Windows Analysis Report
RUN.exe

Overview

General Information

Sample name: RUN.exe
Analysis ID: 1530965
MD5: 80fb69110342f1a031b10484ea356055
SHA1: 70a77fd61066eaf936feec994301f1c3693c7a28
SHA256: 7c2f43b18bb5f18cb9b8967323a3c68befff6fbf8dceae39f786e8152f493a65
Tags: exeuser-accbarmailch

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Self deletion via cmd or bat file
Sigma detected: Suspicious Ping/Del Command Combination
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\Desktop\a.exe:extractor.dll Avira: detection malicious, Label: HEUR/AGEN.1354117
Source: 1.2.RUN.exe.140000000.0.unpack Malware Configuration Extractor: Meduza Stealer {"C2 url": "109.107.181.162", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "28", "self_destruct": true, "extensions": "none", "links": "none", "grabber_max_size": 1048576}
Source: C:\Users\user\Desktop\a.exe:extractor.dll ReversingLabs: Detection: 41%
Source: RUN.exe ReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\Desktop\a.exe:extractor.dll Joe Sandbox ML: detected
Source: RUN.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140070410 CryptUnprotectData,LocalFree, 1_2_0000000140070410
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140035BD0 CryptUnprotectData,LocalFree, 1_2_0000000140035BD0
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: RUN.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400B93CC FindClose,FindFirstFileExW,GetLastError,GetCurrentDirectoryW,GetLastError, 1_2_00000001400B93CC
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400B947C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,GetFileAttributesW,__std_fs_open_handle,CloseHandle, 1_2_00000001400B947C
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140034D60 FindFirstFileW,FindNextFileW, 1_2_0000000140034D60
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400D40D8 FindFirstFileW,FindNextFileW, 1_2_00000001400D40D8
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140088D70 GetLogicalDriveStringsW, 1_2_0000000140088D70
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF66B15DC50
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rsi 0_2_00007FF66B159CD0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rdi 0_2_00007FF66B15ACD0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rsi 0_2_00007FF66B151D20
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then cmp rdx, 01h 0_2_00007FF66B14FBE0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rsi 0_2_00007FF66B1520B0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rbx 0_2_00007FF66B13AF33
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF66B15DD49
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rbp 0_2_00007FF66B14AE30
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rbp 0_2_00007FF66B14B470
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push r15 0_2_00007FF66B14929E
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rdi 0_2_00007FF66B15A1B0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rbx 0_2_00007FF66B15B8C0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then sub rsp, 28h 1_2_00007FF66B15DC50
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rsi 1_2_00007FF66B159CD0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rdi 1_2_00007FF66B15ACD0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rsi 1_2_00007FF66B151D20
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then cmp rdx, 01h 1_2_00007FF66B14FBE0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rsi 1_2_00007FF66B1520B0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rbx 1_2_00007FF66B13AF33
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then sub rsp, 28h 1_2_00007FF66B15DD49
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rbp 1_2_00007FF66B14AE30
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rbp 1_2_00007FF66B14B470
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push r15 1_2_00007FF66B14929E
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rdi 1_2_00007FF66B15A1B0
Source: C:\Users\user\Desktop\RUN.exe Code function: 4x nop then push rbx 1_2_00007FF66B15B8C0

