Windows Analysis Report
Nulzuen.exe

Overview

General Information

Sample name: Nulzuen.exe
Analysis ID: 1532995
MD5: d938c113f658fc52b4c41faadcb47284
SHA1: b57eecf6bb4176275570f20e94b6f0ea60516afa
SHA256: 1761faeed48354d8053f484beba69c9af1eecfc6716219875409586bc12357a0
Tags: exe, SPAM-ITA, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Nulzuen.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\Zwrgmbkirk.exe Avira: detection malicious, Label: HEUR/AGEN.1310716
Source: C:\Users\user\AppData\Roaming\Zwrgmbkirk.exe ReversingLabs: Detection: 57%
Source: Nulzuen.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Zwrgmbkirk.exe Joe Sandbox ML: detected
Source: Nulzuen.exe Joe Sandbox ML: detected
Source: Nulzuen.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Nulzuen.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.pdb\ source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbguNiE source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb8 source: InstallUtil.exe, 00000002.00000002.2577260300.0000000005B34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1360178281.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003A02000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbH6a source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1360178281.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003A02000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdbi source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbdo source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbb source: InstallUtil.exe, 00000002.00000002.2577260300.0000000005B34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbRi1 source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbG source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdbb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vlUtil.pdblJX source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2577260300.0000000005B34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb.NETFrameworkv4.0.30319InstallUtil.exe source: InstallUtil.exe, 00000002.00000002.2577260300.0000000005B34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdbj source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 4x nop then jmp 058A8F4Eh 0_2_058A9033
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_058C619F
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_058C61A0
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 4x nop then jmp 058C19D0h 0_2_058C1918
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 4x nop then jmp 058C19D0h 0_2_058C1910
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_058C6A08
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0591DAF8
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C47A8 NtResumeThread, 0_2_058C47A8
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C2EB0 NtProtectVirtualMemory, 0_2_058C2EB0
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C47A3 NtResumeThread, 0_2_058C47A3
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C2EA8 NtProtectVirtualMemory, 0_2_058C2EA8
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C4898 NtResumeThread, 0_2_058C4898
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C48DB NtResumeThread, 0_2_058C48DB
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0277D5AD 0_2_0277D5AD
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_02779278 0_2_02779278
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_02779268 0_2_02779268
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0277D518 0_2_0277D518
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_02779850 0_2_02779850
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_02779846 0_2_02779846
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0583142C 0_2_0583142C
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0583BC33 0_2_0583BC33
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05834100 0_2_05834100
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05830040 0_2_05830040
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05832EE0 0_2_05832EE0
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0583A600 0_2_0583A600
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0583A610 0_2_0583A610
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05834158 0_2_05834158
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05830007 0_2_05830007
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05835361 0_2_05835361
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05835370 0_2_05835370
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058A9996 0_2_058A9996
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058A55D8 0_2_058A55D8
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058AACF8 0_2_058AACF8
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058AD6A0 0_2_058AD6A0
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058A92B8 0_2_058A92B8
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058AA1F2 0_2_058AA1F2
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058A99F7 0_2_058A99F7
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058AA12A 0_2_058AA12A
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058AECA8 0_2_058AECA8
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058AECB8 0_2_058AECB8
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058AD690 0_2_058AD690
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058AA2E0 0_2_058AA2E0
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058AAA6A 0_2_058AAA6A
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058CAE68 0_2_058CAE68
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058CA038 0_2_058CA038
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C0040 0_2_058C0040
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C0007 0_2_058C0007
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C9AE8 0_2_058C9AE8
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05910006 0_2_05910006
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05910040 0_2_05910040
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05935CE0 0_2_05935CE0
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0593C9D0 0_2_0593C9D0
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05934320 0_2_05934320
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05935CD0 0_2_05935CD0
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0593C9C3 0_2_0593C9C3
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_059485A0 0_2_059485A0
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0594D468 0_2_0594D468
