Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
Analysis ID:	1527906
MD5:	eaf75c53fccbbb7bb45e96fe3c642cfc
SHA1:	89741ce1b3f522d995ea1e311b758e09384ae4f6
SHA256:	9f12616bd66ff80dfbed9355844515746b0371e075616ccb7b8f776584e02e05
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Uses bcdedit to modify the Windows boot settings

Abnormal high CPU Usage

Creates a process in suspended mode (likely to inject code)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: New Kernel Driver Via SC.EXE

Sigma detected: Suspicious Copy From or To System Directory

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe" MD5: EAF75C53FCCBBB7BB45E96FE3C642CFC)

conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5480 cmdline: C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

bcdedit.exe (PID: 2860 cmdline: bcdedit /set hypervisorlaunchtype off MD5: 74F7B84B0A547592CA63A00A8C4AD583)

cmd.exe (PID: 4928 cmdline: C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f > NUL MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

reg.exe (PID: 4900 cmdline: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 2476 cmdline: C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 6024 cmdline: C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5224 cmdline: sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 7116 cmdline: C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys>NUL MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3140 cmdline: sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 4428 cmdline: C:\Windows\system32\cmd.exe /c sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S>NUL MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6744 cmdline: sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cleanup

Sigma Signatures

Sigma detected: New Kernel Driver Via SC.EXE

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" , CommandLine: sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6024, ParentProcessName: cmd.exe, ProcessCommandLine: sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" , ProcessId: 5224, ProcessName: sc.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL, CommandLine: C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe, ParentProcessId: 6984, ParentProcessName: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL, ProcessId: 2476, ProcessName: cmd.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" , CommandLine: sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6024, ParentProcessName: cmd.exe, ProcessCommandLine: sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" , ProcessId: 5224, ProcessName: sc.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.3% probability

Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: jC:\Users\Sleepy\Documents\coding\Roblox\registry-callbacks-master\UserMode\.pdb?? source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
Source:	Binary string: C:\Users\Sleepy\Documents\coding\Roblox\registry-callbacks-master\UserMode\.pdb source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	String found in binary or memory: https://www.dearimgui.com/faq/
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	String found in binary or memory: https://www.dearimgui.com/faq/Set

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f

Source: classification engine

Classification label: mal56.winEXE@24/7@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03

Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set hypervisorlaunchtype off
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f > NUL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys>NUL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S>NUL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f > NUL	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys>NUL	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S>NUL	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set hypervisorlaunchtype off	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: xinput1_4.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\bcdedit.exe	Section loaded: cryptsp.dll	Jump to behavior

Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: jC:\Users\Sleepy\Documents\coding\Roblox\registry-callbacks-master\UserMode\.pdb?? source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
Source:	Binary string: C:\Users\Sleepy\Documents\coding\Roblox\registry-callbacks-master\UserMode\.pdb source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Uses bcdedit to modify the Windows boot settings

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set hypervisorlaunchtype off
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set hypervisorlaunchtype off	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys"

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Window / User API: threadDelayed 3048	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Window / User API: threadDelayed 509	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Window / User API: foregroundWindowGot 762	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Window / User API: foregroundWindowGot 757	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe TID: 7124

Thread sleep time: -30480s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f > NUL	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys>NUL	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S>NUL	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\bcdedit.exe bcdedit /set hypervisorlaunchtype off	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Service Execution	1 Windows Service	1 Windows Service	1 Modify Registry	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	1 Inhibit System Recovery
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	18%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.dearimgui.com/faq/Set	SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	false		unknown
https://www.dearimgui.com/faq/	SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527906
Start date and time:	2024-10-07 11:36:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
Detection:	MAL
Classification:	mal56.winEXE@24/7@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Simulations

