Windows Analysis Report
bfINGx7hvL.exe

Overview

General Information

Sample name: bfINGx7hvL.exe
renamed because original name is a hash value
Original sample name: 80c2a36e9a14e3edba0b706d2433d9b8.exe
Analysis ID: 1520450
MD5: 80c2a36e9a14e3edba0b706d2433d9b8
SHA1: 03ac191b235b3a867539720070a5e6ca1108b4f2
SHA256: 154dae39845abef889af814bd6ad84283374c90ecece891addc362384afdd882
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: bfINGx7hvL.exe.5852.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["priooozekw.shop", "surroundeocw.shop", "deallyharvenw.shop", "candleduseiwo.shop", "abortinoiwiam.shop", "racedsuitreow.shop", "covvercilverow.shop", "defenddsouneuw.shop", "pumpkinkwquo.shop"], "Build id": "yJEcaG--rui1222"}
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: covvercilverow.shop
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: surroundeocw.shop
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: abortinoiwiam.shop
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: pumpkinkwquo.shop
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: priooozekw.shop
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: deallyharvenw.shop
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: defenddsouneuw.shop
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: racedsuitreow.shop
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: candleduseiwo.shop
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp String decryptor: yJEcaG--rui1222
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0052D130 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 0_2_0052D130
Source: bfINGx7hvL.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdb source: bfINGx7hvL.exe
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdbN source: bfINGx7hvL.exe
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00477BE0 FindFirstFileW, 0_2_00477BE0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00495D80 FindFirstFileW,FindClose, 0_2_00495D80
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bfINGx7hvL.exe_b2c5d0224beae675fda7c01c57cba19d402078_0da6e983_9c4e44b6-c5e5-47b8-8186-b9802dcb5e27\ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bfINGx7hvL.exe_d6c1667ab283d126154324f80fd21f5eda59e7d_0da6e983_01f5966f-efa9-4ec3-a2c8-5407a75e0685\ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue Jump to behavior
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_00F86013
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_00F8600C
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 0_2_00F811B2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 0_2_00F9D0CE
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 0_2_00F92132
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 0_2_00F9D134
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00FB12FC
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h 0_2_00FB12FC
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_00FB82BB
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00FBC2B2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00FA429B
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_00FAC282
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 0_2_00FB5272
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00FA4215
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 0_2_00FB63F2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00FBB3B2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_00F8539E
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_00F98312
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 0_2_00F874E1
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 0_2_00F7F4B2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, 0000000Bh 0_2_00FA54B5
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then movzx ebp, word ptr [edi] 0_2_00FB0432
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 0_2_00F92403
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esi+00000744h] 0_2_00FA45CB
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_00FA45CB
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00FA45CB
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-54h] 0_2_00F925AE
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00F98582
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00F9F577
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_00F8F6C4
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_00F766B2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00F9A692
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 0_2_00F9D652
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 0_2_00F9D652
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00FBB612
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_00FA076F
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00F77712
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov edi, ecx 0_2_00F858A8
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00FB9832
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh 0_2_00FB9832
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then push ebx 0_2_00F8F835
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_00F859AB
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp+28h] 0_2_00F859AB
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_00F8C952
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_00F82911
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp byte ptr [edi], 00000000h 0_2_00F87AF3
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then jmp eax 0_2_00F87BF4
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 0_2_00FBBBE2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h 0_2_00F90B95
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_00F90B95
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov edi, eax 0_2_00F78B72
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then jmp ecx 0_2_00FB0B62
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_00FA4B4C
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_00FB2B02
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 0_2_00F84DDD
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_00FA1DB2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_00F99DA7
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-34h] 0_2_00F95D92
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 0_2_00FBBD62
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00FB8D52
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00FB0EF0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, ebp 0_2_00F7BEE2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00FA3ED2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 0_2_00FBBED2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov edi, dword ptr [ebp-3Ch] 0_2_00F9FEC1
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_00FA4E2D
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00FB4E22
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_00FA4E18
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_00FA0E11
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00FBBFE2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00FA3EB7
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00FA3F33
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 0_2_0426F7B0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 0_2_042AA1E0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_0429342B
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_042A3420
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0428F40F
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_04293419
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, ebp 0_2_0426A4E0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_0429F4EE
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 4x nop then mov edi, dword ptr [ebp-3Ch] 0_2_0428E4C2