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05948BF4 0_2_05948BF4
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0594C270 0_2_0594C270
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0594C597 0_2_0594C597
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05948590 0_2_05948590
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05940011 0_2_05940011
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05949068 0_2_05949068
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_0594522F 0_2_0594522F
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05CBDC88 0_2_05CBDC88
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05CA0040 0_2_05CA0040
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05CBD018 0_2_05CBD018
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_05CA001C 0_2_05CA001C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A75B0 2_2_015A75B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A2F98 2_2_015A2F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A3DB2 2_2_015A3DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4410 2_2_015A4410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4420 2_2_015A4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4F0C 2_2_015A4F0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A6FE7 2_2_015A6FE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A2F87 2_2_015A2F87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4E58 2_2_015A4E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4E40 2_2_015A4E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4E72 2_2_015A4E72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4ED5 2_2_015A4ED5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4EF2 2_2_015A4EF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4E87 2_2_015A4E87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4EB8 2_2_015A4EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_015A4EA1 2_2_015A4EA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_05A36610 2_2_05A36610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 1156
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Nulzuen.exe
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Nulzuen.exe
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBabeoie.exe" vs Nulzuen.exe
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Nulzuen.exe
Source: Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Nulzuen.exe
Source: Nulzuen.exe, 00000000.00000002.1342418283.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Nulzuen.exe
Source: Nulzuen.exe, 00000000.00000002.1360178281.0000000005A60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Nulzuen.exe
Source: Nulzuen.exe, 00000000.00000002.1353281965.0000000003A02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Nulzuen.exe
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBabeoie.exe" vs Nulzuen.exe
Source: Nulzuen.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Nulzuen.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Zwrgmbkirk.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Nulzuen.exe, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Nulzuen.exe, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Zwrgmbkirk.exe.0.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Zwrgmbkirk.exe.0.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Nulzuen.exe.3c28fa8.2.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Nulzuen.exe.3c28fa8.2.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, rakZfSotVXyKmO1lGj.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, VsxIl24sP7Y0tFKHGw.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, VsxIl24sP7Y0tFKHGw.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, aheBHS3XyMMU7km6TQw.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, aheBHS3XyMMU7km6TQw.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.evad.winEXE@4/2@0/0
Source: C:\Users\user\Desktop\Nulzuen.exe File created: C:\Users\user\AppData\Roaming\Zwrgmbkirk.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a0ec0359-5c22-4306-a80c-f33dc30e0356
Source: Nulzuen.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Nulzuen.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Nulzuen.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Nulzuen.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\Nulzuen.exe File read: C:\Users\user\Desktop\Nulzuen.exe
Source: unknown Process created: C:\Users\user\Desktop\Nulzuen.exe "C:\Users\user\Desktop\Nulzuen.exe"
Source: C:\Users\user\Desktop\Nulzuen.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7828 -s 1156
Source: C:\Users\user\Desktop\Nulzuen.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Nulzuen.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Nulzuen.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Nulzuen.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Nulzuen.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Nulzuen.exe Static file information: File size 1374720 > 1048576
Source: Nulzuen.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14f000
Source: Nulzuen.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2577260300.0000000005B34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb.NETFrameworkv4.0.30319InstallUtil.exe source: InstallUtil.exe, 00000002.00000002.2577260300.0000000005B34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdbj source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, aheBHS3XyMMU7km6TQw.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: Nulzuen.exe, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: Zwrgmbkirk.exe.0.dr, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.Nulzuen.exe.3c28fa8.2.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, rakZfSotVXyKmO1lGj.cs .Net Code: GwkX85cdpcqgYJvA6W7 System.AppDomain.Load(byte[])
Source: 0.2.Nulzuen.exe.57d0000.5.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.Nulzuen.exe.57d0000.5.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.Nulzuen.exe.57d0000.5.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.Nulzuen.exe.57d0000.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.Nulzuen.exe.57d0000.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 0.2.Nulzuen.exe.5950000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1359492116.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Nulzuen.exe PID: 7712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7828, type: MEMORYSTR
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_02770991 push ds; retn 0000h 0_2_02770992