Behavior and APIs

Time	Type	Description
05:37:50	API Interceptor	568853x Sleep call for process: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	445
Entropy (8bit):	5.309953850681003
Encrypted:	false
SSDEEP:	6:h1wv2sHU6BX38q1f+bqtHGwv2sHU6/f59e7uW/yT5oJ6JAYj0cMDtAMvgLkBwfM7:hmRhx5+bOR/R9cZfiAYj7Mv+fM2AF6w
MD5:	8131525E40B4C23E2308000C3CE05A4C
SHA1:	B47E7801A29420EEB77A639D20817093DA3E233D
SHA-256:	FB91D84AEA6AE64A3DE0DD171802EC06E6A1C60817EE408EA2FFEF21F02BFB0F
SHA-512:	176743BFE0991E03788A993E89734EC50EA436262A7A30AE0D6E37F1D157BD6097A170CD75A6F4C36D3A02D0DEEC956B7B4035E5A410FF70A7C22FFCAF17ADE1
Malicious:	false
Preview:	Path C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe..Registry value VulnerableDriverBlocklistEnable set to 0...Current directory under C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71..Driver C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys....[*] pinkel_tinkler by emlinhax..[!] could not find your driver...[Kernel driver not loaded]..[Info] Press VK_Home to unload...[Status] Running!..

\Device\Null

Download File

Process:	C:\Windows\System32\sc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.662591170919944
Encrypted:	false
SSDEEP:	3:OEAAKzgbzUWnRthLK5a6eCMABf:O5DePRoJPP
MD5:	51F0894392FBB61AD37D41C273902DF6
SHA1:	9AE239218209C65D125C098F5BE32B8943B1AB76
SHA-256:	43220363A318385B6C870AF82B163098813EB92E9A44D95FDDCF20D0B848FB2C
SHA-512:	6CEF129C13044E41AFEC7247A5AE8A1EBE7BC5150A8E48AF842BDAE8C7208C4E882E41F71884351464901D7322498B244BE5B921B4F0E3D929EDFC5A1845DE95
Malicious:	false
Preview:	[SC] StartService FAILED 2:....The system cannot find the file specified.....

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.614237660035011
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
File size:	688'640 bytes
MD5:	eaf75c53fccbbb7bb45e96fe3c642cfc
SHA1:	89741ce1b3f522d995ea1e311b758e09384ae4f6
SHA256:	9f12616bd66ff80dfbed9355844515746b0371e075616ccb7b8f776584e02e05
SHA512:	b4a6c521f33cba2d55248fd793fa248f0220e46836709c1e3ceca2d7d5d54d0757b722baa60147fa25bcc6472846597447ef0609f15004476913d887445796ed
SSDEEP:	12288:2dxHR0k2s1Qu/9NHUT4OWc0w0T9DiCE+RBOSSjDMcH3/Lrbny0xT0GRiLq+jm5vg:Sx0kJ1QYmWDwa0CRBOSSjDT3/Lrbnhxx
TLSH:	DFE4A052B2B440F9D067B039B0DA770BEB3178580321D6D727D856693F923F16ABB722
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............~K..~K..~K...K..~K...J..~K..{J..~K..zJ..~K..}J..~K...J..~K...K..~K..wJ..~K...K..~K..\|J..~KRich..~K................PE..d..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14006d3c4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66771A92 [Sat Jun 22 18:40:18 2024 UTC]
TLS Callbacks:	0x4006d07c, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	69722309cfb80c4be496b27b24e06a25

