Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543491
MD5: eab6ffe7b3ed8b11859e3c2858cb1b48
SHA1: c825fcb349ed78c6fe437605ef17a9c1ab76fc32
SHA256: ddff18268a87a6d5200836c3219ba973a0e1a60135d5e543cf06d315348ab71b
Tags: exe, user-Bitsight

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Sets debug register (to hijack the execution of another thread)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: 0.2.file.exe.7ff684ca4000.1.raw.unpack Malware Configuration Extractor: Meduza Stealer {"C2 url": "176.124.204.206", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "mob2", "links": "", "port": 15666}
Source: file.exe ReversingLabs: Detection: 13%
Source: file.exe Virustotal: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140073B40 CryptUnprotectData,LocalFree, 2_2_0000000140073B40
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140038060 CryptUnprotectData,LocalFree, 2_2_0000000140038060
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400D7090 CryptUnprotectData, 2_2_00000001400D7090
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400D7098 CryptProtectData, 2_2_00000001400D7098
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140073E40 CryptProtectData,LocalFree, 2_2_0000000140073E40
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140037350 FindFirstFileW,FindNextFileW, 2_2_0000000140037350
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400BB6BC FindClose,FindFirstFileExW,GetLastError, 2_2_00000001400BB6BC
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400BB76C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 2_2_00000001400BB76C
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400D7100 FindFirstFileW, 2_2_00000001400D7100
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140082D90 GetLogicalDriveStringsW, 2_2_0000000140082D90
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\migration\
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\replacementmanifests\
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\migration\wtr\
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.6:49710 -> 176.124.204.206:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.6:49710 -> 176.124.204.206:15666
Source: global traffic TCP traffic: 192.168.2.6:49710 -> 176.124.204.206:15666
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Accept: text/html; text/plain; */* | Host: api.ipify.org | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 176.124.204.206
Source: Joe Sandbox View IP Address: 172.67.74.152
Source: Joe Sandbox View ASN Name: GULFSTREAMUA
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.6:49710 -> 176.124.204.206:15666
Source: unknown TCP traffic detected without corresponding DNS query: 176.124.204.206
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140080480 recv,recv,closesocket,WSACleanup, 2_2_0000000140080480
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: file.exe String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: attrib.exe, 00000002.00000003.2175011716.000001CBC6811000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248296366.000001CBC6820000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248418397.000001CBC6820000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248681142.000001CBC6824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.a.0/sTy
Source: attrib.exe, 00000002.00000003.2175011716.000001CBC6811000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248296366.000001CBC6820000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248418397.000001CBC6820000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248681142.000001CBC6824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.c.0/ti
Source: attrib.exe, 00000002.00000003.2175011716.000001CBC6811000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248296366.000001CBC6820000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248418397.000001CBC6820000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248681142.000001CBC6824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.hotosh
Source: attrib.exe, 00000002.00000003.2175011716.000001CBC6811000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248296366.000001CBC6820000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248418397.000001CBC6820000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248681142.000001CBC6824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adoraw-se
Source: attrib.exe, 00000002.00000003.2175011716.000001CBC6811000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248296366.000001CBC6820000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248418397.000001CBC6820000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2248681142.000001CBC6824000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.photo/
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0H
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0I
Source: file.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: attrib.exe, 00000002.00000003.2178063570.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2177693075.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2178261280.000001CBC6AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: attrib.exe, 00000002.00000002.2249385777.000001CBC4B34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: attrib.exe, 00000002.00000003.2176826581.000001CBC4BA9000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000002.2249385777.000001CBC4B88000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2179977325.000001CBC4BA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: attrib.exe, 00000002.00000003.2188497809.000001CBC6B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189
Source: attrib.exe, 00000002.00000003.2188497809.000001CBC6B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: attrib.exe, 00000002.00000003.2188497809.000001CBC6B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: attrib.exe, 00000002.00000003.2178063570.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2177693075.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2178261280.000001CBC6AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: attrib.exe, 00000002.00000003.2178063570.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2177693075.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2178261280.000001CBC6AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: attrib.exe, 00000002.00000003.2178063570.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2177693075.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2178261280.000001CBC6AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: attrib.exe, 00000002.00000003.2187827583.000001CBC6C49000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2188497809.000001CBC6B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: attrib.exe, 00000002.00000003.2188497809.000001CBC6B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: attrib.exe, 00000002.00000003.2178063570.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2177693075.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: attrib.exe, 00000002.00000003.2178063570.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2177693075.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: attrib.exe, 00000002.00000003.2178063570.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2177693075.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: attrib.exe, 00000002.00000003.2188497809.000001CBC6B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: attrib.exe, 00000002.00000003.2181457177.000001CBC6D80000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2187555693.000001CBC6CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: attrib.exe, 00000002.00000003.2187827583.000001CBC6BB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: attrib.exe, 00000002.00000003.2187827583.000001CBC6BB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: attrib.exe, 00000002.00000003.2188497809.000001CBC6B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: file.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: attrib.exe, 00000002.00000003.2178063570.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2177693075.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2178261280.000001CBC6AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: attrib.exe, 00000002.00000003.2178063570.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2177693075.000001CBC6B5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: attrib.exe, 00000002.00000003.2181457177.000001CBC6D88000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2182753886.000001CBC7782000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2187827583.000001CBC6BAE000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2181457177.000001CBC6E0B000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2187555693.000001CBC6CA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: attrib.exe, 00000002.00000003.2181457177.000001CBC6D80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org#