Networking

Source: Network traffic Suricata IDS: 2056078 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (racedsuitreow .shop) : 192.168.2.5:58062 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056076 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (defenddsouneuw .shop) : 192.168.2.5:57176 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056077 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (defenddsouneuw .shop in TLS SNI) : 192.168.2.5:49717 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056077 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (defenddsouneuw .shop in TLS SNI) : 192.168.2.5:49716 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49716 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49716 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49717 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49717 -> 188.114.97.3:443
Source: Malware configuration extractor URLs: priooozekw.shop
Source: Malware configuration extractor URLs: surroundeocw.shop
Source: Malware configuration extractor URLs: deallyharvenw.shop
Source: Malware configuration extractor URLs: candleduseiwo.shop
Source: Malware configuration extractor URLs: abortinoiwiam.shop
Source: Malware configuration extractor URLs: racedsuitreow.shop
Source: Malware configuration extractor URLs: covvercilverow.shop
Source: Malware configuration extractor URLs: defenddsouneuw.shop
Source: Malware configuration extractor URLs: pumpkinkwquo.shop
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: defenddsouneuw.shop
Source: global traffic HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=inhlfBS3QXaL1Ty2MUmL0TtBj90y1fo7k8xWfPJyJFo-1727428706-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 49
Host: defenddsouneuw.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: candleduseiwo.shop
Source: global traffic DNS traffic detected: DNS query: racedsuitreow.shop
Source: global traffic DNS traffic detected: DNS query: defenddsouneuw.shop
Source: unknown HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: defenddsouneuw.shop
Source: bfINGx7hvL.exe String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: bfINGx7hvL.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: bfINGx7hvL.exe String found in binary or memory: http://ocsp.thawte.com0
Source: bfINGx7hvL.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: bfINGx7hvL.exe String found in binary or memory: http://s.symcd.com06
Source: bfINGx7hvL.exe String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: bfINGx7hvL.exe String found in binary or memory: http://t2.symcb.com0
Source: bfINGx7hvL.exe String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: bfINGx7hvL.exe String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: bfINGx7hvL.exe String found in binary or memory: http://tl.symcd.com0&
Source: bfINGx7hvL.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: bfINGx7hvL.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: bfINGx7hvL.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: bfINGx7hvL.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: bfINGx7hvL.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: bfINGx7hvL.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: bfINGx7hvL.exe String found in binary or memory: http://www.privacy-drive.comx
Source: bfINGx7hvL.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: bfINGx7hvL.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: bfINGx7hvL.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: bfINGx7hvL.exe, 00000000.00000002.2430889211.0000000001591000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://defenddsouneuw.sho
Source: bfINGx7hvL.exe, 00000000.00000003.2162737451.0000000001559000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000002.2430889211.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://defenddsouneuw.shop/
Source: bfINGx7hvL.exe, 00000000.00000002.2430889211.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://defenddsouneuw.shop/D
Source: bfINGx7hvL.exe, 00000000.00000002.2430889211.0000000001591000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://defenddsouneuw.shop/Y
Source: bfINGx7hvL.exe, 00000000.00000003.2162942825.000000000157A000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000003.2163472442.0000000001591000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000002.2430889211.00000000015A4000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000002.2430889211.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000003.2163547485.0000000001593000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://defenddsouneuw.shop/api
Source: bfINGx7hvL.exe, 00000000.00000002.2430889211.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://defenddsouneuw.shop/pi/
Source: bfINGx7hvL.exe, 00000000.00000002.2430889211.00000000014F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://defenddsouneuw.shop:443/apid
Source: bfINGx7hvL.exe, 00000000.00000003.2162187941.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000003.2162187941.00000000015A5000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000003.2162474004.0000000001571000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000003.2163321984.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000002.2430889211.00000000015A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: bfINGx7hvL.exe, 00000000.00000003.2162187941.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000003.2162187941.00000000015A5000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000003.2163321984.00000000014EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: bfINGx7hvL.exe String found in binary or memory: https://www.cybertronsoft.com
Source: bfINGx7hvL.exe String found in binary or memory: https://www.thawte.com/cps0
Source: bfINGx7hvL.exe String found in binary or memory: https://www.thawte.com/cps0/
Source: bfINGx7hvL.exe String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00424260 OpenClipboard,GetClipboardData,CloseClipboard, 0_2_00424260
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00422070 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00422070

