Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538238
MD5: 4691c303b4e07b49aa7dea2efec34923
SHA1: 954df91669f2f85b8bd9c9704bb30c2e8bdb0d49
SHA256: e5e38644d06e2d6e6bc230ada2ce73bb7af3c8074d52aa05b677f5845647e92c
Tags: exe, user-Bitsight

Detection

Score: 14
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
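
The signature list above flags both an invalid PE checksum and an invalid certificate. For a wextract/IExpress self-extractor, which is what wextract.pdb, the IXP000.TMP extraction directory and the RT_RCDATA cabinet further down indicate, that combination is expected: the stub is a pre-built Microsoft binary whose stored CheckSum and signature describe the original file, and the cabinet is stuffed into its resource section afterwards, so neither matches the file that was actually submitted. The script below is an added example; it is not part of the Joe Sandbox report or of any tool the report names. It recomputes the checksum with the same 32-bit fold the Windows imagehlp routine uses, needs only the Python standard library, and builds a small constructed PE32 header (all header values are illustrative) to show the three states a practitioner sees: zero, correct, and mismatched. Pass a path on the command line to check a real sample such as file.exe.

```python
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def checksum_field_offset(data: bytes) -> int:
    """Return the file offset of OptionalHeader.CheckSum, validating the headers on the way."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # CheckSum sits 64 bytes into the optional header for both PE32 and PE32+.
    return e_lfanew + 24 + 64


def compute_pe_checksum(data: bytes) -> int:
    """imagehlp-style checksum: fold every 32-bit word of the file, skipping the CheckSum field itself."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)        # algorithm works on whole dwords
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        (dword,) = struct.unpack_from("<I", padded, i * 4)
        total += dword
        if total >= 2 ** 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    total &= 0xFFFF
    return total + len(data)                         # original, unpadded length


def verify_pe_checksum(data: bytes) -> dict:
    """Compare the stored CheckSum against the computed one; 'unset' means the linker never filled it in."""
    off = checksum_field_offset(data)
    (stored,) = struct.unpack_from("<I", data, off)
    computed = compute_pe_checksum(data)
    return {"stored": stored, "computed": computed, "valid": stored == computed, "unset": stored == 0}


def fix_pe_checksum(data: bytes) -> bytes:
    """Return a copy of data with a correct CheckSum written in (used here to build a known-good sample)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), compute_pe_checksum(data))
    return bytes(buf)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, file header, empty optional header, fake body."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte optional header
    opt_hdr = bytearray(224)
    struct.pack_into("<H", opt_hdr, 0, PE32_MAGIC)
    body = bytes(range(256)) * 4 + b"\x90" * 3                      # odd length exercises the padding path
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(verify_pe_checksum(blob))
```

A zero checksum is common in user-mode binaries because Windows only enforces the field for drivers and boot-time images, so `unset` on its own is not a finding; a nonzero stored value that differs from the computed one is what the report's signature means. The Authenticode hash excludes the CheckSum field, so correcting the checksum neither repairs nor breaks a signature, which is why the separate "invalid certificate" finding is the stronger of the two.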

Classification

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D530D6 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00D530D6
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_e10ea267-1
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: file.exe
Source: Binary string: wextract.pdbGCTL source: file.exe
Source: Binary string: stub.pdbGCTL source: gufcrfmk.iiun.0.dr
Source: Binary string: stub.pdb source: gufcrfmk.iiun.0.dr
Source: Binary string: c:\workspace\iojs+release\nodes\win2008r2-release-ia32\Release\node.pdb source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D5249E FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00D5249E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01046920 GetFileAttributesW,_swprintf,FindFirstFileW,_free,GetLastError,FindNextFileW,FindClose,WideCharToMultiByte,_free,_free,GetLastError, 4_2_01046920
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0103C120 uv_udp_recv_start, 4_2_0103C120
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://code.google.com/p/v8/wiki/DebuggerProtocol
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://daniel.haxx.se/blog/2011/02/21/localhost-hack-on-windows/
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://foo.com
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://invisible-island.net/xterm/ctlseqs/ctlseqs.html
Source: ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://mathiasbynens.be/notes/javascript-encoding
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://mths.be/punycode
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://narwhaljs.org)
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://nodejs.org/
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, fopholde.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://pod.tst.eu/http://cvs.schmorp.de/libev/ev.pod#Be_smart_about_timeouts
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488165504.0000000014208000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://stackoverflow.com/a/5501711/3561
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://tools.ietf.org/html/rfc3492#section-3.4
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://wiki.commonjs.org/wiki/Unit_Testing/1.0
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://www.ecma-international.org/publications/standards/Ecma-262.htm)
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: http://www.squid-cache.org/Doc/config/half_closed_clients/
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488165504.0000000014208000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: https://codereview.chromium.org/121173009/
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: https://github.com/antirez/linenoise
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: https://github.com/isaacs/readable-stream/issues/16
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: https://github.com/joyent/node/issues/1707
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: https://github.com/joyent/node/issues/1726
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: https://github.com/joyent/node/issues/2631
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: https://github.com/joyent/node/issues/3295.
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr String found in binary or memory: https://groups.google.com/forum/?pli=1#
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr String found in binary or memory: https://www.globalsign.com/repository/03
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01040180 uv_cpu_info,GetSystemInfo,_calloc,NtQuerySystemInformation,RtlNtStatusToDosError,__snwprintf,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,WideCharToMultiByte,WideCharToMultiByte,_free,GetLastError,RegCloseKey,GetLastError,_free,_free,_free, 4_2_01040180
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_010470C0 NtSetInformationFile,RtlNtStatusToDosError, 4_2_010470C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_010472A0 NtQueryInformationFile,RtlNtStatusToDosError,NtSetInformationFile, 4_2_010472A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01049C30 SetNamedPipeHandleState,GetLastError,SetLastError,NtQueryInformationFile,CreateIoCompletionPort, 4_2_01049C30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D5209F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00D5209F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D53D86 0_2_00D53D86
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D538C7 0_2_00D538C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D55F17 0_2_00D55F17
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_00FAF450 4_2_00FAF450
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0103FF30 4_2_0103FF30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0125513D 4_2_0125513D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_00F501D0 4_2_00F501D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_011D00A0 4_2_011D00A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0106B300 4_2_0106B300
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_011CF300 4_2_011CF300
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_010B3240 4_2_010B3240
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_011DAAB0 4_2_011DAAB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0111EAC0 4_2_0111EAC0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01123C10 4_2_01123C10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01247C3B 4_2_01247C3B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0103F710 4_2_0103F710
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_011DA7E0 4_2_011DA7E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_00F6B750 4_2_00F6B750
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660EE29 4_2_0660EE29
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660B607 4_2_0660B607
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660BE1F 4_2_0660BE1F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660CF3F 4_2_0660CF3F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660C707 4_2_0660C707
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_066137BB 4_2_066137BB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_06637422 4_2_06637422
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660CCC5 4_2_0660CCC5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660D4DF 4_2_0660D4DF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_06613545 4_2_06613545
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660DD01 4_2_0660DD01
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660E5E6 4_2_0660E5E6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660A5C6 4_2_0660A5C6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660ADDF 4_2_0660ADDF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660D267 4_2_0660D267
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660E2BC 4_2_0660E2BC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660DA82 4_2_0660DA82
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660AB65 4_2_0660AB65
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660C3C9 4_2_0660C3C9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660BBA2 4_2_0660BBA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660EBA7 4_2_0660EBA7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660E866 4_2_0660E866
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660B87F 4_2_0660B87F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660E044 4_2_0660E044
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660A838 4_2_0660A838
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660C147 4_2_0660C147
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660C98D 4_2_0660C98D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_2F813E66 4_2_2F813E66
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_2F8140DC 4_2_2F8140DC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: String function: 01054B30 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: String function: 01104390 appears 156 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: String function: 01054E90 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: String function: 01054DF0 appears 202 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: String function: 0124062F appears 106 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 3632887 bytes, 7 files, at 0x2c +A "gufcrfmk.iiun" +A "ekkmphakhofgs.iiun", ID 11590, number 1, 230 datablocks, 0x1503 compression
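
The RT_RCDATA resource above is the payload cabinet: 7 members, 230 data blocks, typeCompress 0x1503, which decodes to LZX with a 2^21-byte window. Listing the members without extracting them is usually the first triage step, since the names (gufcrfmk.iiun, ekkmphakhofgs.iiun) already show the renamed-extension trick that the "non-matching file extension" signature refers to. The parser below is an added example, not code from the report or from any tool it names: it walks the CFHEADER, CFFOLDER and CFFILE structures of the Microsoft cabinet format, locates a cabinet embedded anywhere in a blob by its MSCF signature, and is exercised on a constructed header-only cabinet whose member names are taken from the report (sizes, timestamps and the surrounding bytes are made up for the demo; no CFDATA blocks are included and nothing is decompressed).

```python
import struct

CFHEADER = "<4sIIIIIBBHHHHH"   # signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
                               # versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = "<IHH"              # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"             # cbFile, uoffFolderStart, iFolder, date, time, attribs, then szName
FLAG_PREV, FLAG_NEXT, FLAG_RESERVE = 0x1, 0x2, 0x4
COMPRESSION = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}


def describe_compression(type_compress: int) -> str:
    """Decode CFFOLDER.typeCompress: low nibble is the method, bits 8-12 the LZX window exponent."""
    method = COMPRESSION.get(type_compress & 0xF, "UNKNOWN")
    if (type_compress & 0xF) == 3:
        method += " window=2^%d" % ((type_compress >> 8) & 0x1F)
    return method


def dos_datetime(date: int, time: int) -> str:
    """CFFILE stores MS-DOS packed date/time; seconds are stored halved."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def _cstring(buf: bytes, pos: int):
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_cab(buf: bytes, off: int = 0) -> dict:
    """Walk the header structures of a cabinet starting at buf[off]; no decompression is attempted."""
    (sig, _, cb_cabinet, _, coff_files, _, vmin, vmaj,
     n_folders, n_files, flags, set_id, _) = struct.unpack_from(CFHEADER, buf, off)
    if sig != b"MSCF":
        raise ValueError("not a cabinet")
    pos = off + struct.calcsize(CFHEADER)
    folder_reserve = 0
    if flags & FLAG_RESERVE:                  # optional per-header / per-folder / per-datablock reserve sizes
        header_reserve, folder_reserve, _ = struct.unpack_from("<HBB", buf, pos)
        pos += 4 + header_reserve
    for flag in (FLAG_PREV, FLAG_NEXT):       # multi-part sets carry cabinet and disk names here
        if flags & flag:
            _, pos = _cstring(buf, pos)
            _, pos = _cstring(buf, pos)
    folders = []
    for _ in range(n_folders):
        coff_cab_start, c_cfdata, type_compress = struct.unpack_from(CFFOLDER, buf, pos)
        folders.append({"data_offset": coff_cab_start, "datablocks": c_cfdata,
                        "compression": describe_compression(type_compress)})
        pos += struct.calcsize(CFFOLDER) + folder_reserve
    files, pos = [], off + coff_files
    for _ in range(n_files):
        cb_file, _, i_folder, date, time, attribs = struct.unpack_from(CFFILE, buf, pos)
        name, pos = _cstring(buf, pos + struct.calcsize(CFFILE))
        files.append({"name": name, "size": cb_file, "folder": i_folder,
                      "archive_attr": bool(attribs & 0x20), "mtime": dos_datetime(date, time)})
    return {"offset": off, "size": cb_cabinet, "version": "%d.%d" % (vmaj, vmin),
            "set_id": set_id, "folders": folders, "files": files}


def find_embedded_cabs(data: bytes) -> list:
    """Scan any blob (e.g. a PE carrying an RT_RCDATA cabinet) for plausible MSCF headers."""
    found, pos = [], data.find(b"MSCF")
    while pos != -1:
        try:
            cab = parse_cab(data, pos)
            if cab["version"] == "1.3" and cab["size"] <= len(data) - pos and cab["files"]:
                found.append(cab)
        except (ValueError, struct.error):    # random MSCF bytes that do not parse as a header
            pass
        pos = data.find(b"MSCF", pos + 4)
    return found


def build_sample_cab(names, type_compress=0x1503) -> bytes:
    """Constructed header-only cabinet (no CFDATA); sizes, dates and set ID are invented for the demo."""
    folder = struct.pack(CFFOLDER, 0, 230, type_compress)
    entries = b""
    for i, name in enumerate(names):
        entries += struct.pack(CFFILE, 100 * (i + 1), 100 * i, 0, 0x5921, 0x4A6F, 0x20) + name.encode() + b"\0"
    coff_files = struct.calcsize(CFHEADER) + len(folder)
    header = struct.pack(CFHEADER, b"MSCF", 0, coff_files + len(entries), 0, coff_files, 0,
                         3, 1, 1, len(names), 0, 0x1234, 0)
    return header + folder + entries


if __name__ == "__main__":
    blob = b"MZ" + b"\0" * 510 + build_sample_cab(["gufcrfmk.iiun", "ekkmphakhofgs.iiun"]) + b"\0" * 16
    for cab in find_embedded_cabs(blob):
        print("cabinet at 0x%x, %d bytes, %s" % (cab["offset"], cab["size"], cab["folders"][0]["compression"]))
        for f in cab["files"]:
            print("  %-24s %8d  %s" % (f["name"], f["size"], f["mtime"]))
```

On the real sample, read file.exe into `data` and call `find_embedded_cabs(data)`; the `datablocks` and `compression` values should match the 230 and 0x1503 reported above, and a member list that mixes an `.exe`-sized entry with `.iiun` names is the content/extension mismatch the signature describes. Extraction itself is best left to `expand.exe`, `7z` or `cabextract`.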
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamenode.exe* vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs file.exe
Source: classification engine Classification label: clean14.evad.winEXE@7/8@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D55BD2 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_00D55BD2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_00FAF450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 4_2_00FAF450
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D52E59 memset,memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceA,LoadResource, 0_2_00D52E59
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /d /c bxskiicciwd.bat 342745396
Source: C:\Users\user\Desktop\file.exe Command line argument: Kernel32.dll 0_2_00D52DA4
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /d /c bxskiicciwd.bat 342745396
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe fopholde.exe lfssylb.iiun 342745396
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /d /c bxskiicciwd.bat 342745396
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe fopholde.exe lfssylb.iiun 342745396
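
The process lines above are the complete IExpress lifecycle: the wextract stub (OriginalFilename WEXTRACT.EXE) unpacks into %TEMP%\IXP000.TMP, runs the package's configured command through cmd.exe /d /c <batch>, the batch starts the renamed node.exe (fopholde.exe, OriginalFilename node.exe) on a script with an invented extension, and rundll32 advpack.dll,DelNodeRunDLL32 deletes the directory afterwards. The detector below is an added example and not part of the report; it scores process-creation events in a Sysmon-like shape that is the example's own (field names, rule names and the threshold of three distinct rules per process tree are assumptions), using sample events constructed from the command lines shown above plus one benign process for contrast. The rundll32 event is given no parent because the report lists its parent as unknown.

```python
import re

# Constructed sample events (field names are this example's own) built from the report's command lines;
# pid 5 is a benign control process that does not appear in the report.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Users\user\Desktop\file.exe",
     "cmdline": r'"C:\Users\user\Desktop\file.exe"', "original_filename": "WEXTRACT.EXE"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /d /c bxskiicciwd.bat 342745396", "original_filename": "Cmd.Exe"},
    {"pid": 3, "ppid": 2, "image": r"C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe",
     "cmdline": "fopholde.exe lfssylb.iiun 342745396", "original_filename": "node.exe"},
    {"pid": 4, "ppid": 0, "image": r"C:\Windows\System32\rundll32.exe",   # parent unknown in the report
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"',
     "original_filename": "RUNDLL32.EXE"},
    {"pid": 5, "ppid": 0, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "original_filename": "NOTEPAD.EXE"},
]

IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)   # wextract extraction directory
ARG_FILE = re.compile(r"(?<!\S)[\w.-]+\.([A-Za-z]{2,5})(?!\S)")           # bare file-name arguments
KNOWN_EXTS = {"exe", "dll", "bat", "cmd", "js", "vbs", "ps1", "txt", "log",
              "ini", "inf", "cab", "tmp", "dat", "json"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def rules_for(event: dict) -> list:
    """Per-process heuristics; each one alone is noisy, the tree-level aggregation below is the verdict."""
    hits = []
    image, cmd = event["image"], event["cmdline"]
    exe = basename(image).lower()
    if IXP_DIR.search(image):
        hits.append("image_in_ixp_tmp")
    if exe == "rundll32.exe" and "advpack.dll,delnoderundll32" in cmd.lower() and IXP_DIR.search(cmd):
        hits.append("advpack_delnode_cleanup")
    if exe == "cmd.exe" and re.search(r"/c\s+\S+\.(bat|cmd)\b", cmd, re.I):
        hits.append("cmd_runs_batch")
    orig = event.get("original_filename", "")
    if orig and orig.lower() != exe:                  # version-info name differs from on-disk name
        hits.append("original_filename_mismatch")
    args = cmd.split(" ", 1)[1] if " " in cmd else ""  # naive split; quoted image paths with spaces need more care
    for m in ARG_FILE.finditer(args):
        if m.group(1).lower() not in KNOWN_EXTS:
            hits.append("unusual_extension_argument")
            break
    return hits


def flag_iexpress_chains(events: list, threshold: int = 3) -> dict:
    """Group every root process with its descendants and flag trees that trip >= threshold distinct rules."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e["pid"])

    def subtree(pid):
        out = [pid]
        for child in children.get(pid, []):
            out.extend(subtree(child))
        return out

    verdicts = {}
    for e in events:
        if e["ppid"] in by_pid:                      # only roots (parent not in the event set) start a tree
            continue
        tree = subtree(e["pid"])
        rules = sorted({r for p in tree for r in rules_for(by_pid[p])})
        verdicts[e["pid"]] = {"tree": tree, "rules": rules, "suspicious": len(rules) >= threshold}
    return verdicts


if __name__ == "__main__":
    for root, v in flag_iexpress_chains(SAMPLE_EVENTS).items():
        print(root, "SUSPICIOUS" if v["suspicious"] else "ok", v["rules"])
```

Legitimate IExpress installers trip image_in_ixp_tmp and advpack_delnode_cleanup as well, which is why neither is a detection on its own; what separates a packaged node.exe runner from an ordinary installer is the combination of a renamed interpreter (OriginalFilename mismatch) with a script argument whose extension is meaningless, both of which the report records above.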
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: advpack.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Section loaded: perfos.dll
Source: file.exe Static file information: File size 3787944 > 1048576
Source: file.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x392600
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wextract.pdb source: file.exe
Source: Binary string: wextract.pdbGCTL source: file.exe
Source: Binary string: stub.pdbGCTL source: gufcrfmk.iiun.0.dr
Source: Binary string: stub.pdb source: gufcrfmk.iiun.0.dr
Source: Binary string: c:\workspace\iojs+release\nodes\win2008r2-release-ia32\Release\node.pdb source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr
Source: file.exe Static PE information: 0xA889EAE7 [Fri Aug 8 23:27:35 2059 UTC]
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D530D6 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00D530D6
Source: gufcrfmk.iiun.0.dr Static PE information: real checksum: 0x9edd should be: 0x146df0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D575C1 push ecx; ret 0_2_00D575D4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_010C1180 push ecx; mov dword ptr [esp], ecx 4_2_010C1181
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0124B405 push ecx; ret 4_2_0124B418
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660F751 push ecx; ret 4_2_0660F7AB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660FC20 push ecx; ret 4_2_0660FD75
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660FA60 push ecx; ret 4_2_0660FBCF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660F860 push ecx; ret 4_2_0660FA0A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660F773 push ecx; ret 4_2_0660F7AB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_06613F7A push ecx; ret 4_2_0660F7AB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660F740 push ecx; ret 4_2_0660F7AB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660FA20 push ecx; ret 4_2_0660FBCF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660FBE0 push ecx; ret 4_2_0660FD75
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0660F820 push ecx; ret 4_2_0660FA0A
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\gufcrfmk.iiun
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D51BD3 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00D51BD3
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_00FAF450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 4_2_00FAF450
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_00FAF450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 4_2_00FAF450
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\gufcrfmk.iiun
Source: C:\Users\user\Desktop\file.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe API coverage: 7.4 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D5249E FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00D5249E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01046920 GetFileAttributesW,_swprintf,FindFirstFileW,_free,GetLastError,FindNextFileW,FindClose,WideCharToMultiByte,_free,_free,GetLastError, 4_2_01046920
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D556B2 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00D556B2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun
Source: fopholde.exe, 00000004.00000002.1488165504.0000000014208000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GuaHGFSkP
Source: fopholde.exe, 00000004.00000002.1486314859.000000000193A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: fopholde.exe, 00000004.00000002.1486314859.000000000193A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8@
Source: fopholde.exe.2.dr Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01052920 ??0Unlocker@v8@@QAE@PAVIsolate@1@@Z,LdrInitializeThunk,?Exit@Isolate@v8@@QAEXXZ, 4_2_01052920
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01241CAA IsDebuggerPresent, 4_2_01241CAA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_00FAF450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId, 4_2_00FAF450
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_010F41E0 VirtualAlloc ?,00001000,00001000,00000102,?,00009000,00000000,?,010F3A5C,? 4_2_010F41E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D530D6 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00D530D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D57260 SetUnhandledExceptionFilter, 0_2_00D57260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D57006 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00D57006
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0124DC97 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0124DC97
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Memory allocated: page readonly | page guard
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe fopholde.exe lfssylb.iiun 342745396
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D518BF LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, 0_2_00D518BF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Queries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D574B9 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00D574B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D52DA4 GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, 0_2_00D52DA4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0104A1B0 uv_pipe_bind,WaitNamedPipeW,WaitNamedPipeW,GetLastError,GetLastError,GetLastError,PostQueuedCompletionStatus,GetLastError,uv_pipe_connect,GetLastError,WaitNamedPipeW,MultiByteToWideChar, 4_2_0104A1B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_010509D0 uv_udp_set_ttl,uv_udp_bind,setsockopt,WSAGetLastError, 4_2_010509D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0106A1F0 ?SetDebugEventListener2@Debug@v8@@SA_NP6AXABVEventDetails@12@@ZV?$Handle@VValue@v8@@@2@@Z, 4_2_0106A1F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0106A040 ?SetDebugEventListener@Debug@v8@@SA_NP6AXW4DebugEvent@2@V?$Handle@VObject@v8@@@2@1V?$Handle@VValue@v8@@@2@@Z2@Z, 4_2_0106A040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01050890 uv_udp_set_broadcast,uv_udp_bind,setsockopt,WSAGetLastError, 4_2_01050890
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01050300 uv_udp_bind6, 4_2_01050300
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01050B30 uv_udp_set_multicast_loop,uv_udp_bind,setsockopt,WSAGetLastError, 4_2_01050B30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01068370 ?AddMessageListener@V8@v8@@SA_NP6AXV?$Handle@VMessage@v8@@@2@V?$Handle@VValue@v8@@@2@@Z1@Z, 4_2_01068370
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0106A3A0 ?SetDebugEventListener@Debug@v8@@SA_NV?$Handle@VObject@v8@@@2@V?$Handle@VValue@v8@@@2@@Z, 4_2_0106A3A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_010493C0 uv_listen, 4_2_010493C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0104FBE0 socket,closesocket,setsockopt,bind,WSAGetLastError, 4_2_0104FBE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01050260 uv_udp_bind, 4_2_01050260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01050A80 uv_udp_set_multicast_ttl,uv_udp_bind,setsockopt,WSAGetLastError, 4_2_01050A80
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0104E2C0 uv_tcp_bind,GetLastError,WSAGetLastError, 4_2_0104E2C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0104E510 uv_tcp_bind6,GetLastError,WSAGetLastError, 4_2_0104E510
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01068540 ?RemoveMessageListeners@V8@v8@@SAXP6AXV?$Handle@VMessage@v8@@@2@V?$Handle@VValue@v8@@@2@@Z@Z, 4_2_01068540
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0103BDB0 uv_tcp_bind, 4_2_0103BDB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0104FCD0 socket,WSAGetLastError,closesocket,setsockopt,bind, 4_2_0104FCD0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0103BF40 uv_udp_bind6, 4_2_0103BF40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0104FF40 uv_udp_bind, 4_2_0104FF40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_01050790 uv_udp_set_membership,uv_udp_bind,inet_addr,inet_addr,htonl,inet_addr,setsockopt,WSAGetLastError, 4_2_01050790
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0103BE30 uv_tcp_bind6, 4_2_0103BE30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe Code function: 4_2_0103BEC0 uv_udp_bind, 4_2_0103BEC0
No contacted IP infos