Source: attrib.exe, 00000002.00000003.2187827583.000001CBC6BB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: attrib.exe, 00000002.00000003.2187827583.000001CBC6BB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: attrib.exe, 00000002.00000003.2187827583.000001CBC6BB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: attrib.exe, 00000002.00000003.2188497809.000001CBC6B20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140081580 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 2_2_0000000140081580
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140086060 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 2_2_0000000140086060
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400D76C0 NtQuerySystemInformation, 2_2_00000001400D76C0
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400D76D0 NtAllocateVirtualMemory,LdrEnumerateLoadedModules, 2_2_00000001400D76D0
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140085920 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle, 2_2_0000000140085920
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140070D50 2_2_0000000140070D50
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140096D5C 2_2_0000000140096D5C
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140076D60 2_2_0000000140076D60
Source: C:\Windows\System32\attrib.exe Code function: 2_2_000000014003CDE0 2_2_000000014003CDE0
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400AAE2C 2_2_00000001400AAE2C
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140039E39 2_2_0000000140039E39
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140031E50 2_2_0000000140031E50
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140071EB0 2_2_0000000140071EB0
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400A5EC4 2_2_00000001400A5EC4
Source: C:\Windows\System32\attrib.exe Code function: 2_2_000000014004CF20 2_2_000000014004CF20
Source: C:\Windows\System32\attrib.exe Code function: 2_2_000000014006EF60 2_2_000000014006EF60
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400BDF80 2_2_00000001400BDF80
Source: C:\Windows\System32\attrib.exe Code function: 2_2_000000014006DFC0 2_2_000000014006DFC0
Source: C:\Windows\System32\attrib.exe Code function: String function: 0000000140032280 appears 55 times
Source: C:\Windows\System32\attrib.exe Code function: String function: 000000014002DA30 appears 50 times
Source: C:\Windows\System32\attrib.exe Code function: String function: 0000000140036EF0 appears 41 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe Static PE information: Number of sections : 18 > 10
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/1@1/2
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400878B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 2_2_00000001400878B0
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400D7008 AdjustTokenPrivileges, 2_2_00000001400D7008
Source: C:\Windows\System32\attrib.exe Code function: 2_2_000000014003E9C0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 2_2_000000014003E9C0
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400D7720 CoCreateInstance, 2_2_00000001400D7720
Source: C:\Windows\System32\attrib.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963CD40775F
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 13%
Source: file.exe Virustotal: Detection: 13%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\attrib.exe Section loaded: wininet.dll
Source: C:\Windows\System32\attrib.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\attrib.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\attrib.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\attrib.exe Section loaded: wldp.dll
Source: C:\Windows\System32\attrib.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\attrib.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\attrib.exe Section loaded: profapi.dll
Source: C:\Windows\System32\attrib.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\attrib.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\attrib.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\attrib.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\attrib.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\attrib.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\attrib.exe Section loaded: netutils.dll
Source: C:\Windows\System32\attrib.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\attrib.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\attrib.exe Section loaded: schannel.dll
Source: C:\Windows\System32\attrib.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\attrib.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\attrib.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\attrib.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\attrib.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\attrib.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\attrib.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\attrib.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\attrib.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\attrib.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\attrib.exe Section loaded: wintypes.dll
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 1477025 > 1048576
Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x140a00
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\attrib.exe Code function: 2_2_000000014003D930 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_000000014003D930
Source: file.exe Static PE information: real checksum: 0x1690d7 should be: 0x174d44
Source: file.exe Static PE information: section name: .xdata
Source: file.exe Static PE information: section name: /4
Source: file.exe Static PE information: section name: /19
Source: file.exe Static PE information: section name: /31
Source: file.exe Static PE information: section name: /45
Source: file.exe Static PE information: section name: /57
Source: file.exe Static PE information: section name: /70
Source: file.exe Static PE information: section name: /81
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140078020 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle, 2_2_0000000140078020
Source: C:\Windows\System32\attrib.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140037350 FindFirstFileW,FindNextFileW, 2_2_0000000140037350
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400BB6BC FindClose,FindFirstFileExW,GetLastError, 2_2_00000001400BB6BC
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400BB76C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 2_2_00000001400BB76C
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400D7100 FindFirstFileW, 2_2_00000001400D7100
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140082D90 GetLogicalDriveStringsW, 2_2_0000000140082D90
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140098CE0 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 2_2_0000000140098CE0
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\migration\
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\replacementmanifests\
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\migration\wtr\
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Windows\System32\attrib.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: attrib.exe, 00000002.00000002.2249385777.000001CBC4B34000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2176826581.000001CBC4BA9000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000002.2249385777.000001CBC4B88000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2179977325.000001CBC4BA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: attrib.exe, 00000002.00000002.2249385777.000001CBC4B88000.00000004.00000020.00020000.00000000.sdmp, attrib.exe, 00000002.00000003.2179977325.000001CBC4BA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWa
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: attrib.exe, 00000002.00000003.2179069441.000001CBC6C50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\System32\attrib.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\attrib.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\attrib.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140086060 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 2_2_0000000140086060
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140091688 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0000000140091688
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400BD6E0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 2_2_00000001400BD6E0
Source: C:\Windows\System32\attrib.exe Code function: 2_2_000000014003D930 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_000000014003D930
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400A9084 GetProcessHeap, 2_2_00000001400A9084
Source: C:\Windows\System32\attrib.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF684CA1180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF684CA1180
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF684CA3111 SetUnhandledExceptionFilter, 0_2_00007FF684CA3111
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF684DE9388 SetUnhandledExceptionFilter,malloc, 0_2_00007FF684DE9388
Source: C:\Windows\System32\attrib.exe Code function: 2_2_00000001400D72E0 SetUnhandledExceptionFilter, 2_2_00000001400D72E0
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140091688 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0000000140091688