System Summary

Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FCC583 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00FCC583
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0045D070: RegCloseKey,DeviceIoControl,swprintf,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, 0_2_0045D070
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0041D0B0 PathFileExistsW,OpenSCManagerW,GetLastError,OpenServiceW,CloseServiceHandle,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle, 0_2_0041D0B0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0050E640 0_2_0050E640
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0043D090 0_2_0043D090
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0050F158 0_2_0050F158
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0050715B 0_2_0050715B
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004E9350 0_2_004E9350
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004133B0 0_2_004133B0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0049B470 0_2_0049B470
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0050E674 0_2_0050E674
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0044B630 0_2_0044B630
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0051B680 0_2_0051B680
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0045F770 0_2_0045F770
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004237D0 0_2_004237D0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004C3850 0_2_004C3850
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004C28B0 0_2_004C28B0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0050F955 0_2_0050F955
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0050F974 0_2_0050F974
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0044AB40 0_2_0044AB40
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004AEBE0 0_2_004AEBE0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0040FD70 0_2_0040FD70
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00514E40 0_2_00514E40
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00441E60 0_2_00441E60
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FCC583 0_2_00FCC583
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7055F 0_2_00F7055F
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FA80E2 0_2_00FA80E2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F831C2 0_2_00F831C2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FBC2B2 0_2_00FBC2B2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F75292 0_2_00F75292
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7A252 0_2_00F7A252
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FA8372 0_2_00FA8372
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7C402 0_2_00F7C402
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FCD5C4 0_2_00FCD5C4
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F9D652 0_2_00F9D652
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FA9792 0_2_00FA9792
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F798B2 0_2_00F798B2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7E802 0_2_00F7E802
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F9B99B 0_2_00F9B99B
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7CAE2 0_2_00F7CAE2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7DA82 0_2_00F7DA82
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FA9A42 0_2_00FA9A42
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F73A08 0_2_00F73A08
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F90B95 0_2_00F90B95
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F72CB5 0_2_00F72CB5
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FAFCA2 0_2_00FAFCA2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FB9DB2 0_2_00FB9DB2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F72D5B 0_2_00F72D5B
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F76EFD 0_2_00F76EFD
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7BEE2 0_2_00F7BEE2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F76EB2 0_2_00F76EB2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F78EB2 0_2_00F78EB2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F72E8E 0_2_00F72E8E
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F72E1A 0_2_00F72E1A
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F72FB3 0_2_00F72FB3
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7CF72 0_2_00F7CF72
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_04261418 0_2_04261418
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_042654B0 0_2_042654B0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_042674B0 0_2_042674B0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0426148C 0_2_0426148C
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0426A4E0 0_2_0426A4E0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_042654FB 0_2_042654FB
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 00424910 appears 45 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 00418CF0 appears 92 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 004FFB7D appears 31 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 00F80862 appears 145 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 00439540 appears 36 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 00F7E5E2 appears 90 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 0041F120 appears 65 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 00406E50 appears 178 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 004C24A0 appears 135 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 0045EC80 appears 107 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 0052CF10 appears 37 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 00407150 appears 69 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 0045EEC0 appears 42 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 004FFB4F appears 47 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: String function: 00418AC0 appears 74 times
