Source: file.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Yara match |
File source: file.exe, type: SAMPLE |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 6884, type: MEMORYSTR |
Source: file.exe, type: SAMPLE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: file.exe, type: SAMPLE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 1.2.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 1.2.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 1.2.file.exe.3520c0.1.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 1.2.file.exe.3520c0.1.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 1.0.file.exe.3520c0.1.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 1.0.file.exe.3520c0.1.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 1.0.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 1.0.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 1.2.file.exe.340000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 1.2.file.exe.340000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: 1.0.file.exe.340000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab Payload Author: kevoreilly |
Source: 1.0.file.exe.340000.0.unpack, type: UNPACKEDPE |
Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00349831 |
1_2_00349831 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00348052 |
1_2_00348052 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00347AE0 |
1_2_00347AE0 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_0034693C |
1_2_0034693C |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_0034A79D |
1_2_0034A79D |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00341D9B |
1_2_00341D9B |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_003485C4 |
1_2_003485C4 |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 280 |
Source: file.exe, type: SAMPLE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: file.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 1.2.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 1.2.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 1.2.file.exe.3520c0.1.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 1.2.file.exe.3520c0.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 1.0.file.exe.3520c0.1.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 1.0.file.exe.3520c0.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 1.0.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 1.0.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 1.2.file.exe.340000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 1.2.file.exe.340000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: 1.0.file.exe.340000.0.unpack, type: UNPACKEDPE |
Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload |
Source: 1.0.file.exe.340000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts |
Source: classification engine |
Classification label: mal88.rans.evad.winEXE@2/5@0/0 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6884 |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6884 -s 280 |
Source: file.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Yara match |
File source: file.exe, type: SAMPLE |
Source: Yara match |
File source: 1.2.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.file.exe.3520c0.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.file.exe.3520c0.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.file.exe.3520c0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.file.exe.340000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.0.file.exe.340000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.2310972685.0000000000352000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000001.00000000.2280026514.0000000000351000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 6884, type: MEMORYSTR |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00341D9B EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
1_2_00341D9B |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.4.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.4.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.4.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.4.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20 |
Source: Amcache.hve.4.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.4.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.4.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.4.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.4.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.4.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.4.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.4.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.4.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.4.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.4.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.4.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.4.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.4.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.4.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Users\user\Desktop\file.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_00344D5A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
1_2_00344D5A |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_003432F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
1_2_003432F8 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_003432C7 SetUnhandledExceptionFilter, |
1_2_003432C7 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 1_2_003427C0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
1_2_003427C0 |
Source: Amcache.hve.4.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.4.dr |
Binary or memory string: msmpeng.exe |
Source: Amcache.hve.4.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.4.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe |
Source: Amcache.hve.4.dr |
Binary or memory string: MsMpEng.exe |