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.5:49704 -> 109.107.181.162:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.5:49704 -> 109.107.181.162:15666
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.5:49704 -> 109.107.181.162:15666
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 109.107.181.162:15666
Source: global traffic HTTP traffic detected:
GET / HTTP/1.1
Accept: text/html; text/plain; */*
Host: api.ipify.org
Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View ASN Name: TELEPORT-TV-ASRU TELEPORT-TV-ASRU
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.181.162
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140070830 Concurrency::cancel_current_task,InternetOpenW,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 1_2_0000000140070830
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: RUN.exe, 00000001.00000002.2204235009.0000024213203000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: RUN.exe, 00000001.00000003.2202423492.00000242158E0000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2202472603.00000242158E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsoft.t/Regi
Source: RUN.exe, 00000001.00000003.2036391573.00000242158D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsoft.t/Regi)F
Source: RUN.exe, 00000001.00000003.2038501883.0000024215C37000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038891640.00000242131D5000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2040061170.00000242131D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RUN.exe, 00000001.00000002.2204235009.0000024213155000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000002.2204235009.0000024213137000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: RUN.exe, 00000001.00000003.2066148254.00000242131DB000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D3000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: RUN.exe, 00000001.00000003.2066148254.00000242131DB000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D3000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: RUN.exe, 00000001.00000003.2038501883.0000024215C37000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038891640.00000242131D5000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2040061170.00000242131D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RUN.exe, 00000001.00000003.2038501883.0000024215C37000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038891640.00000242131D5000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2040061170.00000242131D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RUN.exe, 00000001.00000003.2038501883.0000024215C37000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038891640.00000242131D5000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2040061170.00000242131D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RUN.exe, 00000001.00000003.2066148254.00000242131DB000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D3000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RUN.exe, 00000001.00000003.2066148254.00000242131DB000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D3000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: RUN.exe, 00000001.00000003.2038501883.0000024215C37000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038891640.00000242131D5000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038501883.0000024215C1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RUN.exe, 00000001.00000003.2038501883.0000024215C37000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2039601750.0000024215C1F000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038891640.00000242131D5000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038501883.0000024215C1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RUN.exe, 00000001.00000003.2038501883.0000024215C37000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038891640.00000242131D5000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038501883.0000024215C1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RUN.exe String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: RUN.exe, 00000001.00000003.2066036652.00000242131D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: RUN.exe, 00000001.00000003.2061516063.0000024215FA8000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2059602201.0000024215D4F000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2057905457.0000024214F38000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2059856665.0000024214F30000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2059602201.0000024215D47000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2058084500.0000024215D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: RUN.exe, 00000001.00000003.2059602201.0000024215D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RUN.exe, 00000001.00000003.2059602201.0000024215D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: RUN.exe, 00000001.00000003.2066148254.00000242131DB000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D3000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: RUN.exe, 00000001.00000003.2066148254.00000242131DB000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D3000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2066036652.00000242131D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: RUN.exe, 00000001.00000003.2038501883.0000024215C37000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038891640.00000242131D5000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2040061170.00000242131D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: RUN.exe, 00000001.00000003.2038501883.0000024215C37000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2038891640.00000242131D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RUN.exe, 00000001.00000003.2061516063.0000024215FA8000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2059602201.0000024215D4F000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2057905457.0000024214F38000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2059856665.0000024214F30000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2059602201.0000024215D47000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2058084500.0000024215D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: RUN.exe, 00000001.00000003.2059602201.0000024215D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: RUN.exe, 00000001.00000003.2059602201.0000024215D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: RUN.exe, 00000001.00000003.2057905457.0000024214F3F000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2061516063.0000024215FAF000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2059602201.0000024215D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RUN.exe, 00000001.00000003.2059602201.0000024215D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RUN.exe, 00000001.00000003.2057905457.0000024214F3F000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2061516063.0000024215FAF000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2059602201.0000024215D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: RUN.exe, 00000001.00000003.2057905457.0000024214F3F000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2061516063.0000024215FAF000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2059602201.0000024215D57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B1216A0 memcpy,strlen,strcpy_s,WideCharToMultiByte,strcpy_s,strcpy_s,strcpy_s,_strlwr,_strlwr,strstr,strcmp,CreateFileA,WideCharToMultiByte,strcpy_s,strcpy_s,strcpy_s,_strlwr,_strlwr,strstr,strcmp,NtWriteFile,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,NtClose,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LdrLoadDll,strcmp,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,NtProtectVirtualMemory,remove,FreeLibrary,free,memcpy,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,strcmp,NtProtectVirtualMemory,strcmp,NtProtectVirtualMemory,strcmp,NtProtectVirtualMemory,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,exit, 0_2_00007FF66B1216A0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B123590 strcmp,strcmp,NtQueryInformationProcess, 0_2_00007FF66B123590