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 624
Source: bfINGx7hvL.exe Static PE information: invalid certificate
Source: bfINGx7hvL.exe Binary or memory string: OriginalFilenamePrivacyDrive.exe< vs bfINGx7hvL.exe
Source: bfINGx7hvL.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 00000000.00000002.2430586106.0000000000F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal88.troj.evad.winEXE@4/13@3/1
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004030E0 PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,GetLastError,FormatMessageW,LocalFree, 0_2_004030E0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004D3270 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError, 0_2_004D3270
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0043E991 GetVolumeInformationW,GetDiskFreeSpaceExW, 0_2_0043E991
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: OpenSCManagerW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,GetLastError, 0_2_0041D320
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: CreateServiceW,ChangeServiceConfig2W,SetLastError, 0_2_0041CE80
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F70C6F CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle, 0_2_00F70C6F
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0429F006 CoCreateInstance, 0_2_0429F006
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004D3220 FindResourceW,SizeofResource,LoadResource,LockResource, 0_2_004D3220
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0041D320 OpenSCManagerW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,CloseServiceHandle,OpenSCManagerW,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,OpenSCManagerW,CreateServiceW,ChangeServiceConfig2W,CloseServiceHandle,CloseServiceHandle,GetLastError, 0_2_0041D320
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5852
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4ea943c0-003d-4a8e-93ad-b14c17a7f91a
Source: bfINGx7hvL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\bfINGx7hvL.exe File read: C:\Users\user\Desktop\bfINGx7hvL.exe
Source: unknown Process created: C:\Users\user\Desktop\bfINGx7hvL.exe "C:\Users\user\Desktop\bfINGx7hvL.exe"
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 624
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 1760
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 200
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Section loaded: ondemandconnroutehelper.dll
Source: bfINGx7hvL.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: bfINGx7hvL.exe Static file information: File size 2881672 > 1048576
Source: bfINGx7hvL.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x150400
Source: bfINGx7hvL.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x103800
Source: bfINGx7hvL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdb source: bfINGx7hvL.exe
Source: Binary string: F:\PD3\bin\Release\PrivacyDrive.pdbN source: bfINGx7hvL.exe
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0050E640 LoadLibraryW,GetProcAddress,VirtualAlloc, 0_2_0050E640
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0041E2B0 push ecx; mov dword ptr [esp], 42C00000h 0_2_0041E4B6
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0041E2B0 push ecx; mov dword ptr [esp], 42C00000h 0_2_0041E4F0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004CB540 push ecx; mov dword ptr [esp], 3F800000h 0_2_004CB572
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0041E570 push ecx; mov dword ptr [esp], 3F800000h 0_2_0041E6F3
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00448697 pushfd ; iretd 0_2_004486A2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0041E7B0 push ecx; mov dword ptr [esp], 3F800000h 0_2_0041E99C
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00426880 push ecx; mov dword ptr [esp], 3F800000h 0_2_004268B2
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004CB9E0 push ecx; mov dword ptr [esp], 3F800000h 0_2_004CBA12
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0041EA60 push ecx; mov dword ptr [esp], 3F800000h 0_2_0041EC2B
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00419A00 push ecx; mov dword ptr [esp], 3F800000h 0_2_00419A34
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004ECB30 push ecx; mov dword ptr [esp], 00000000h 0_2_004ECB42
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00486BD0 push ecx; mov dword ptr [esp], 3F800000h 0_2_00486C06
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00486BD0 push ecx; mov dword ptr [esp], 3F800000h 0_2_00486C2D
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00502C4E push ecx; ret 0_2_00502C61
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00506C25 push ecx; ret 0_2_00506C38
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0041BFA0 push ecx; mov dword ptr [esp], 3F800000h 0_2_0041BFEB
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00FB2307 push ecx; retf 0_2_00FB2308

