ID: 317259
Sample Name: 9o4ec239o8
Cookbook: default.jbs
Time: 14:41:35
Date: 15/11/2020
Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents 2
Analysis Report 9o4ec239o8 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
    Startup 4
    Malware Configuration 4
    Yara Overview 4
      Memory Dumps 4
    Sigma Overview 4
    Signature Overview 5
      AV Detection: 5
      E-Banking Fraud: 5
      Hooking and other Techniques for Hiding and Protection: 5
      Malware Analysis System Evasion: 5
      HIPS / PFW / Operating System Protection Evasion: 5
      Stealing of Sensitive Information: 5
      Remote Access Functionality: 5
    Mitre Att&ck Matrix 5
    Behavior Graph 6
    Screenshots 7
      Thumbnails 7
    Antivirus, Machine Learning and Genetic Malware Detection 8
      Initial Sample 8
      Dropped Files 8
      Unpacked PE Files 8
      Domains 8
      URLs 9
    Domains and IPs 9
      Contacted Domains 9
      URLs from Memory and Binaries 9
      Contacted IPs 9
        Public 9
        Private 10
    General Information 10
    Simulations 10
      Behavior and APIs 10
    Joe Sandbox View / Context 11
      IPs 11
      Domains 11
      ASN 11
      JA3 Fingerprints 11
      Dropped Files 11
    Created / dropped Files 11
    Static File Info 13
      General 13
      File Icon 13
    Static PE Info 13
      General 13
      Entrypoint Preview 13
      Data Directories 14
      Sections 15
      Resources 15
      Imports 16
      Possible Origin 16
    Network Behavior 16
      TCP Packets 16
    Code Manipulations 17
    Statistics 17
      Behavior 17
    System Behavior 17
      Analysis Process: 9o4ec239o8.exe PID: 2964 Parent PID: 5792 17
        General 17
        File Activities 18
          File Created 18
          File Deleted 18
          File Written 18
        Registry Activities 19
          Key Value Created 19
      Analysis Process: IKOa.exe PID: 5332 Parent PID: 2964 19
        General 19
        File Activities 19
          File Read 19
      Analysis Process: RegSvcs.exe PID: 5916 Parent PID: 5332 20
        General 20
        File Activities 20
          File Created 20
          File Written 20
          File Read 21
        Registry Activities 22
          Key Created 22
          Key Value Created 22
      Analysis Process: rundll32.exe PID: 1460 Parent PID: 3472 22
        General 22
    Disassembly 23
      Code Analysis 23

Copyright null 2020 Page 2 of 23

Analysis Report 9o4ec239o8

Overview

General Information

Sample Name: 9o4ec239o8 (renamed file extension from none to exe)
Analysis ID: 317259
MD5: dc094df610899b1…
SHA1: ac9a225b8cff0a0…
SHA256: 3a26e36f25e5f3b…
Tags: ImminentRAT
Most interesting Screenshot:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Detection: malicious (scale: malicious / suspicious / clean)

Signatures

• Multi AV Scanner detection for subm…
• Yara detected Imminent
• Machine Learning detection for samp…
• Allocates memory in foreign process…
• Hides that the sample has been dow…
• Injects a PE file into a foreign proce…
• Tries to detect sandboxes and other…
• Writes to foreign memory regions
• Antivirus or Machine Learning detec…
• Contains functionality for read data f…
• Contains functionality to block mous…
• Contains functionality to check if a d…
• Contains functionality to check if a d…
• Contains functionality to check if a w…
• Contains functionality to communica…
• Contains functionality to dynamically…
• Contains functionality to execute pro…
• Contains functionality to launch a pr…
• Contains functionality to launch a pr…
• Contains functionality to open a port…
• Contains functionality to query CPU …
• Contains functionality to read the cli…
• Contains functionality to retrieve info…
• Contains functionality to shutdown / …
• Contains functionality to simulate ke…
• Contains functionality to simulate m…
• Contains functionality which may be…
• Contains long sleeps (>= 3 min)
• Creates a process in suspended mo…
• Detected potential crypto function
• Dropped file seen in connection with…
• Drops PE files
• Enables debug privileges
• Extensive use of GetProcAddress (o…
• Found a high number of Window / Us…
• Found potential string decryption / a…
• OS version to string mapping found …
• PE file contains an invalid checksum
• PE file contains executable resourc…
• PE file contains strange resources
• Potential key logger detected (keys …
• Queries the volume information (nam…
• Sample execution stops while proce…

