Windows Analysis Report
iuhmzvlH.cmd

Overview

General Information

Sample name: iuhmzvlH.cmd
Analysis ID: 1562861
MD5: b87f096cbc25570329e2bb59fee57580
SHA1: d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256: d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
Tags: cmddoganalecmduser-JAMESWT_MHT

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Sigma detected: Execution from Suspicious Folder
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension

Classification

Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000002.00000003.2054845712.00000133B7990000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000005.00000000.2058646531.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000006.00000000.2059683551.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000007.00000000.2060949975.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000007.00000002.2157971587.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000009.00000000.2158815042.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000009.00000002.2161338491.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000A.00000002.2162246691.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000A.00000000.2161703712.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000B.00000002.2163213670.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000B.00000000.2162595664.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif.2.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000004.00000003.2056904803.00000256300D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000008.00000000.2061254196.00007FF6F7634000.00000002.00000001.01000000.00000005.sdmp, xpha.pif, 00000008.00000002.2157147929.00007FF6F7634000.00000002.00000001.01000000.00000005.sdmp, xpha.pif.4.dr
Source: Binary string: cmd.pdb source: esentutl.exe, 00000002.00000003.2054845712.00000133B7990000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000005.00000000.2058646531.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000005.00000002.2059253636.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000006.00000002.2060554341.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000006.00000000.2059683551.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000007.00000000.2060949975.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000007.00000002.2157971587.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000009.00000000.2158815042.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 00000009.00000002.2161338491.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000A.00000002.2162246691.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000A.00000000.2161703712.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000B.00000002.2163213670.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif, 0000000B.00000000.2162595664.00007FF718D72000.00000002.00000001.01000000.00000004.sdmp, alpha.pif.2.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000004.00000003.2056904803.00000256300D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000008.00000000.2061254196.00007FF6F7634000.00000002.00000001.01000000.00000005.sdmp, xpha.pif, 00000008.00000002.2157147929.00007FF6F7634000.00000002.00000001.01000000.00000005.sdmp, xpha.pif.4.dr
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 5_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 5_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 5_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 5_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose, 5_2_00007FF718D67B4C
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 6_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 6_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 6_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF718D67B4C
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 9_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 9_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 9_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 9_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose, 9_2_00007FF718D67B4C
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D589E4 NtQueryInformationToken,NtQueryInformationToken, 5_2_00007FF718D589E4
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D5898C NtQueryInformationToken, 5_2_00007FF718D5898C
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D43D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 5_2_00007FF718D43D94
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D71538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 5_2_00007FF718D71538
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D57FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 5_2_00007FF718D57FF8
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D58114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 5_2_00007FF718D58114
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D6BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 5_2_00007FF718D6BCF0
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D588C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 5_2_00007FF718D588C0
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D589E4 NtQueryInformationToken,NtQueryInformationToken, 6_2_00007FF718D589E4
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D5898C NtQueryInformationToken, 6_2_00007FF718D5898C
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D43D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 6_2_00007FF718D43D94
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D71538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 6_2_00007FF718D71538
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D57FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 6_2_00007FF718D57FF8
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D58114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 6_2_00007FF718D58114
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D6BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 6_2_00007FF718D6BCF0
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D588C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 6_2_00007FF718D588C0
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D57FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 9_2_00007FF718D57FF8
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D58114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 9_2_00007FF718D58114
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D589E4 NtQueryInformationToken,NtQueryInformationToken, 9_2_00007FF718D589E4
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D5898C NtQueryInformationToken, 9_2_00007FF718D5898C
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D43D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 9_2_00007FF718D43D94
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D71538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 9_2_00007FF718D71538
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D6BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 9_2_00007FF718D6BCF0
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D588C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 9_2_00007FF718D588C0
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D45240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 5_2_00007FF718D45240
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D54224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList, 5_2_00007FF718D54224
Source: C:\Users\Public\alpha.pif File created: C:\Windows 
Source: C:\Users\Public\alpha.pif File created: C:\Windows \SysWOW64
Source: C:\Users\Public\alpha.pif File deleted: C:\Windows \SysWOW64
Source: C:\Users\Public\alpha.pif Code function: String function: 00007FF718D53448 appears 54 times
Source: classification engine Classification label: mal56.evad.winCMD@20/4@0/1
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D432B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError, 5_2_00007FF718D432B0
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D6FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z, 5_2_00007FF718D6FB54
Source: C:\Windows\System32\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_03
Source: C:\Windows\System32\esentutl.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\iuhmzvlH.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\esentutl.exe Section loaded: esent.dll
Source: C:\Windows\System32\esentutl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Public\xpha.pif Section loaded: iphlpapi.dll
Source: C:\Users\Public\xpha.pif Section loaded: winnsi.dll
Source: C:\Users\Public\xpha.pif Section loaded: mswsock.dll
Source: alpha.pif.2.dr Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
Source: alpha.pif.2.dr Static PE information: section name: .didat

Persistence and Installation Behavior

Source: C:\Windows\System32\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\System32\esentutl.exe File created: C:\Users\Public\xpha.pif

Boot Survival

Source: C:\Windows\System32\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\System32\esentutl.exe File created: C:\Users\Public\xpha.pif
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\alpha.pif Evaded block: after key decision
Source: C:\Users\Public\alpha.pif API coverage: 6.5 %
Source: C:\Users\Public\alpha.pif API coverage: 6.3 %
Source: C:\Users\Public\alpha.pif API coverage: 8.4 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\xpha.pif Last function: Thread delayed
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 5_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 5_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 5_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 5_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose, 5_2_00007FF718D67B4C
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 6_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 6_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 6_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF718D67B4C
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D52978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 9_2_00007FF718D52978
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D5823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 9_2_00007FF718D5823C
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D435B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 9_2_00007FF718D435B8
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D41560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 9_2_00007FF718D41560
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D67B4C FindFirstFileW,FindNextFileW,FindClose, 9_2_00007FF718D67B4C
Source: xpha.pif, 00000008.00000002.2156162133.000001F3A5759000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D663FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 5_2_00007FF718D663FC
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D54A14 GetEnvironmentStringsW,GetProcessHeap,HeapAlloc,memmove,FreeEnvironmentStringsW, 5_2_00007FF718D54A14
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D58FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF718D58FA4
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D593B0 SetUnhandledExceptionFilter, 5_2_00007FF718D593B0
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D58FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FF718D58FA4
Source: C:\Users\Public\alpha.pif Code function: 6_2_00007FF718D593B0 SetUnhandledExceptionFilter, 6_2_00007FF718D593B0
Source: C:\Users\Public\xpha.pif Code function: 8_2_00007FF6F7633840 SetUnhandledExceptionFilter, 8_2_00007FF6F7633840
Source: C:\Users\Public\xpha.pif Code function: 8_2_00007FF6F7633644 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF6F7633644
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D58FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00007FF718D58FA4
Source: C:\Users\Public\alpha.pif Code function: 9_2_00007FF718D593B0 SetUnhandledExceptionFilter, 9_2_00007FF718D593B0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 5_2_00007FF718D551EC
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 5_2_00007FF718D53140
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 5_2_00007FF718D46EE4
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 6_2_00007FF718D551EC
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 6_2_00007FF718D53140
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 6_2_00007FF718D46EE4
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 9_2_00007FF718D551EC
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 9_2_00007FF718D53140
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 9_2_00007FF718D46EE4
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D59584 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 5_2_00007FF718D59584
Source: C:\Users\Public\alpha.pif Code function: 5_2_00007FF718D4586C GetVersion, 5_2_00007FF718D4586C