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F25D4DAF714h
dec eax
add esp, 28h
jmp 00007F25D4DAF167h
int3
int3
and dword ptr [00037951h], 00000000h
ret
dec eax
mov dword ptr [esp+08h], ebx
push ebp
dec eax
lea ebp, dword ptr [esp-000004C0h]
dec eax
sub esp, 000005C0h
mov ebx, ecx
mov ecx, 00000017h
call dword ptr [00003D66h]
test eax, eax
je 00007F25D4DAF2F6h
mov ecx, ebx
int 29h
mov ecx, 00000003h
call 00007F25D4DAF2B9h
xor edx, edx
dec eax
lea ecx, dword ptr [ebp-10h]
inc ecx
mov eax, 000004D0h
call 00007F25D4DAFF75h
dec eax
lea ecx, dword ptr [ebp-10h]
call dword ptr [00003DD1h]
dec eax
mov ebx, dword ptr [ebp+000000E8h]
dec eax
lea edx, dword ptr [ebp+000004D8h]
dec eax
mov ecx, ebx
inc ebp
xor eax, eax
call dword ptr [00003D4Fh]
dec eax
test eax, eax
je 00007F25D4DAF32Eh
dec eax
and dword ptr [esp+38h], 00000000h
dec eax
lea ecx, dword ptr [ebp+000004E0h]
dec eax
mov edx, dword ptr [ebp+000004D8h]
dec esp
mov ecx, eax
dec eax
mov dword ptr [esp+30h], ecx
dec esp
mov eax, ebx
dec eax
lea ecx, dword ptr [ebp+000004E8h]
dec eax
mov dword ptr [esp+28h], ecx
dec eax
lea ecx, dword ptr [ebp-10h]
dec eax
mov dword ptr [esp+20h], ecx
xor ecx, ecx
call dword ptr [00003D06h]
dec eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa11c4	0x1b8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa7000	0x47b8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xad000	0x47c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x979e0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x97c00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x97a50	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x71000	0x958	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6f593	0x6f600	3f76d97b6f697fc1fc2f6bee9026fff7	False	0.5246124438832772	data	6.4767559577071685	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x71000	0x32eaa	0x33000	37dc466519efc5ec35d8bae47fd1e53e	False	0.3777908624387255	data	5.823076068710632	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa4000	0x2508	0x800	50734c2062982f28f1322c95429af3ed	False	0.2470703125	data	3.9423627078888543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xa7000	0x47b8	0x4800	d9a555e9dc8bd0fcd43daa9c3a3281bf	False	0.4684787326388889	data	5.841821730276356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x1e8	0x200	708fe13d40a54950affd43033ce48eb1	False	0.54296875	data	4.762595083624659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xad000	0x47c	0x600	3081672db8e8185b353067a3a1cab183	False	0.4205729166666667	data	4.576470345338892	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xac060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	Process32NextW, CreateFileA, DeleteFileW, Process32FirstW, CloseHandle, GetModuleHandleW, GetConsoleWindow, GetLastError, GetFileInformationByHandleEx, AreFileApisANSI, GetFileAttributesExW, FindNextFileW, CreateToolhelp32Snapshot, FindClose, CreateFileW, FormatMessageA, LocalFree, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, IsDebuggerPresent, CreateEventW, WaitForSingleObjectEx, ResetEvent, SetEvent, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, GetCurrentDirectoryA, DeviceIoControl, QueryPerformanceCounter, FreeLibrary, VerSetConditionMask, GetProcAddress, QueryPerformanceFrequency, LoadLibraryA, GetLocaleInfoA, GetModuleHandleA, GlobalUnlock, WideCharToMultiByte, RtlCaptureContext, GetFileAttributesA, GlobalLock, GlobalFree, GlobalAlloc, FindFirstFileExW, MultiByteToWideChar
USER32.dll	FindWindowA, PeekMessageW, GetMonitorInfoW, GetKeyboardLayout, DefWindowProcW, GetWindowRect, SetWindowDisplayAffinity, MoveWindow, SetLayeredWindowAttributes, TranslateMessage, LoadIconW, SetWindowLongW, PostQuitMessage, GetDesktopWindow, UpdateWindow, SendInput, GetKeyState, GetMessageExtraInfo, MonitorFromWindow, DestroyWindow, ScreenToClient, GetAsyncKeyState, GetCapture, ClientToScreen, SetClipboardData, CreateWindowExW, GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard, GetSystemMetrics, GetCursorPos, UnregisterClassW, SetCursorPos, ReleaseCapture, TrackMouseEvent, RegisterClassExW, ShowWindow, IsWindowUnicode, SetProcessDPIAware, GetClientRect, SetCursor, SetCapture, LoadCursorW, GetForegroundWindow, DispatchMessageW
GDI32.dll	CreateSolidBrush
ADVAPI32.dll	RegOpenKeyExW, RegSetValueExW, RegSetValueExA, RegCloseKey, RegOpenKeyExA
SHELL32.dll	SHGetFolderPathW
IMM32.dll	ImmSetCompositionWindow, ImmGetContext, ImmSetCandidateWindow, ImmReleaseContext
D3DCOMPILER_47.dll	D3DCompile
dwmapi.dll	DwmExtendFrameIntoClientArea
MSVCP140.dll	?always_noconv@codecvt_base@std@@QEBA_NXZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?_Xout_of_range@std@@YAXPEBD@Z, ?_Xlength_error@std@@YAXPEBD@Z, _Xtime_get_ticks, ??Bid@locale@std@@QEAA_KXZ, _Query_perf_frequency, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exceptions@std@@YAHXZ, ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A, ?wcerr@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A, ?_Random_device@std@@YAIXZ, _Cnd_do_broadcast_at_thread_exit, _Thrd_sleep, _Query_perf_counter, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z, ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, _Thrd_id, _Thrd_join, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z, ?_Winerror_map@std@@YAHH@Z, ?_Throw_C_error@std@@YAXH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?_Syserror_map@std@@YAPEBDH@Z, _Thrd_detach, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z
d3d11.dll	D3D11CreateDeviceAndSwapChain
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memchr, __std_terminate, memcmp, memcpy, memmove, strstr, __std_exception_destroy, __std_exception_copy, __C_specific_handler, _CxxThrowException, memset, __current_exception_context, __current_exception
api-ms-win-crt-stdio-l1-1-0.dll	ungetc, setvbuf, fgetpos, fgetc, fputc, fsetpos, _get_stream_buffer_pointers, __acrt_iob_func, __p__commode, fclose, ftell, fflush, _fseeki64, fseek, __stdio_common_vfprintf, fwrite, _wfopen, __stdio_common_vsprintf, __stdio_common_vsscanf, fread, _set_fmode
api-ms-win-crt-utility-l1-1-0.dll	rand, qsort
api-ms-win-crt-string-l1-1-0.dll	strncpy, strncmp, strcmp
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, _set_new_mode, free, malloc
api-ms-win-crt-convert-l1-1-0.dll	atof, strtoull
api-ms-win-crt-runtime-l1-1-0.dll	exit, _beginthreadex, system, _register_thread_local_exe_atexit_callback, _c_exit, __p___argv, __p___argc, terminate, _exit, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _invalid_parameter_noinfo_noreturn
api-ms-win-crt-filesystem-l1-1-0.dll	_lock_file, _unlock_file
api-ms-win-crt-math-l1-1-0.dll	pow, acosf, sinf, atan2f, sqrt, cosf, ceilf, fmodf, sqrtf, powf, __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale, ___lc_codepage_func