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: RegCloseKey,DeviceIoControl,swprintf,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_0045D070
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: RegCloseKey,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_0045CD20

Boot Survival

Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: RegCloseKey,DeviceIoControl,swprintf,CreateFileW,DeviceIoControl,_memset,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_0045D070
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: RegCloseKey,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d 0_2_0045CD20
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0041CDA0 QueryServiceStatus,CloseServiceHandle,Sleep,QueryServiceStatus,StartServiceW,GetLastError,Sleep, 0_2_0041CDA0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004CDA40 SendMessageW,GetWindowRect,IsIconic,GetWindowRect,PostMessageW,IsZoomed, 0_2_004CDA40
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00489C60 IsWindowVisible,IsIconic,PostMessageW,IsIconic, 0_2_00489C60
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00489D10 IsWindowVisible,IsIconic,SendMessageW,IsIconic,SendMessageW,ShowWindow,IsWindow,IsWindow,IsWindow,IsWindow,PostMessageW, 0_2_00489D10
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00417E90 IsWindow,GetWindowRect,IsWindow,IsWindowVisible,IsIconic,GetWindowRect,SetWindowPos, 0_2_00417E90
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\bfINGx7hvL.exe API coverage: 1.4 %
Source: C:\Users\user\Desktop\bfINGx7hvL.exe TID: 6776 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\bfINGx7hvL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00477BE0 FindFirstFileW, 0_2_00477BE0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00495D80 FindFirstFileW,FindClose, 0_2_00495D80
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bfINGx7hvL.exe_b2c5d0224beae675fda7c01c57cba19d402078_0da6e983_9c4e44b6-c5e5-47b8-8186-b9802dcb5e27\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bfINGx7hvL.exe_d6c1667ab283d126154324f80fd21f5eda59e7d_0da6e983_01f5966f-efa9-4ec3-a2c8-5407a75e0685\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: bfINGx7hvL.exe, 00000000.00000003.2162737451.0000000001559000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000002.2430889211.0000000001559000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: bfINGx7hvL.exe, 00000000.00000003.2162187941.00000000015A5000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000002.2430889211.00000000015A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW!~
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: bfINGx7hvL.exe, 00000000.00000003.2162187941.00000000015A5000.00000004.00000020.00020000.00000000.sdmp, bfINGx7hvL.exe, 00000000.00000002.2430889211.00000000015A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\bfINGx7hvL.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_042A6730 LdrInitializeThunk, 0_2_042A6730
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0050E173 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0050E173
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0050E640 LoadLibraryW,GetProcAddress,VirtualAlloc, 0_2_0050E640
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7055F mov edx, dword ptr fs:[00000030h] 0_2_00F7055F
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F70B1F mov eax, dword ptr fs:[00000030h] 0_2_00F70B1F
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7116F mov eax, dword ptr fs:[00000030h] 0_2_00F7116F
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F7116E mov eax, dword ptr fs:[00000030h] 0_2_00F7116E
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00F70ECF mov eax, dword ptr fs:[00000030h] 0_2_00F70ECF
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_005068B4 GetModuleFileNameW,___crtMessageBoxW,GetStdHandle,_strlen,WriteFile,__invoke_watson,GetProcessHeap, 0_2_005068B4
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0050709C SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0050709C

HIPS / PFW / Operating System Protection Evasion

Source: bfINGx7hvL.exe String found in binary or memory: surroundeocw.shop
Source: bfINGx7hvL.exe String found in binary or memory: covvercilverow.shop
Source: bfINGx7hvL.exe String found in binary or memory: pumpkinkwquo.shop
Source: bfINGx7hvL.exe String found in binary or memory: abortinoiwiam.shop
Source: bfINGx7hvL.exe String found in binary or memory: deallyharvenw.shop
Source: bfINGx7hvL.exe String found in binary or memory: priooozekw.shop
Source: bfINGx7hvL.exe String found in binary or memory: racedsuitreow.shop
Source: bfINGx7hvL.exe String found in binary or memory: defenddsouneuw.shop
Source: bfINGx7hvL.exe String found in binary or memory: candleduseiwo.shop
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00477990 SetWindowPos,GetWindowRect,GetCursorPos,ShowCursor,ShowCursor,SetCursorPos,mouse_event,mouse_event,mouse_event,SetCursorPos,ShowCursor,SetWindowPos,SetForegroundWindow,SetFocus, 0_2_00477990
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW, 0_2_00485BE0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetDateFormatW,GetTimeFormatW, 0_2_00485D60
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00414200 GetLocalTime, 0_2_00414200
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_00476750 LookupAccountNameW,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority, 0_2_00476750
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_004A83C0 _memset,_memset,GetVersionExW, 0_2_004A83C0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0040D05C RpcBindingFree,LeaveCriticalSection, 0_2_0040D05C
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0040D0B0 WaitForSingleObject,WaitForSingleObject,EnterCriticalSection,RpcBindingFree,LeaveCriticalSection,SetEvent,CloseHandle, 0_2_0040D0B0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0040CDF0 EnterCriticalSection,RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,RpcEpResolveBinding,RpcStringFreeW,RpcBindingFree,RpcStringFreeW,LeaveCriticalSection, 0_2_0040CDF0
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0040CEEC RpcBindingFree,RpcStringFreeW,LeaveCriticalSection, 0_2_0040CEEC
Source: C:\Users\user\Desktop\bfINGx7hvL.exe Code function: 0_2_0040CF40 EnterCriticalSection,RpcBindingFree,LeaveCriticalSection,SetEvent, 0_2_0040CF40