Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520644
MD5: 0013399a6a9ab2e3fb25451ed658daa1
SHA1: 77731500657e6658c6d1b4d09de3fae4f756efef
SHA256: 0646980e8e68974948861e60bd4497d17464da101ec697241ba8ea96d86d22c6
Tags: exe, x64, user-jstrosch

Detection

CredGrabber, Meduza Stealer
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3D1CF0 CryptUnprotectData,LocalFree, 0_2_00007FF67A3D1CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A397C80 CryptUnprotectData,LocalFree,_invalid_parameter_noinfo_noreturn, 0_2_00007FF67A397C80
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A41C088 FindClose,FindFirstFileExW,GetLastError, 0_2_00007FF67A41C088
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A41C138 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_00007FF67A41C138
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3EAB00 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF67A3EAB00
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.4:49730 -> 176.124.204.206:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.4:49730 -> 176.124.204.206:15666
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.4:49730 -> 176.124.204.206:15666
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 176.124.204.206:15666
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Accept: text/html; text/plain; */* | Host: api.ipify.org | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View ASN Name: GULFSTREAMUA GULFSTREAMUA
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: unknown TCP traffic detected without corresponding DNS query: 176.124.204.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3E8A50 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task, 0_2_00007FF67A3E8A50
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: file.exe, 00000000.00000003.1959673962.000002653F684000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1807857552.000002653F671000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1959468011.000002653F680000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1959429528.000002653F680000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsoft.t/Regi
Source: file.exe, 00000000.00000002.1960242626.000002653CD8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: file.exe, 00000000.00000002.1960242626.000002653CD8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: file.exe, 00000000.00000002.1960242626.000002653CD8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/i
Source: file.exe, 00000000.00000002.1960242626.000002653CD8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org3S4
Source: file.exe, 00000000.00000002.1960242626.000002653CD8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgCSD
Source: file.exe, 00000000.00000003.1822746717.000002653FA17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000003.1822746717.000002653FA17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: file.exe, 00000000.00000003.1811211841.000002653F9B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1822746717.000002653FA17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000003.1822746717.000002653FA17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1822746717.000002653FA17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.1819856920.0000026540151000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1816063856.000002653FA5B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817503166.000002653ECC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817503166.000002653ECC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1816063856.000002653FAC6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817293847.000002653FACE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1816063856.000002653FA53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: file.exe, 00000000.00000003.1816063856.000002653FA63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1816063856.000002653FA63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1812096057.000002653F95B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812116653.000002653FA03000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1811041441.000002653FA03000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1811602481.000002653FA03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000003.1811041441.000002653F9DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1811211841.000002653F978000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1811407388.000002653CE0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1812096057.000002653F95B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1812116653.000002653FA03000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1811041441.000002653FA03000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1811602481.000002653FA03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000003.1811041441.000002653F9DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1811211841.000002653F978000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1811407388.000002653CE0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000003.1822746717.000002653FA17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: file.exe, 00000000.00000003.1822746717.000002653FA17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: file.exe, 00000000.00000003.1819856920.0000026540151000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1816063856.000002653FA5B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817503166.000002653ECC8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817503166.000002653ECC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1816063856.000002653FAC6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817293847.000002653FACE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1816063856.000002653FA53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000003.1816063856.000002653FA63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000003.1816063856.000002653FA63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.1816063856.000002653FAD6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817815572.000002653FB98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817503166.000002653ECCF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1816063856.000002653FA63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1816063856.000002653FA63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1816063856.000002653FAD6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817815572.000002653FB98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1817503166.000002653ECCF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1816063856.000002653FA63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3E9310 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,GetObjectW,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,DeleteObject,EnterCriticalSection,EnterCriticalSection,GdiplusShutdown,LeaveCriticalSection,LeaveCriticalSection,_invalid_parameter_noinfo_noreturn, 0_2_00007FF67A3E9310
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3EDD50 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_00007FF67A3EDD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3ED610 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF67A3ED610
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00007FF67A396990 appears 41 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00007FF67A38D510 appears 63 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00007FF67A391D20 appears 56 times
Source: classification engine Classification label: mal88.troj.spyw.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A39E5A0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF67A39E5A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3CF820 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF67A3CF820
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69639C5D69E2
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: --help
Source: file.exe String found in binary or memory: ipportgrabber_max_sizeextensionslinksbuild_nameself_destructtype must be boolean, but is type must be number, but is 0123456789ABCDEFntdll.dllFile DownloaderabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'runasopen bad variant accessfalsetrueBad any_cast[VAR... , [default: [required][nargs: or more] ..[nargs= to or more provided. argument(s) expected. : required.: no value provided.-=--help-hshows help message and exits--version-vprints version information and exitsNo such argument:
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 1117696 > 1048576
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A39D510 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF67A39D510
Source: file.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3CCBB4 push rsp; retf 0_2_00007FF67A3CCBB5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3CCBB0 push rsp; retf 0_2_00007FF67A3CCBB1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3CCBAC push rsp; retf 0_2_00007FF67A3CCBAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3CCBC4 push rsp; retf 0_2_00007FF67A3CCBC5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3CCBC0 push rsp; retf 0_2_00007FF67A3CCBC1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3CCBBC push rsp; retf 0_2_00007FF67A3CCBBD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3CCBB8 push rsp; retf 0_2_00007FF67A3CCBB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3CCB00 push rsp; retf 0_2_00007FF67A3CCBA1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3D77F0 _invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,ExitProcess,ExitProcess,OpenMutexA,ExitProcess,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF67A3D77F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A41C088 FindClose,FindFirstFileExW,GetLastError, 0_2_00007FF67A41C088
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A41C138 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_00007FF67A41C138
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3EAB00 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF67A3EAB00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A400220 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_00007FF67A400220
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\file.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: file.exe, 00000000.00000002.1960242626.000002653CD8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: file.exe, 00000000.00000003.1808862334.000002653CDF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1960242626.000002653CDDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.1808862334.000002653CDF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1960242626.000002653CDDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW&
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3EDD50 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_00007FF67A3EDD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3F8A38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF67A3F8A38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A41E2B0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF67A41E2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A415870 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF67A415870
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00007FF67A40FBB4
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00007FF67A404B68
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00007FF67A41BC84
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00007FF67A40FAE4
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF67A40FFF0
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00007FF67A4050AC
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF67A4101CC
Source: C:\Users\user\Desktop\file.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF67A40F798
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A416328 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF67A416328
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A3E9A60 GetUserNameW, 0_2_00007FF67A3E9A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF67A409D08 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF67A409D08

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: file.exe PID: 6776, type: MEMORYSTR
Source: file.exe, 00000000.00000002.1960242626.000002653CD8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum\wallets
Source: file.exe, 00000000.00000002.1960242626.000002653CD8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\wallets
Source: file.exe, 00000000.00000003.1825279613.000002653CE43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.walleta\
Source: file.exe, 00000000.00000002.1960242626.000002653CD8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: Process Memory Space: file.exe PID: 6776, type: MEMORYSTR