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B1225D1 strcmp,NtProtectVirtualMemory,strcmp,NtProtectVirtualMemory,strcmp,NtProtectVirtualMemory,strcmp,strcmp, 0_2_00007FF66B1225D1
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400D46C0 NtQuerySystemInformation, 1_2_00000001400D46C0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014008B700 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle, 1_2_000000014008B700
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B1216A0 0_2_00007FF66B1216A0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B143CF0 0_2_00007FF66B143CF0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B156C30 0_2_00007FF66B156C30
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B13FB30 0_2_00007FF66B13FB30
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B135F60 0_2_00007FF66B135F60
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B126E80 0_2_00007FF66B126E80
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B15BD80 0_2_00007FF66B15BD80
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B14B470 0_2_00007FF66B14B470
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B13E450 0_2_00007FF66B13E450
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B1237A0 0_2_00007FF66B1237A0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B1276D0 0_2_00007FF66B1276D0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B142710 0_2_00007FF66B142710
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B14D5F0 0_2_00007FF66B14D5F0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B1295D0 0_2_00007FF66B1295D0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF8A8E12CF0 0_2_00007FF8A8E12CF0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF8A8E03C10 0_2_00007FF8A8E03C10
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF8A8E1AED0 0_2_00007FF8A8E1AED0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF8A8E200BA 0_2_00007FF8A8E200BA
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF8A8E1F190 0_2_00007FF8A8E1F190
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF8A8E06360 0_2_00007FF8A8E06360
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF8A8E04460 0_2_00007FF8A8E04460
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF8A8E1C5B0 0_2_00007FF8A8E1C5B0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF8A8E20750 0_2_00007FF8A8E20750
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140042000 1_2_0000000140042000
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014003787D 1_2_000000014003787D
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014005A150 1_2_000000014005A150
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140080220 1_2_0000000140080220
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140080A20 1_2_0000000140080A20
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014005FB20 1_2_000000014005FB20
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014003CC00 1_2_000000014003CC00
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014002F420 1_2_000000014002F420
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400B947C 1_2_00000001400B947C
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014003B4B0 1_2_000000014003B4B0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400A44E8 1_2_00000001400A44E8
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140031D30 1_2_0000000140031D30
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014002ED30 1_2_000000014002ED30
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140034D60 1_2_0000000140034D60
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014005ED70 1_2_000000014005ED70
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140081600 1_2_0000000140081600
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014008FED0 1_2_000000014008FED0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140081FA0 1_2_0000000140081FA0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014005C7C0 1_2_000000014005C7C0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006B860 1_2_000000014006B860
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140067880 1_2_0000000140067880
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006E0E0 1_2_000000014006E0E0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400158E0 1_2_00000001400158E0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400070E0 1_2_00000001400070E0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140063140 1_2_0000000140063140
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400BC170 1_2_00000001400BC170
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140053180 1_2_0000000140053180
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140006180 1_2_0000000140006180
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006E9BA 1_2_000000014006E9BA
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006C1D0 1_2_000000014006C1D0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400561E0 1_2_00000001400561E0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400BE9F0 1_2_00000001400BE9F0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140028200 1_2_0000000140028200
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006B230 1_2_000000014006B230
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014002FA50 1_2_000000014002FA50
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006DAB0 1_2_000000014006DAB0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014009FAF8 1_2_000000014009FAF8
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140026340 1_2_0000000140026340
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140025350 1_2_0000000140025350
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006BB80 1_2_000000014006BB80
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014004C3A0 1_2_000000014004C3A0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400A63BC 1_2_00000001400A63BC
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014004ABD0 1_2_000000014004ABD0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006E520 1_2_000000014006E520
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140006D20 1_2_0000000140006D20
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006B530 1_2_000000014006B530
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140059550 1_2_0000000140059550
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014008F5A0 1_2_000000014008F5A0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140005DB0 1_2_0000000140005DB0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140006610 1_2_0000000140006610
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140035E20 1_2_0000000140035E20
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014002FE96 1_2_000000014002FE96
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006BEA0 1_2_000000014006BEA0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014004DEA0 1_2_000000014004DEA0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B143CF0 1_2_00007FF66B143CF0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B156C30 1_2_00007FF66B156C30
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B13FB30 1_2_00007FF66B13FB30
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B135F60 1_2_00007FF66B135F60
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B126E80 1_2_00007FF66B126E80
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B15BD80 1_2_00007FF66B15BD80
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B14B470 1_2_00007FF66B14B470
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B13E450 1_2_00007FF66B13E450
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B1237A0 1_2_00007FF66B1237A0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B1216A0 1_2_00007FF66B1216A0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B1276D0 1_2_00007FF66B1276D0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B142710 1_2_00007FF66B142710
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B14D5F0 1_2_00007FF66B14D5F0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B1295D0 1_2_00007FF66B1295D0
Source: C:\Users\user\Desktop\RUN.exe Code function: String function: 000000014002FE70 appears 34 times
Source: C:\Users\user\Desktop\RUN.exe Code function: String function: 00000001400348F0 appears 41 times
Source: C:\Users\user\Desktop\RUN.exe Code function: String function: 00007FF66B15D580 appears 84 times
Source: C:\Users\user\Desktop\RUN.exe Code function: String function: 00007FF66B15BC90 appears 52 times
Source: C:\Users\user\Desktop\RUN.exe Code function: String function: 00007FF66B15D670 appears 376 times
Source: C:\Users\user\Desktop\RUN.exe Code function: String function: 00007FF66B15D710 appears 168 times
Source: a.exe_extractor.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/2
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014003B4B0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 1_2_000000014003B4B0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_000000014006DAB0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString,SysStringByteLen,SysFreeString,SysFreeString, 1_2_000000014006DAB0
Source: C:\Users\user\Desktop\RUN.exe File created: C:\Users\user\Desktop\a.exe:extractor.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69638AD8C25F
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: RUN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RUN.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RUN.exe ReversingLabs: Detection: 65%
Source: RUN.exe String found in binary or memory: --help
Source: RUN.exe String found in binary or memory: --help
Source: unknown Process created: C:\Users\user\Desktop\RUN.exe "C:\Users\user\Desktop\RUN.exe"
Source: C:\Users\user\Desktop\RUN.exe Process created: C:\Users\user\Desktop\RUN.exe "C:\Users\user\Desktop\RUN.exe"
Source: C:\Users\user\Desktop\RUN.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\RUN.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\RUN.exe Process created: C:\Users\user\Desktop\RUN.exe "C:\Users\user\Desktop\RUN.exe" Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\RUN.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000 Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: a.exe:extractor.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: RUN.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: RUN.exe Static file information: File size 1549312 > 1048576
Source: RUN.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x136400
Source: RUN.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B1216A0 memcpy,strlen,strcpy_s,WideCharToMultiByte,strcpy_s,strcpy_s,strcpy_s,_strlwr,_strlwr,strstr,strcmp,CreateFileA,WideCharToMultiByte,strcpy_s,strcpy_s,strcpy_s,_strlwr,_strlwr,strstr,strcmp,NtWriteFile,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,NtClose,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LdrLoadDll,strcmp,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,NtProtectVirtualMemory,remove,FreeLibrary,free,memcpy,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,strcmp,NtProtectVirtualMemory,strcmp,NtProtectVirtualMemory,strcmp,NtProtectVirtualMemory,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,exit, 0_2_00007FF66B1216A0
Source: RUN.exe Static PE information: section name: .xdata
Source: a.exe_extractor.dll.0.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B2991B0 push 01130064h; iretd 0_2_00007FF66B2991BA
Source: C:\Users\user\Desktop\RUN.exe File created: C:\Users\user\Desktop\a.exe:extractor.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\RUN.exe File created: C:\Users\user\Desktop\a.exe:extractor.dll Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\RUN.exe"
Source: C:\Users\user\Desktop\RUN.exe Process created: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\RUN.exe" Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000 Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe API coverage: 7.7 %
Source: C:\Users\user\Desktop\RUN.exe API coverage: 4.3 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400B93CC FindClose,FindFirstFileExW,GetLastError,GetCurrentDirectoryW,GetLastError, 1_2_00000001400B93CC
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400B947C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,GetFileAttributesW,__std_fs_open_handle,CloseHandle, 1_2_00000001400B947C
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140034D60 FindFirstFileW,FindNextFileW, 1_2_0000000140034D60
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400D40D8 FindFirstFileW,FindNextFileW, 1_2_00000001400D40D8
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140088D70 GetLogicalDriveStringsW, 1_2_0000000140088D70
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400D4118 CloseHandle,GetSystemInfo,ReleaseMutex,OpenMutexA,GetModuleFileNameA,SetHandleInformation, 1_2_00000001400D4118
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\migration\ Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\replacementmanifests\ Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\migration\wtr\ Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\ Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\ Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\ Jump to behavior
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RUN.exe, 00000001.00000002.2204235009.00000242131D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RUN.exe, 00000001.00000002.2204235009.00000242131B4000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000002.2204235009.0000024213155000.00000004.00000020.00020000.00000000.sdmp, RUN.exe, 00000001.00000003.2037368275.00000242131CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RUN.exe, 00000001.00000003.2050865815.0000024215C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\RUN.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B1216A0 memcpy,strlen,strcpy_s,WideCharToMultiByte,strcpy_s,strcpy_s,strcpy_s,_strlwr,_strlwr,strstr,strcmp,CreateFileA,WideCharToMultiByte,strcpy_s,strcpy_s,strcpy_s,_strlwr,_strlwr,strstr,strcmp,NtWriteFile,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,NtClose,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LdrLoadDll,strcmp,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,NtProtectVirtualMemory,remove,FreeLibrary,free,memcpy,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,strcmp,NtProtectVirtualMemory,strcmp,NtProtectVirtualMemory,strcmp,NtProtectVirtualMemory,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,exit, 0_2_00007FF66B1216A0
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400BB8D4 GetLastError,IsDebuggerPresent,OutputDebugStringW, 1_2_00000001400BB8D4
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400BB8D4 GetLastError,IsDebuggerPresent,OutputDebugStringW, 1_2_00000001400BB8D4
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B1216A0 memcpy,strlen,strcpy_s,WideCharToMultiByte,strcpy_s,strcpy_s,strcpy_s,_strlwr,_strlwr,strstr,strcmp,CreateFileA,WideCharToMultiByte,strcpy_s,strcpy_s,strcpy_s,_strlwr,_strlwr,strstr,strcmp,NtWriteFile,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,NtClose,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,LdrLoadDll,strcmp,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,NtProtectVirtualMemory,remove,FreeLibrary,free,memcpy,WideCharToMultiByte,_strlwr,_strlwr,strstr,strcmp,strcmp,NtProtectVirtualMemory,strcmp,NtProtectVirtualMemory,strcmp,NtProtectVirtualMemory,strcmp,strcmp,strcmp,strcmp,strcmp,strcmp,exit, 0_2_00007FF66B1216A0
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B121180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA, 0_2_00007FF66B121180
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B29D3B8 SetUnhandledExceptionFilter, 0_2_00007FF66B29D3B8
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B14365A SetUnhandledExceptionFilter, 0_2_00007FF66B14365A
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_0000000140096A38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0000000140096A38
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400D42B8 SetUnhandledExceptionFilter, 1_2_00000001400D42B8
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00007FF66B121180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA, 1_2_00007FF66B121180

