Windows Analysis Report
JpQFDOA7Uk.exe

Overview

General Information

Sample name: JpQFDOA7Uk.exe
renamed because original name is a hash value
Original sample name: de0b74917fe24c2b38e2d1172b7352f88bf8b3df64b6d44ca5f317db85aeb324.exe
Analysis ID: 1526557
MD5: 4e66429d85967e344d8354e9b81719dc
SHA1: b958fb7241cc9675b8dd967b02df6a6ad92de52d
SHA256: de0b74917fe24c2b38e2d1172b7352f88bf8b3df64b6d44ca5f317db85aeb324
Tags: DoubleFaceTeamexeuser-JAMESWT_MHT
Infos:

Detection

Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found stalling execution ending in API Sleep call
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sleep loop found (likely to delay execution)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: JpQFDOA7Uk.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: JpQFDOA7Uk.exe ReversingLabs: Detection: 76%
Source: JpQFDOA7Uk.exe Virustotal: Detection: 81% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 93.2% probability
Uses 32bit PE files
Source: JpQFDOA7Uk.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\.ms-ad\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\3D Objects\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Contacts\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\BJZFPPWAPT\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\EIVQSAOTAQ\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\EWZCVGNOWT\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\GRXZDKKVDB\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\LIJDSFKJZG\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\NWCXBPIUYI\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\NYMMPCEIMA\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\PALRGUCVEH\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\VWDFPKGDUF\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\BJZFPPWAPT\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\EIVQSAOTAQ\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\EWZCVGNOWT\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\GRXZDKKVDB\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\LIJDSFKJZG\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\NWCXBPIUYI\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\NYMMPCEIMA\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\PALRGUCVEH\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\VWDFPKGDUF\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Downloads\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Favorites\Links\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Favorites\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Links\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Music\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\OneDrive\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Pictures\Camera Roll\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Pictures\Saved Pictures\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Pictures\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Recent\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Saved Games\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Searches\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Videos\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\Documents\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\Downloads\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\Music\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\Pictures\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\Videos\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\CyberVolk_ReadMe.txt Jump to behavior
Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: z: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: x: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: v: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: t: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: r: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: p: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: n: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: l: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: j: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: h: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: f: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: b: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: y: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: w: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: u: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: s: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: q: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: o: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: m: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: k: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: i: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: g: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: e: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File opened: a: Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_00422120 GetSystemDirectoryW,wsprintfW,wsprintfW,GetFileAttributesW,wsprintfW,FindFirstFileW,Sleep,FindNextFileW,FindClose,DeleteFileW,FindClose, 0_2_00422120
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: JpQFDOA7Uk.exe, CyberVolk_ReadMe.txt42.0.dr, CyberVolk_ReadMe.txt16.0.dr, CyberVolk_ReadMe.txt35.0.dr, CyberVolk_ReadMe.txt19.0.dr, CyberVolk_ReadMe.txt29.0.dr, CyberVolk_ReadMe.txt25.0.dr, CyberVolk_ReadMe.txt5.0.dr, CyberVolk_ReadMe.txt8.0.dr, CyberVolk_ReadMe.txt10.0.dr, CyberVolk_ReadMe.txt28.0.dr, CyberVolk_ReadMe.txt33.0.dr, CyberVolk_ReadMe.txt11.0.dr, CyberVolk_ReadMe.txt22.0.dr, CyberVolk_ReadMe.txt37.0.dr, CyberVolk_ReadMe.txt12.0.dr, CyberVolk_ReadMe.txt32.0.dr, CyberVolk_ReadMe.txt18.0.dr, CyberVolk_ReadMe.txt24.0.dr, CyberVolk_ReadMe.txt.0.dr, CyberVolk_ReadMe.txt1.0.dr String found in binary or memory: https://t.me/cubervolk
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_004217D0 SHGetFolderPathA,SHGetFolderPathA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SetWindowPos,SetTimer,GetWindowLongW,LoadBitmapW,BeginPaint,CreateCompatibleDC,SelectObject,SelectObject,GetObjectW,BitBlt,SetTextColor,SetBkMode,SetRect,CreateFontA,SelectObject,DrawTextA,SelectObject,DeleteDC,EndPaint,GetDlgItem,GetDlgItem,ShowWindow,ShowWindow,GetDlgItem,ShowWindow,GetWindowLongW,LoadBitmapW,BeginPaint,CreateCompatibleDC,SelectObject,SelectObject,GetObjectW,BitBlt,SetTextColor,SetBkMode,SetRect,CreateFontA,SelectObject,DrawTextA,SelectObject,DeleteDC,EndPaint,MessageBoxW,GetDlgItemTextA,MessageBoxA,SHGetFolderPathA,EndDialog,GlobalAlloc,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,InvalidateRect,KillTimer,SHGetFolderPathA,MessageBoxW, 0_2_004217D0
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_004217D0 SHGetFolderPathA,SHGetFolderPathA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SetWindowPos,SetTimer,GetWindowLongW,LoadBitmapW,BeginPaint,CreateCompatibleDC,SelectObject,SelectObject,GetObjectW,BitBlt,SetTextColor,SetBkMode,SetRect,CreateFontA,SelectObject,DrawTextA,SelectObject,DeleteDC,EndPaint,GetDlgItem,GetDlgItem,ShowWindow,ShowWindow,GetDlgItem,ShowWindow,GetWindowLongW,LoadBitmapW,BeginPaint,CreateCompatibleDC,SelectObject,SelectObject,GetObjectW,BitBlt,SetTextColor,SetBkMode,SetRect,CreateFontA,SelectObject,DrawTextA,SelectObject,DeleteDC,EndPaint,MessageBoxW,GetDlgItemTextA,MessageBoxA,SHGetFolderPathA,EndDialog,GlobalAlloc,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,InvalidateRect,KillTimer,SHGetFolderPathA,MessageBoxW, 0_2_004217D0

Spam, unwanted Advertisements and Ransom Demands
barindex
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File deleted: C:\Users\user\Desktop\PALRGUCVEH\ZIPXYXWIOY.png Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File deleted: C:\Users\user\Desktop\GIGIYTFFYT.pdf Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File deleted: C:\Users\user\Desktop\PALRGUCVEH\PALRGUCVEH.docx Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File deleted: C:\Users\user\Desktop\PALRGUCVEH.docx Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File deleted: C:\Users\user\Desktop\PALRGUCVEH\GIGIYTFFYT.pdf Jump to behavior
Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File dropped: C:\Users\user\Desktop\BJZFPPWAPT\CyberVolk_ReadMe.txt -> greetings. all your files have been encrypted by cybervolk ransomware. please never try to recover your files without decryption key which i give you after pay. they could be disappeared?you should follow my words.pay $1000 btc to below address.my telegram : @hacker7our team : https://t.me/cubervolkwe always welcome you and your payment. Jump to dropped file
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File dropped: C:\Users\user\.ms-ad\CyberVolk_ReadMe.txt -> greetings. all your files have been encrypted by cybervolk ransomware. please never try to recover your files without decryption key which i give you after pay. they could be disappeared?you should follow my words.pay $1000 btc to below address.my telegram : @hacker7our team : https://t.me/cubervolkwe always welcome you and your payment. Jump to dropped file
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File dropped: C:\Users\user\Downloads\CyberVolk_ReadMe.txt -> greetings. all your files have been encrypted by cybervolk ransomware. please never try to recover your files without decryption key which i give you after pay. they could be disappeared?you should follow my words.pay $1000 btc to below address.my telegram : @hacker7our team : https://t.me/cubervolkwe always welcome you and your payment. Jump to dropped file
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File dropped: C:\Users\user\3D Objects\CyberVolk_ReadMe.txt -> greetings. all your files have been encrypted by cybervolk ransomware. please never try to recover your files without decryption key which i give you after pay. they could be disappeared?you should follow my words.pay $1000 btc to below address.my telegram : @hacker7our team : https://t.me/cubervolkwe always welcome you and your payment. Jump to dropped file
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File dropped: C:\Users\user\Contacts\CyberVolk_ReadMe.txt -> greetings. all your files have been encrypted by cybervolk ransomware. please never try to recover your files without decryption key which i give you after pay. they could be disappeared?you should follow my words.pay $1000 btc to below address.my telegram : @hacker7our team : https://t.me/cubervolkwe always welcome you and your payment. Jump to dropped file
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File dropped: C:\Users\user\Desktop\EIVQSAOTAQ\CyberVolk_ReadMe.txt -> greetings. all your files have been encrypted by cybervolk ransomware. please never try to recover your files without decryption key which i give you after pay. they could be disappeared?you should follow my words.pay $1000 btc to below address.my telegram : @hacker7our team : https://t.me/cubervolkwe always welcome you and your payment. Jump to dropped file
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File dropped: C:\Users\user\Desktop\EWZCVGNOWT\CyberVolk_ReadMe.txt -> greetings. all your files have been encrypted by cybervolk ransomware. please never try to recover your files without decryption key which i give you after pay. they could be disappeared?you should follow my words.pay $1000 btc to below address.my telegram : @hacker7our team : https://t.me/cubervolkwe always welcome you and your payment. Jump to dropped file
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File dropped: C:\Users\user\Favorites\Links\CyberVolk_ReadMe.txt -> greetings. all your files have been encrypted by cybervolk ransomware. please never try to recover your files without decryption key which i give you after pay. they could be disappeared?you should follow my words.pay $1000 btc to below address.my telegram : @hacker7our team : https://t.me/cubervolkwe always welcome you and your payment. Jump to dropped file
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File dropped: C:\Users\user\Favorites\CyberVolk_ReadMe.txt -> greetings. all your files have been encrypted by cybervolk ransomware. please never try to recover your files without decryption key which i give you after pay. they could be disappeared?you should follow my words.pay $1000 btc to below address.my telegram : @hacker7our team : https://t.me/cubervolkwe always welcome you and your payment. Jump to dropped file
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File dropped: C:\Users\user\Desktop\GRXZDKKVDB\CyberVolk_ReadMe.txt -> greetings. all your files have been encrypted by cybervolk ransomware. please never try to recover your files without decryption key which i give you after pay. they could be disappeared?you should follow my words.pay $1000 btc to below address.my telegram : @hacker7our team : https://t.me/cubervolkwe always welcome you and your payment. Jump to dropped file
Detected potential crypto function
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_0041F230 0_2_0041F230
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_0040846E 0_2_0040846E
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_00418CDF 0_2_00418CDF
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_00414090 0_2_00414090
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_0041FD70 0_2_0041FD70
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_0040812C 0_2_0040812C
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_0041453B 0_2_0041453B
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_0041B9D0 0_2_0041B9D0
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_004087CD 0_2_004087CD
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_0041CBA0 0_2_0041CBA0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: String function: 00420F20 appears 52 times
Uses 32bit PE files
Source: JpQFDOA7Uk.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf.CyberVolk.0.dr Binary string: \Device\HarddiskVolume3\Users\user\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
Source: classification engine Classification label: mal54.rans.evad.winEXE@2/183@1/0
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\.curlrc.CyberVolk Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\AppData\Local\Temp\tmp.bmp Jump to behavior
Source: JpQFDOA7Uk.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File read: C:\Users\user\3D Objects\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: JpQFDOA7Uk.exe ReversingLabs: Detection: 76%
Source: JpQFDOA7Uk.exe Virustotal: Detection: 81%
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File read: C:\Users\user\Desktop\JpQFDOA7Uk.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\JpQFDOA7Uk.exe "C:\Users\user\Desktop\JpQFDOA7Uk.exe"
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Automated click: OK
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Automated click: OK
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Automated click: OK
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Automated click: OK
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Automated click: OK
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: JpQFDOA7Uk.exe Static file information: File size 8167424 > 1048576
Source: JpQFDOA7Uk.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x79ea00
Source: JpQFDOA7Uk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_004193F1 push ecx; ret 0_2_00419404
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\.ms-ad\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\3D Objects\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Contacts\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\BJZFPPWAPT\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\EIVQSAOTAQ\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\EWZCVGNOWT\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\GRXZDKKVDB\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\LIJDSFKJZG\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\NWCXBPIUYI\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\NYMMPCEIMA\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\PALRGUCVEH\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\VWDFPKGDUF\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Desktop\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\BJZFPPWAPT\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\EIVQSAOTAQ\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\EWZCVGNOWT\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\GRXZDKKVDB\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\LIJDSFKJZG\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\NWCXBPIUYI\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\NYMMPCEIMA\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\PALRGUCVEH\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\VWDFPKGDUF\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Documents\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Downloads\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Favorites\Links\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Favorites\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Links\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Music\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\OneDrive\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Pictures\Camera Roll\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Pictures\Saved Pictures\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Pictures\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Recent\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Saved Games\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Searches\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\Videos\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\user\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\Documents\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\Downloads\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\Music\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\Pictures\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\Videos\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\Public\CyberVolk_ReadMe.txt Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe File created: C:\Users\CyberVolk_ReadMe.txt Jump to behavior

