Windows Analysis Report
OPyF68i97j.exe

Overview

General Information

Sample name: OPyF68i97j.exe
renamed because original name is a hash value
Original sample name: 84f6d402fc4b76b949a893344b73ae1b4abb21dc9989745728cd18c92991e0ae.exe
Analysis ID: 1524406
MD5: 048fe750e586bce2fe5c5f0c77dd208f
SHA1: cc82bb9ec77116cdea64b52aed1417ff2389b925
SHA256: 84f6d402fc4b76b949a893344b73ae1b4abb21dc9989745728cd18c92991e0ae
Tags: exewww-uvfr4ep-comuser-JAMESWT_MHT
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Uses schtasks.exe or at.exe to add and modify task schedules
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: OPyF68i97j.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\Logs\logs\rw32core.dll Avira: detection malicious, Label: TR/Agent.zottn
Multi AV Scanner detection for dropped file
Source: C:\Windows\Logs\logs\Secur32.dll ReversingLabs: Detection: 78%
Source: C:\Windows\Logs\logs\rw32core.dll ReversingLabs: Detection: 87%
Multi AV Scanner detection for submitted file
Source: OPyF68i97j.exe ReversingLabs: Detection: 60%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Windows\Logs\logs\Secur32.dll Joe Sandbox ML: detected
Source: C:\Windows\Logs\logs\rw32core.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: OPyF68i97j.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: OPyF68i97j.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: OPyF68i97j.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: consent.pdb source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp, consent.exe.4.dr
Source: Binary string: consent.pdbW3 source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp, consent.exe.4.dr
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00492AF0 FindFirstFileW,FindClose, 0_2_00492AF0
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_004929F0 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,FindClose, 0_2_004929F0
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_00492AF0 FindFirstFileW,FindClose, 4_2_00492AF0
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_004929F0 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,FindClose, 4_2_004929F0
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_004113F4 FindFirstFileA,FindNextFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime, 14_2_004113F4
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0040B703 FindFirstFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 14_2_0040B703
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01225BB6 FindFirstFileExW, 14_2_01225BB6
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_013392EB FindFirstFileExW, 14_2_013392EB
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01322760 SHGetValueA,CoCreateGuid,wsprintfA,SHSetValueA,GetComputerNameA,GetUserNameA,lstrlenA,GlobalMemoryStatusEx,__aulldiv,GetLogicalDriveStringsA,GetDriveTypeA,GetDiskFreeSpaceExA,RegOpenKeyExA,RegQueryValueExA,GetNativeSystemInfo,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument, 14_2_01322760

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 114.55.25.226 ports 8443,8080,1,2,443,80,53,21
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49708 -> 114.55.25.226:8080
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 114.55.25.226:53
Source: global traffic TCP traffic: 192.168.2.5:49749 -> 114.55.25.226:53
Source: global traffic TCP traffic: 192.168.2.5:49736 -> 114.55.25.226:53
Source: global traffic TCP traffic: 192.168.2.5:49723 -> 114.55.25.226:53
Source: global traffic TCP traffic: 192.168.2.5:49767 -> 114.55.25.226:53
Source: global traffic TCP traffic: 192.168.2.5:49755 -> 114.55.25.226:53
Source: global traffic TCP traffic: 192.168.2.5:49743 -> 114.55.25.226:53
Source: global traffic TCP traffic: 192.168.2.5:49717 -> 114.55.25.226:53
Source: global traffic TCP traffic: 192.168.2.5:49730 -> 114.55.25.226:53
Source: global traffic TCP traffic: 192.168.2.5:49773 -> 114.55.25.226:53
Source: global traffic TCP traffic: 192.168.2.5:49761 -> 114.55.25.226:53
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0132AEF0 Sleep,recv,recv, 14_2_0132AEF0
Source: global traffic DNS traffic detected: DNS query: www.uvfr4ep.com
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr String found in binary or memory: http://ocsp.thawte.com0
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Contains functionality to launch a process as a different user
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01323700 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,WTSEnumerateSessionsA,WTSQuerySessionInformationA,lstrcpyA,WTSFreeMemory,lstrcmpA,WTSFreeMemory,GetCurrentProcess,WTSQueryUserToken,DuplicateTokenEx,SetTokenInformation,CreateProcessAsUserA,CreateThread, 14_2_01323700
Creates files inside the system directory
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\ Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\brcc.exe Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\rw32core.dll Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\consent.exe Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\Secur32.dll Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_004A321C 0_2_004A321C
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00497563 0_2_00497563
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_004A4B22 0_2_004A4B22
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_004A333C 0_2_004A333C
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_0049FD30 0_2_0049FD30
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_004A01C8 0_2_004A01C8
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00497795 0_2_00497795
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_004A321C 4_2_004A321C
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_00497563 4_2_00497563
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_004A4B22 4_2_004A4B22
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_004A333C 4_2_004A333C
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_0049FD30 4_2_0049FD30
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_004A01C8 4_2_004A01C8
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_00497795 4_2_00497795
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_00413000 14_2_00413000
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01221670 14_2_01221670
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01221000 14_2_01221000
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0122BB81 14_2_0122BB81
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0132ACB0 14_2_0132ACB0
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_013329E5 14_2_013329E5
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0132A880 14_2_0132A880
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0133BB20 14_2_0133BB20
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_013403FD 14_2_013403FD
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01326240 14_2_01326240
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0133ED9C 14_2_0133ED9C
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0133EC7C 14_2_0133EC7C
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_013327B3 14_2_013327B3
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0133BFB8 14_2_0133BFB8
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01341640 14_2_01341640
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01325ED0 14_2_01325ED0
Found potential string decryption / allocating functions
Source: C:\Windows\Logs\logs\brcc.exe Code function: String function: 0132EA20 appears 37 times
Source: C:\Windows\Logs\logs\brcc.exe Code function: String function: 0041A7D4 appears 70 times
Sample file is different than original file name gathered from version info
Source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameconsent.exej% vs OPyF68i97j.exe
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBRCC32.EXE. vs OPyF68i97j.exe
Uses 32bit PE files
Source: OPyF68i97j.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@23/4@2/1
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01322760 SHGetValueA,CoCreateGuid,wsprintfA,SHSetValueA,GetComputerNameA,GetUserNameA,lstrlenA,GlobalMemoryStatusEx,__aulldiv,GetLogicalDriveStringsA,GetDriveTypeA,GetDiskFreeSpaceExA,RegOpenKeyExA,RegQueryValueExA,GetNativeSystemInfo,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument, 14_2_01322760
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: wsprintfW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateServiceW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,RegOpenKeyExW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,RegSetValueExW,RegSetValueExW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,RegSetValueExW,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_004921C0
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: wsprintfW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateServiceW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,RegOpenKeyExW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,RegSetValueExW,RegSetValueExW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,RegSetValueExW,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_004921C0
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00491DA0 CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,TerminateProcess,Process32Next,CloseHandle,CloseHandle, 0_2_00491DA0
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00491B20 GetModuleFileNameW,ExitProcess,OpenSCManagerW,OpenServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,ExitProcess, 0_2_00491B20
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00492B40 StartServiceCtrlDispatcherW, 0_2_00492B40
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_00492B40 StartServiceCtrlDispatcherW, 4_2_00492B40
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3556:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
Source: C:\Users\user\Desktop\OPyF68i97j.exe Mutant created: \Sessions\1\BaseNamedObjects\userResideVirtual1
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6004:120:WilError_03
Source: C:\Windows\Logs\logs\brcc.exe Mutant created: \BaseNamedObjects\askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG
Source: C:\Users\user\Desktop\OPyF68i97j.exe Mutant created: \BaseNamedObjects\SYSTEMResideVirtual0
Source: OPyF68i97j.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OPyF68i97j.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: OPyF68i97j.exe ReversingLabs: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\OPyF68i97j.exe "C:\Users\user\Desktop\OPyF68i97j.exe"
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices"
Source: unknown Process created: C:\Users\user\Desktop\OPyF68i97j.exe "C:\Users\user\Desktop\OPyF68i97j.exe" -service
Source: unknown Process created: C:\Users\user\Desktop\OPyF68i97j.exe C:\Users\user\Desktop\OPyF68i97j.exe
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices"
Source: unknown Process created: C:\Users\user\Desktop\OPyF68i97j.exe C:\Users\user\Desktop\OPyF68i97j.exe
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices"
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\Logs\logs\brcc.exe "C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG
Source: C:\Windows\Logs\logs\brcc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices" Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\Logs\logs\brcc.exe "C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices" Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices" Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: rw32core.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: OPyF68i97j.exe Static file information: File size 4323328 > 1048576
Source: OPyF68i97j.exe Static PE information: Raw size of .Net is bigger than: 0x100000 < 0x200000
Source: OPyF68i97j.exe Static PE information: Raw size of .Fun is bigger than: 0x100000 < 0x200000
Source: OPyF68i97j.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: OPyF68i97j.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: consent.pdb source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp, consent.exe.4.dr
Source: Binary string: consent.pdbW3 source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp, consent.exe.4.dr
Binary contains a suspicious time stamp
Source: brcc.exe.4.dr Static PE information: 0x9CE02625 [Tue May 27 05:12:05 2053 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0040A155 LoadLibraryA,GetProcAddress, 14_2_0040A155
PE file contains sections with non-standard names
Source: OPyF68i97j.exe Static PE information: section name: .Config
Source: OPyF68i97j.exe Static PE information: section name: .Net
Source: OPyF68i97j.exe Static PE information: section name: .Fun
Source: rw32core.dll.4.dr Static PE information: section name: .pe
Source: consent.exe.4.dr Static PE information: section name: consent
Source: Secur32.dll.4.dr Static PE information: section name: .pe
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_00421BC5 push eax; ret 14_2_00421C01
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_00422D95 push ebp; retf 14_2_00422DA4
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0040E6CA push eax; ret 14_2_0040E7B3
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_012226C6 push ecx; ret 14_2_012226D9
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0132EA66 push ecx; ret 14_2_0132EA79