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	05:37:00
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe"
Imagebase:	0x7ff69cee0000
File size:	688'640 bytes
MD5 hash:	EAF75C53FCCBBB7BB45E96FE3C642CFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:37:00
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:37:00
Start date:	07/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c bcdedit /set hypervisorlaunchtype off >NUL
Imagebase:	0x7ff6f2390000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:37:00
Start date:	07/10/2024
Path:	C:\Windows\System32\bcdedit.exe
Wow64 process (32bit):	false
Commandline:	bcdedit /set hypervisorlaunchtype off
Imagebase:	0x7ff6690d0000
File size:	491'864 bytes
MD5 hash:	74F7B84B0A547592CA63A00A8C4AD583
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:37:00
Start date:	07/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f > NUL
Imagebase:	0x7ff6f2390000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:37:00
Start date:	07/10/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ValidateAdminCodeSignatures /t REG_DWORD /d 0 /f
Imagebase:	0x7ff6a4da0000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:37:01
Start date:	07/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c copy "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.602488.71KernelMode.sys" "C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL
Imagebase:	0x7ff6f2390000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:37:01
Start date:	07/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys" > NUL
Imagebase:	0x7ff6f2390000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:37:01
Start date:	07/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binPath="C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys"
Imagebase:	0x7ff7f7bb0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:37:01
Start date:	07/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys>NUL
Imagebase:	0x7ff6f2390000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:37:01
Start date:	07/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc create sPdzrFj5MyJVEO29Rs0hjwD7Npia8S type=kernel binpath=C:\Windows\System32\drivers\sPdzrFj5MyJVEO29Rs0hjwD7Npia8S.sys
Imagebase:	0x7ff7f7bb0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:37:01
Start date:	07/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S>NUL
Imagebase:	0x7ff6f2390000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:37:01
Start date:	07/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc start sPdzrFj5MyJVEO29Rs0hjwD7Npia8S
Imagebase:	0x7ff7f7bb0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.This may deny access to available backups and recovery options.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Deletion, Command: Command Execution, File: File Deletion, Process: Process Creation, Service: Service Metadata, Snapshot: Snapshot Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exePID: 6984, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7012, Parent PID: 6984

General

Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.602488.7106.22030.exe