Source: wSIWW3vyrB.exe |
ReversingLabs: Detection: 42% |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 99.9% probability |
Source: wSIWW3vyrB.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: E.pdb source: wSIWW3vyrB.exe |
Source: |
Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty.pdb source: wSIWW3vyrB.exe, 00000000.00000002.3400189770.00000000018C9000.00000040.00000001.01000000.00000003.sdmp, wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001965000.00000040.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty-agent.pdb source: wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001A11000.00000040.00000001.01000000.00000003.sdmp, wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001AC3000.00000040.00000001.01000000.00000003.sdmp |
Source: |
Binary string: 4--E.pdb source: wSIWW3vyrB.exe |
Source: global traffic |
TCP traffic: 192.168.2.6:49710 -> 121.41.18.122:3232 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 121.41.18.122 |
Source: classification engine |
Classification label: mal68.troj.winEXE@5/1@0/1 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03 |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
File opened: C:\Windows\system32\69976f7ca267b317d321e50c93ac034a0d061a4d9f77fdb8638bc064d4799cc4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: wSIWW3vyrB.exe |
ReversingLabs: Detection: 42% |
Source: wSIWW3vyrB.exe |
String found in binary or memory: Mask/Addr6 |
Source: unknown |
Process created: C:\Users\user\Desktop\wSIWW3vyrB.exe "C:\Users\user\Desktop\wSIWW3vyrB.exe" |
|
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Process created: C:\Windows\System32\whoami.exe whoami |
|
Source: C:\Windows\System32\whoami.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Process created: C:\Windows\System32\whoami.exe whoami |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: powrprof.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: umpdc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: netapi32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: wkscli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: samcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: samlib.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\System32\whoami.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Windows\System32\whoami.exe |
Section loaded: authz.dll |
Jump to behavior |
Source: C:\Windows\System32\whoami.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\whoami.exe |
Section loaded: wkscli.dll |
Jump to behavior |
Source: C:\Windows\System32\whoami.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: wSIWW3vyrB.exe |
Static file information: File size 5939200 > 1048576 |
Source: wSIWW3vyrB.exe |
Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x5a9c00 |
Source: wSIWW3vyrB.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: E.pdb source: wSIWW3vyrB.exe |
Source: |
Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty.pdb source: wSIWW3vyrB.exe, 00000000.00000002.3400189770.00000000018C9000.00000040.00000001.01000000.00000003.sdmp, wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001965000.00000040.00000001.01000000.00000003.sdmp |
Source: |
Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty-agent.pdb source: wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001A11000.00000040.00000001.01000000.00000003.sdmp, wSIWW3vyrB.exe, 00000000.00000002.3400189770.0000000001AC3000.00000040.00000001.01000000.00000003.sdmp |
Source: |
Binary string: 4--E.pdb source: wSIWW3vyrB.exe |
Source: wSIWW3vyrB.exe |
Static PE information: section name: UPX2 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Process created: C:\Windows\System32\whoami.exe whoami |
|
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Process created: C:\Windows\System32\whoami.exe whoami |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\whoami.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\whoami.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
System information queried: CurrentTimeZoneInformation |
Jump to behavior |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: wSIWW3vyrB.exe, 00000000.00000002.3404630766.000001BA9A02C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Process information queried: ProcessInformation |
Jump to behavior |
Source: C:\Windows\System32\whoami.exe |
Process token adjusted: Debug |
Jump to behavior |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\wSIWW3vyrB.exe |
Process created: C:\Windows\System32\whoami.exe whoami |
Jump to behavior |
Source: Yara match |
File source: Process Memory Space: wSIWW3vyrB.exe PID: 5956, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: wSIWW3vyrB.exe PID: 5956, type: MEMORYSTR |