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF8A8E01690 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleFileNameA,CreateProcessA,FreeLibrary,FreeLibrary,FreeLibrary,VirtualAlloc,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject, 0_2_00007FF8A8E01690
Source: C:\Users\user\Desktop\RUN.exe Memory written: C:\Users\user\Desktop\RUN.exe base: 140000000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Thread register set: target process: 5320 Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Process created: C:\Users\user\Desktop\RUN.exe "C:\Users\user\Desktop\RUN.exe" Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\Desktop\RUN.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000 Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Code function: 0_2_00007FF66B124B40 cpuid 0_2_00007FF66B124B40
Source: C:\Users\user\Desktop\RUN.exe Code function: GetLocaleInfoW, 1_2_00000001400A3090
Source: C:\Users\user\Desktop\RUN.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00000001400AE120
Source: C:\Users\user\Desktop\RUN.exe Code function: EnumSystemLocalesW, 1_2_00000001400ADA38
Source: C:\Users\user\Desktop\RUN.exe Code function: EnumSystemLocalesW, 1_2_00000001400ADB08
Source: C:\Users\user\Desktop\RUN.exe Code function: EnumSystemLocalesW, 1_2_00000001400A2B4C
Source: C:\Users\user\Desktop\RUN.exe Code function: GetLocaleInfoW, 1_2_00000001400D43A0
Source: C:\Users\user\Desktop\RUN.exe Code function: EnumSystemLocalesW, 1_2_00000001400D43B8
Source: C:\Users\user\Desktop\RUN.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 1_2_00000001400AD6EC
Source: C:\Users\user\Desktop\RUN.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_00000001400ADF44
Source: C:\Users\user\Desktop\RUN.exe Code function: GetLocaleInfoEx,FormatMessageA, 1_2_00000001400B8FC4
Source: C:\Users\user\Desktop\RUN.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Code function: 1_2_00000001400B40E8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00000001400B40E8

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: RUN.exe PID: 5320, type: MEMORYSTR
Source: Yara match File source: 00000001.00000002.2204235009.0000024213155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RUN.exe PID: 5320, type: MEMORYSTR
Source: RUN.exe, 00000001.00000002.2204235009.0000024213155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum-LTC\wallets
Source: RUN.exe, 00000001.00000002.2204235009.0000024213155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\wallets
Source: RUN.exe, 00000001.00000003.2088276894.0000024217B26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "software": "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",
Source: RUN.exe, 00000001.00000002.2204235009.0000024213155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: RUN.exe, 00000001.00000002.2204235009.0000024213155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: RUN.exe, 00000001.00000002.2204235009.0000024213155000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\RUN.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001 Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\RUN.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior

Remote Access Functionality

Source: Yara match File source: Process Memory Space: RUN.exe PID: 5320, type: MEMORYSTR
Source: Yara match File source: 00000001.00000002.2204235009.0000024213155000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RUN.exe PID: 5320, type: MEMORYSTR