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058ABC9C pushad ; retf 0_2_058ABC9D
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058AC8EB push ebp; ret 0_2_058AC8ED
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C3C9F pushfd ; iretd 0_2_058C3CB1
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C6F8F pushfd ; iretd 0_2_058C6F95
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_058C6000 push 5C058978h; retf 0_2_058C6005
Source: C:\Users\user\Desktop\Nulzuen.exe Code function: 0_2_059431F7 push edx; iretd 0_2_059431F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_05A334D1 pushfd ; retf 2_2_05A334D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 2_2_05A32ABA push edi; retf 2_2_05A32ABB
Source: Nulzuen.exe Static PE information: section name: .text entropy: 7.993309084976368
Source: Zwrgmbkirk.exe.0.dr Static PE information: section name: .text entropy: 7.993309084976368
Source: 0.2.Nulzuen.exe.5180000.4.raw.unpack, CS7iRKjFSCYonXdHIjy.cs High entropy of concatenated method names: 'kGtjxWjhWr', 'iLqWXP5EyYDULZmTcsw', 'k9LbdE5QNOf7J2Qtr0Q', 'ud6r1q5ZUgtqeZklUyw', 'JsG2fg5HJ0r8DT9SNEu', 'zH3ZQk5sETgI5JCx18G', 'BacALZ5hjJImatHKBHs'
Source: 0.2.Nulzuen.exe.5180000.4.raw.unpack, njTXnQcOiYLgE6jbIg9.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'mfwcKgN472', 'NtProtectVirtualMemory', 'pHiGSY74TBGS27pHdss', 'oeOxxM7X8JMDOEvXg1a', 'KmxLVX7RwDcYmo8gREv', 'BvLEri7NFAhrLE5NmLx'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, -Module--854d8771-8713-4a41-bf73-aa5bde6e6cb4-.cs High entropy of concatenated method names: 'kc8d26309dde547208d3ae1a0f4a001b3', 'ReadPublisher', 'QueryPublisher', 'LoginPublisher', 'fKEEgMAnS9A1Kf9NFd4', 'drZ1igAe7dt6doU6ssL', 'I94O8OAgA9si5Hs7xrg', 'kpwlm2ABy041wyL8E95', 'Gx16rxAhr23CbxBSMrO', 'puTkshAa7hQpUQcqkxP'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, rakZfSotVXyKmO1lGj.cs High entropy of concatenated method names: 'Q0Ie62bMK', 'Long7MXDN', 'auUnFICfb', 'CmjBSky92', 'NSxh60KON', 'FD7aURxH6', 'kJD9OCE9S', 'w2gKpMFTH', 'eyJfCrc8UtE5eZAlGf4', 'Ea9RC1cun0n53315nIy'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, VsxIl24sP7Y0tFKHGw.cs High entropy of concatenated method names: 'GtW3K5B1hP', 'zdb3sIHwUo', 'MG3mg0ChmMJWmCAqda1', 'dxqrOsCaHiEBDy7wJB3', 'fqDZFZCgUDd5dfu6Bxf', 'NDjlYQCnLurwWAX8yXQ', 'Av43iQCPQt', 'YPLKYpCVt4VgojLooKo', 'ld2iEVCW5OjAEmEadhr', 'kKpOopCibckNw1SPJc5'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, fCVkBlRTSeQ4a0d1yy7.cs High entropy of concatenated method names: 'mkORd8l9c6', 'kC5Rz2Sdr7', 'ukDcN508MF', 'JnocI38RRl', 'Iqwc3MKYk7', 'A3LcyTDolA', 'b1vcRgs5qB', 'wkmccCXGgx', 'DDScm8aIBO', 'jKMcOXQQ24'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, aheBHS3XyMMU7km6TQw.cs High entropy of concatenated method names: 'fQxrB2AFK7HE36YSUtf', 'oM7ZklAG1ARkoF5h5Oe', 'RsSRVtmfKs', 'lOSdBcA5aQuxlrP2290', 'QFwLcGAZywGGZg7406a', 'IikLCwA6eXAM4aHui11', 'BqWwQ0AbCaiuJRs59wI', 'HAqZRkATCpMXXJbpThU', 'hto1wlAllhxdQbM0uFZ', 'jYOaoUA1fAGEreg2It7'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, wuu546ViriGp2YwY6T.cs High entropy of concatenated method names: 'ITui6cr4D', 'NH603MubP', 'zybQ4JTcc', 'WRJl1Pm2l7EZTbD1BXM', 'SyAxTumDQisAUqE1Mip', 'L5cq3lm73Ui2U1paxyS', 'SlE1PGmUI75gmVTKSyZ', 'PGnOdLm44Algpq26iRt', 'no9nEhmY65DeLOwcHpn', 'y6r0LBmPDhEsV6EpEhR'
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, hUn6J43lq3MZtXkUK87.cs High entropy of concatenated method names: 'skHrM3ZEkJ', 'UitB3DAQOCWtTMPXX8X', 'eDjfYnALZIDSVmIa1uZ', 'V14kOHApdNt12WCvLQL', 'WoacLvAUIoD8jOFXxwU', 'Hc0FaZA4mg9Ag7nPjqH', 'JZK7L5AiOP6EorZObhU', 'l3f04OA0DJAj0gHmIrI', 'QguCJ6A2VUXlJMQPHDH', 'FgdRysADKGpWOo81wDx'
Source: C:\Users\user\Desktop\Nulzuen.exe File created: C:\Users\user\AppData\Roaming\Zwrgmbkirk.exe
Source: C:\Users\user\Desktop\Nulzuen.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Zwrgmbkirk
Source: C:\Users\user\Desktop\Nulzuen.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Nulzuen.exe PID: 7712, type: MEMORYSTR
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL@\_Q
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE|VIRTUAL|A M I|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT|VMWARE|VIRTUALXJOHNYANNAZXXXXXXXX
Source: C:\Users\user\Desktop\Nulzuen.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Nulzuen.exe Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Nulzuen.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 1560000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3170000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 5170000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Nulzuen.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\Desktop\Nulzuen.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware\V
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $_q 1:en-CH:Microsoft|VMWare|Virtual
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen@\_q
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWareLR_q
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen(__q
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $_q 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware|VIRTUAL|A M I|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft|VMWare|VirtualXjohnYannaZxxxxxxxx
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CdHxclW7 pDsOu8 og7DuuEL@\_q0Microsoft|VMWare|V<"
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareLR_qd
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 6WYV8 GEV4RL7OLC@\_q0VMware|VIRTUAL|A M<
Source: C:\Users\user\Desktop\Nulzuen.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Nulzuen.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Nulzuen.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Nulzuen.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Nulzuen.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\Nulzuen.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\Nulzuen.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 486000
Source: C:\Users\user\Desktop\Nulzuen.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 488000
Source: C:\Users\user\Desktop\Nulzuen.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1105008
Source: C:\Users\user\Desktop\Nulzuen.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Nulzuen.exe Queries volume information: C:\Users\user\Desktop\Nulzuen.exe VolumeInformation
Source: C:\Users\user\Desktop\Nulzuen.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Nulzuen.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Users\user\Desktop\Nulzuen.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos