_00B66510 SetUnhandledExceptionFilter,
7_2_00B66510
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_1000304F wsprintfA,strlen,strlen,strlen,GetLocalTime,wsprintfA,strlen,
3_2_1000304F
Source: C:\Windows\SysWOW64\svchost.exe
Code function: 3_2_1000336E ServiceMain,strncpy,wcstombs,RegisterServiceCtrlHandlerA,FreeConsole,GetVersionExA,MainThread,GetCurrentDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetSystemDirectoryA,lstrcatA,CopyFileA,GetFileAttributesA,GetLastError,wsprintfA,GetModuleFileNameA,wsprintfA,Sleep,GetExitCodeProcess,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,
3_2_1000336E
Source: 9JQ3JboYdz.exe
Binary or memory string: 360tray.exe
Source: Yara match
File source: 9JQ3JboYdz.exe, type: SAMPLE
Source: Yara match
File source: 0.0.9JQ3JboYdz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match
File source: 00000000.00000000.2138500502.0000000000403000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match
File source: Process Memory Space: 9JQ3JboYdz.exe PID: 4364, type: MEMORYSTR