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\OPyF68i97j.exe Executable created and started: C:\Windows\Logs\logs\brcc.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\rw32core.dll Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\Secur32.dll Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\brcc.exe Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\consent.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\rw32core.dll Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\Secur32.dll Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\brcc.exe Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe File created: C:\Windows\Logs\logs\consent.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f
Creates or modifies windows services
Source: C:\Users\user\Desktop\OPyF68i97j.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DISMsrv Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00491B20 GetModuleFileNameW,ExitProcess,OpenSCManagerW,OpenServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,ExitProcess, 0_2_00491B20

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\OPyF68i97j.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\Logs\logs\brcc.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\Logs\logs\brcc.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\OPyF68i97j.exe Dropped PE file which has not been started: C:\Windows\Logs\logs\Secur32.dll Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe Dropped PE file which has not been started: C:\Windows\Logs\logs\consent.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\OPyF68i97j.exe TID: 1488 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe TID: 1488 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe TID: 1476 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe TID: 1220 Thread sleep count: 78 > 30 Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe TID: 1220 Thread sleep time: -78000s >= -30000s Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe TID: 1220 Thread sleep count: 63 > 30 Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe TID: 1476 Thread sleep time: -60000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\OPyF68i97j.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Logs\logs\brcc.exe Last function: Thread delayed
Source: C:\Windows\Logs\logs\brcc.exe Last function: Thread delayed
Source: C:\Windows\Logs\logs\brcc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00492AF0 FindFirstFileW,FindClose, 0_2_00492AF0
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_004929F0 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,FindClose, 0_2_004929F0
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_00492AF0 FindFirstFileW,FindClose, 4_2_00492AF0
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_004929F0 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,FindClose, 4_2_004929F0
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_004113F4 FindFirstFileA,FindNextFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime, 14_2_004113F4
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0040B703 FindFirstFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 14_2_0040B703
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01225BB6 FindFirstFileExW, 14_2_01225BB6
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_013392EB FindFirstFileExW, 14_2_013392EB
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01322760 SHGetValueA,CoCreateGuid,wsprintfA,SHSetValueA,GetComputerNameA,GetUserNameA,lstrlenA,GlobalMemoryStatusEx,__aulldiv,GetLogicalDriveStringsA,GetDriveTypeA,GetDiskFreeSpaceExA,RegOpenKeyExA,RegQueryValueExA,GetNativeSystemInfo,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument, 14_2_01322760
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_00405918 GetSystemInfo, 14_2_00405918
Source: C:\Users\user\Desktop\OPyF68i97j.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe Thread delayed: delay time: 60000 Jump to behavior
Source: brcc.exe, 0000000E.00000002.3890021723.00000000004FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: C:\Users\user\Desktop\OPyF68i97j.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\OPyF68i97j.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\OPyF68i97j.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\OPyF68i97j.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\OPyF68i97j.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\OPyF68i97j.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\OPyF68i97j.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Logs\logs\brcc.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Logs\logs\brcc.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Logs\logs\brcc.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Logs\logs\brcc.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Logs\logs\brcc.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_004983A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004983A8
Contains functionality to dynamically determine API calls
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0040A155 LoadLibraryA,GetProcAddress, 14_2_0040A155
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_0049D843 mov eax, dword ptr fs:[00000030h] 0_2_0049D843
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_0049901C mov eax, dword ptr fs:[00000030h] 0_2_0049901C
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_0049D843 mov eax, dword ptr fs:[00000030h] 4_2_0049D843
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_0049901C mov eax, dword ptr fs:[00000030h] 4_2_0049901C
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_00406F0A mov eax, dword ptr fs:[00000030h] 14_2_00406F0A
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0122431D mov eax, dword ptr fs:[00000030h] 14_2_0122431D
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_012254CD mov eax, dword ptr fs:[00000030h] 14_2_012254CD
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_013377BD mov eax, dword ptr fs:[00000030h] 14_2_013377BD
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01337801 mov eax, dword ptr fs:[00000030h] 14_2_01337801
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01333CD4 mov eax, dword ptr fs:[00000030h] 14_2_01333CD4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_012270E0 GetProcessHeap, 14_2_012270E0
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00492DDF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00492DDF
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_004983A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004983A8
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_00492DDF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00492DDF
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 4_2_004983A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_004983A8
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01221CBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_01221CBF
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_012224F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_012224F8
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_012254FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_012254FE
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0132E972 SetUnhandledExceptionFilter, 14_2_0132E972
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0132E810 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_0132E810
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0132DF42 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_0132DF42
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_01331654 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_01331654
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\OPyF68i97j.exe Process created: C:\Windows\Logs\logs\brcc.exe "C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00491930 ImpersonateSelf,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,OpenProcessToken,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,RevertToSelf,LocalFree,LocalFree,FreeSid, 0_2_00491930
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00491930 ImpersonateSelf,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,OpenProcessToken,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,RevertToSelf,LocalFree,LocalFree,FreeSid, 0_2_00491930
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_012226DC cpuid 14_2_012226DC
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_004935E1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_004935E1
Source: C:\Users\user\Desktop\OPyF68i97j.exe Code function: 0_2_00491E90 GetCurrentProcessId,ProcessIdToSessionId,GetUserNameA,lstrcatA,lstrcpyA,ReleaseMutex,CloseHandle,CreateMutexA,GetModuleFileNameA,WinExec,WinExec,WinExec,GetCurrentProcessId,ExitProcess, 0_2_00491E90
Source: C:\Windows\Logs\logs\brcc.exe Code function: 14_2_0040596F GetVersion, 14_2_0040596F
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1524406 Sample: OPyF68i97j.exe Startdate: 02/10/2024 Architecture: WINDOWS Score: 100 48 www.uvfr4ep.com 2->48 50 edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->50 52 default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 2->52 56 Antivirus detection for dropped file 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 6 other signatures 2->62 8 OPyF68i97j.exe 5 2->8         started        12 OPyF68i97j.exe 1 1 2->12         started        14 OPyF68i97j.exe 1 2->14         started        16 2 other processes 2->16 signatures3 process4 file5 40 C:\Windows\Logs\logs\rw32core.dll, PE32 8->40 dropped 42 C:\Windows\Logs\logs\consent.exe, PE32 8->42 dropped 44 C:\Windows\Logs\logs\brcc.exe, PE32 8->44 dropped 46 C:\Windows\Logs\logs\Secur32.dll, PE32 8->46 dropped 66 Drops executables to the windows directory (C:\Windows) and starts them 8->66 18 brcc.exe 1 1 8->18         started        68 Found evasive API chain (may stop execution after checking mutex) 12->68 70 Uses schtasks.exe or at.exe to add and modify task schedules 12->70 22 conhost.exe 12->22         started        36 2 other processes 12->36 24 conhost.exe 14->24         started        26 schtasks.exe 1 14->26         started        28 schtasks.exe 1 14->28         started        30 conhost.exe 16->30         started        32 schtasks.exe 1 16->32         started        34 schtasks.exe 1 16->34         started        signatures6 process7 dnsIp8 54 www.uvfr4ep.com 114.55.25.226, 21, 443, 49704 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 18->54 64 Found evasive API chain (may stop execution after checking mutex) 18->64 38 conhost.exe 18->38         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
114.55.25.226
 www.uvfr4ep.com China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd true

Contacted Domains

Name IP Active
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com 217.20.57.27 true
www.uvfr4ep.com 114.55.25.226 true