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\System32\attrib.exe base: 140000000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF684CA1719 GetModuleFileNameA,memset,memset,CreateProcessA,CreateProcessA,GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,puts,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,SetThreadContext,ResumeThread,ResumeThread, 0_2_00007FF684CA1719
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\attrib.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Thread register set: target process: 3548
Source: C:\Users\user\Desktop\file.exe Thread register set: 3548 20A6AE70000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\attrib.exe base: 140000000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\attrib.exe base: 140001000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\attrib.exe base: 1400D7000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\attrib.exe base: 140135000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\attrib.exe base: 14013D000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\attrib.exe base: 140144000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\attrib.exe base: 140145000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\attrib.exe base: 140146000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\attrib.exe base: D09B29010
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140076D60 ShellExecuteW, 2_2_0000000140076D60
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe"
Source: C:\Windows\System32\attrib.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_00000001400A80AC
Source: C:\Windows\System32\attrib.exe Code function: GetLocaleInfoEx,FormatMessageA, 2_2_00000001400BB330
Source: C:\Windows\System32\attrib.exe Code function: EnumSystemLocalesW, 2_2_00000001400A83F8
Source: C:\Windows\System32\attrib.exe Code function: EnumSystemLocalesW, 2_2_00000001400A84C8
Source: C:\Windows\System32\attrib.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00000001400A8560
Source: C:\Windows\System32\attrib.exe Code function: EnumSystemLocalesW, 2_2_000000014009D620
Source: C:\Windows\System32\attrib.exe Code function: GetLocaleInfoW, 2_2_00000001400A87AC
Source: C:\Windows\System32\attrib.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00000001400A8904
Source: C:\Windows\System32\attrib.exe Code function: GetLocaleInfoW, 2_2_00000001400A89B4
Source: C:\Windows\System32\attrib.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00000001400A8AE0
Source: C:\Windows\System32\attrib.exe Code function: GetLocaleInfoW, 2_2_000000014009DB64
Source: C:\Windows\System32\attrib.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\attrib.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF684CA1450 GetSystemTime,GetCurrentDirectoryA, 0_2_00007FF684CA1450
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140081B60 GetUserNameW, 2_2_0000000140081B60
Source: C:\Windows\System32\attrib.exe Code function: 2_2_0000000140083040 GetTimeZoneInformation, 2_2_0000000140083040

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: attrib.exe PID: 3548, type: MEMORYSTR
Source: Yara match File source: 00000002.00000002.2249385777.000001CBC4B34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: attrib.exe PID: 3548, type: MEMORYSTR
Source: attrib.exe, 00000002.00000002.2249385777.000001CBC4B34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum\wallets
Source: attrib.exe, 00000002.00000002.2249385777.000001CBC4B34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\config
Source: attrib.exe, 00000002.00000002.2249385777.000001CBC4B34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: attrib.exe, 00000002.00000002.2249385777.000001CBC4B34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: attrib.exe, 00000002.00000002.2249385777.000001CBC4B34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\System32\attrib.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

Remote Access Functionality

Source: Yara match File source: Process Memory Space: attrib.exe PID: 3548, type: MEMORYSTR
Source: Yara match File source: 00000002.00000002.2249385777.000001CBC4B34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: attrib.exe PID: 3548, type: MEMORYSTR