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Stalling execution: Execution stalls by calling Sleep
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Window / User API: threadDelayed 4053 Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Window / User API: threadDelayed 406 Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Window / User API: threadDelayed 1058 Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Window / User API: threadDelayed 364 Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Window / User API: threadDelayed 3334 Jump to behavior
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 586 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe TID: 6500 Thread sleep time: -4053000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe TID: 6500 Thread sleep time: -3334000s >= -30000s Jump to behavior
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Thread sleep count: Count: 1058 delay: -10 Jump to behavior
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_00422120 GetSystemDirectoryW,wsprintfW,wsprintfW,GetFileAttributesW,wsprintfW,FindFirstFileW,Sleep,FindNextFileW,FindClose,DeleteFileW,FindClose, 0_2_00422120
Source: JpQFDOA7Uk.exe.CyberVolk.0.dr Binary or memory string: TnzRmwSovMci8KR 06
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_0040DC1C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040DC1C
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_00401C7A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00401C7A
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_0040DC1C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040DC1C
Source: C:\Users\user\Desktop\JpQFDOA7Uk.exe Code function: 0_2_004015F7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_004015F7
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1526557 Sample: JpQFDOA7Uk.exe Startdate: 06/10/2024 Architecture: WINDOWS Score: 54 21 241.42.69.40.in-addr.arpa 2->21 23 Antivirus / Scanner detection for submitted sample 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 AI detected suspicious sample 2->27 7 JpQFDOA7Uk.exe 183 2->7         started        signatures3 process4 file5 13 C:\Users\user\...\CyberVolk_ReadMe.txt, ASCII 7->13 dropped 15 C:\Users\user\...\CyberVolk_ReadMe.txt, ASCII 7->15 dropped 17 C:\Users\user\...\CyberVolk_ReadMe.txt, ASCII 7->17 dropped 19 8 other malicious files 7->19 dropped 29 Found stalling execution ending in API Sleep call 7->29 31 Writes a notice file (html or txt) to demand a ransom 7->31 33 Modifies existing user documents (likely ransomware behavior) 7->33 11 conhost.exe 7->11         started        signatures6 process7
No contacted IP infos

Contacted Domains

Name IP Active
241.42.69.40.in-addr.arpa unknown unknown