Classification

Chart labels: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Imminent, Spyware, Trojan / Bot, Adware

Startup

System is w10x64
9o4ec239o8.exe (PID: 2964 cmdline: 'C:\Users\user\Desktop\9o4ec239o8.exe' MD5: DC094DF610899B15AC114FD2D5B2D067)
  IKOa.exe (PID: 5332 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe CYfhC MD5: B06E67F9767E5023892D9698703AD098)
    RegSvcs.exe (PID: 5916 cmdline: 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
rundll32.exe (PID: 1460 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\' MD5: 73C519F050C20580F8A62C849D49215A)
cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.503196069.0000000002EF1000.00000004.00000001.sdmp | JoeSecurity_Imminent | Yara detected Imminent | Joe Security |
Process Memory Space: RegSvcs.exe PID: 5916 | JoeSecurity_Imminent | Yara detected Imminent | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Cryptography
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality


AV Detection:

Multi AV Scanner detection for submitted file

Yara detected Imminent

Machine Learning detection for sample

E-Banking Fraud:

Yara detected Imminent

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the (zone.identifier)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Writes to foreign memory regions

Stealing of Sensitive Information:

Yara detected Imminent

Remote Access Functionality:

Yara detected Imminent

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts 2 | Native API 1 | Application Shimming 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 1 1 | Input Capture 2 1 | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer
Default Accounts | Command and Scripting Interpreter 2 | Valid Accounts 2 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 2 1 | Exfiltration Over Bluetooth | Encrypted Channel
Domain Accounts | At (Linux) | Logon Script (Windows) | Valid Accounts 2 | Obfuscated Files or Information 2 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Steganography
Local Accounts | At (Windows) | Logon Script (Mac) | Access Token Manipulation 2 1 | Software Packing 1 | NTDS | System Information Discovery 2 6 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation
Cloud Accounts | Cron | Network Logon Script | Process Injection 3 1 2 | Masquerading 1 | LSA Secrets | Security Software Discovery 1 3 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Valid Accounts 2 | Cached Domain Credentials | Virtualization/Sandbox Evasion 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 1 | DCSync | Process Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 2 1 | Proc Filesystem | Application Window Discovery 1 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 3 1 2 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Rundll32 1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium |

Behavior Graph

ID: 317259
Sample: 9o4ec239o8
Startdate: 15/11/2020
Architecture: WINDOWS
Score: 80

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Graph content recovered from the figure:
• 9o4ec239o8.exe (node counters: 1 4); rundll32.exe
• 9o4ec239o8.exe dropped C:\Users\user\AppData\Local\Temp\...\IKOa.exe, PE32
• 9o4ec239o8.exe started IKOa.exe (Is malicious)
• IKOa.exe started RegSvcs.exe (node counters: 1 5)
• RegSvcs.exe connected to 192.168.200.198, 9003 (unknown, unknown)
• Signatures shown on the graph: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Yara detected Imminent; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
9o4ec239o8.exe | 43% | Virustotal |
9o4ec239o8.exe | 27% | Metadefender |
9o4ec239o8.exe | 54% | ReversingLabs | Win32.Trojan.Sandstorm
9o4ec239o8.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 3% | Virustotal |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 5% | Metadefender |
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.RegSvcs.exe.b60000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
www.iptrackeronline.com/n | RegSvcs.exe, 00000002.00000002.503196069.0000000002EF1000.00000004.00000001.sdmp | false | | high
goo.gl/YroZm" | RegSvcs.exe, 00000002.00000002.506265216.000000000477E000.00000004.00000001.sdmp | false | | high
www.autoitscript.com/autoit3/J | 9o4ec239o8.exe, 00000000.00000003.231419950.0000000004E71000.00000004.00000001.sdmp, IKOa.exe, 00000001.00000000.232773526.0000000000108000.00000002.00020000.sdmp, IKOa.exe.0.dr | false | | high
www.iptrackeronline.com/ | RegSvcs.exe, 00000002.00000002.506265216.000000000477E000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.503196069.0000000002EF1000.00000004.00000001.sdmp | false | | high
www.autoitscript.com/autoit3/0 | 9o4ec239o8.exe, 00000000.00000003.231419950.0000000004E71000.00000004.00000001.sdmp, IKOa.exe.0.dr | false | | high

Contacted IPs

Map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

Private

IP 192.168.200.198

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 317259
Start date: 15.11.2020
Start time: 14:41:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 5s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 9o4ec239o8 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.troj.evad.winEXE@6/3@0/1
EGA Information: Failed
HDC Information: Successful, ratio: 100% (good quality ratio 93.6%); Quality average: 69.5%; Quality standard deviation: 26.9%
HCA Information: Successful, ratio: 63%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | ShDH26FzZN.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | uc1CC3mRtg.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | Ayuda Covid-19.JS | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 0612 Boleto Atendimento - Imprimir.cmd | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 25Remit_Confirmation_and_Client_Information_Details.do.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 17Invoice_022.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 88PaymentAdvice56473689008763.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 89COMPANY CATALOGpdf.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 61PO-winlightin_10092018303.doc.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 73Invoic.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 10PAYMENT PROOF.doc | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 68Halkbank.doc | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 67Invoice#8021.exe.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 67NEW_TELEX RELEASE383877474675857658575_PDF (2).exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 28Invoice#8021.exe.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 45PO#13345.exe | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 29AWB_KD87371091.xls | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 29AWB_KD87371091.xls | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 18NEW ORDER.doc | malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe | 11Statement Of Accoun.exe | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC

Process: C:\Users\user\Desktop\9o4ec239o8.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 438898
Entropy (8bit): 6.0513201851934735
Encrypted: false
SSDEEP: 12288:qZcUFgMtBPXYPcNrppIOQ5u4od5D/LzPqQWV3piP:qZfFbBPVLQI48d/PzWVZq
MD5: 57E99B38483B68CF91736C23AA2A15CD
SHA1: 6FA931F55FB5EE6F5424A09FB4D1D97C317CD1C2
SHA-256: 421B6AC5FBCF8E93F314B9009D664982F1857796B9048FEF20D25E04B0306F06
SHA-512: ACD48D71052164A861464C15A497E58390C7FEB25E018D1972E28061A001D0BD5FE14A67F7D30C361212D9D423E06EB4406F2B66DBBA8F509B0AF5CC56F1BCC5
Malicious: false
Reputation: low
Preview: #NoTrayIcon..#EndRegion..Dim $GKVBSHReLP = "0"..Dim $KeKDhMVBhDZ = "IKOa"..Dim $QhiYhPRUbSTN = "CYfhC"..Dim $IdRMGVPZPKAJg = "ya5vSgvEXUtbfb cX"..Dim $OhGiGYLJJZeQIM = "PODNKB"..Dim $bWMNNXRKIWWiIYe = Int("0")..Dim $FLScVXXLHSPQIACb = "JcUUCFJJSHBV"..Dim $iZAANbNdCCRGTcUFF = "4".. Dim $fHCPdcVQeKfMdUXRWC = "0"..Dim $DLZCdgRAYZaTFZNeXKT = "0"..Dim $TFYFMYUZgLWAJJaOBghWRYLOGANdSgFcLS = "0"..Dim $bindstartup = "0"..Dim $NTGMEcKIbeYZUCJbMHNQRNeWWXKEXAXbMfN = "0"....Dim $iMdDEWSFDAALhceBKbYPIFNiUbiZTDb = "0"..Dim $GPSZEZOYgPeSJhTOLASQNaWcVZWgEBIVf = "0"..Dim $MBBSMVYFCfcchFCBAYEWNDDUEDZWiiYX = "0"....Dim $PAfRBfXBYVSBFBUdNHiP = 0....If String($CmdLine[UBound($CmdLine)-1]) = "1" Then.. Global $hLBNMeMcUHLOfSFEEMWXZfcCIfYJXeBFJCcT = 1..Else.. Global $hLBNMeMcUHLOfSFEEMWXZfcCIfYJXeBFJCcT = 0..EndIf....If ProcessExists("VboxTray.exe") And $iMdDEWSFDAALhceBKbYPIFNiUbiZTDb = "1" Then Exit.. If ProcessExists("vmtoolsd.exe") And $GPSZEZOYgPeSJhTOLASQNaWcVZWgEBIVf = "1" Then Exit... If ProcessE

C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe

Process: C:\Users\user\Desktop\9o4ec239o8.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 937776
Entropy (8bit): 6.777413141364669
Encrypted: false
SSDEEP: 12288:FJV3REMvnCG22lhtjVoAYxQl+u13a/sVyaVeK56ORMkkOlPlNKlga4Umff2lRO:F3hEW3hlVodGl+gUKrMkzXa4P6RO
MD5: B06E67F9767E5023892D9698703AD098
SHA1: ACC07666F4C1D4461D3E1C263CF6A194A8DD1544
SHA-256: 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
SHA-512: 7972C78ACEBDD86C57D879C12CB407120155A24A52FDA23DDB7D9E181DD59DAC1EB74F327817ADBC364D37C8DC704F8236F3539B4D3EE5A022814924A1616943
Malicious: true
Antivirus: Virustotal, Detection: 3%; Metadefender, Detection: 5%; ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: ShDH26FzZN.exe, Detection: malicious
• Filename: uc1CC3mRtg.exe, Detection: malicious
• Filename: Ayuda Covid-19.JS, Detection: malicious
• Filename: 0612 Boleto Atendimento - Imprimir.cmd, Detection: malicious
• Filename: 25Remit_Confirmation_and_Client_Information_Details.do.exe, Detection: malicious
• Filename: 17Invoice_022.exe, Detection: malicious
• Filename: 88PaymentAdvice56473689008763.exe, Detection: malicious
• Filename: 89COMPANY CATALOGpdf.exe, Detection: malicious
• Filename: 61PO-winlightin_10092018303.doc.exe, Detection: malicious
• Filename: 73Invoic.exe, Detection: malicious
• Filename: 10PAYMENT PROOF.doc, Detection: malicious
• Filename: 68Halkbank.doc, Detection: malicious
• Filename: 67Invoice#8021.exe.exe, Detection: malicious
• Filename: 67NEW_TELEX RELEASE383877474675857658575_PDF (2).exe, Detection: malicious
• Filename: 28Invoice#8021.exe.exe, Detection: malicious
• Filename: 45PO#13345.exe, Detection: malicious
• Filename: 29AWB_KD87371091.xls, Detection: malicious
• Filename: 29AWB_KD87371091.xls, Detection: malicious
• Filename: 18NEW ORDER.doc, Detection: malicious
• Filename: 11Statement Of Accoun.exe, Detection: malicious
Reputation: moderate, very likely benign file
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... sD.R.*.R.*.R.*..C..P.*....S.*[email protected].*._@....*[email protected].*.[j..[.*.[j..w.*.R .+.r.*...... *....S.*[email protected].*.R...P.*....S.*.RichR.*...... PE..L...y..U...... "...... *...... @...... w.....@...@...... @...... L...|...... 8 ..0....0...q...;...... @X..@...... text...... `.rdata...... @[email protected]...... R...... @....rsrc...... @[email protected]...... @..B......

C:\Users\user\AppData\Roaming\Imminent\Logs\15-11-2020

Process: C:\Windows\.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: data
Category: dropped
Size (bytes): 55760
Entropy (8bit): 7.737817264718424
Encrypted: false
SSDEEP: 768:NKbdrkFk4kNhkNkNkdkdkckVk+kNkokdkdkckNkGkekp:cL
MD5: F2C2D92D855E8A955699228D9ADBDBB1
SHA1: AC2C9102362A62462F32805AFEED8D6D5B53380E
SHA-256: 5C266A8978E621C4A4F2A51D8AE9D74C4F373EDC93BD65CDDA251F75CDC344D1
SHA-512: 7D40EF08469437F9A9FB817189DB2851BEE752028717A4E3C5AB1F3A026FF24EB5DC3B881C7F622AE61E118BC8D2B023518E5257CA1F14ADCDF5DB30E2368D15
Malicious: false
Reputation: low
Preview: ...... "-..../JU...U..]!...V...o...`...6..D.. ..zX.]._....V..)[U..6....f.c5QE.3...... [,.Qew..&...K4..V.G.5..`....t..z5f.~..*eI9..gs.F....P...}Z...<....X5..Z.....x.f& ..O(.Pz..(,CZZ.w.....z..C.. ...Qr...K.J. ..0J..r....j...8}.[7.!.=../...... "-..../JU...U..]!...V...o...`...6..D.. ..zX.]._....V..)[U..6....f.c5QE.3...... [,.Qew..&...K4..V.G.5..`....t..z5f.~..*eI9..gs.F....P...}Z...<....X5..Z.....x.f& ..O(.Pz..(,CZZ.w.....z..C.....Qr...K.J. ..0J..r....j...8}.[7.!.=../i.Z.%~.,..F.T....u\..y..p.j.%.'.... cT..`...IeU.k.L.*.F..7...g.u.dR[*h.~..cc..m...... e.....,...e..&e]..|...... 2...v...^?..[Gs.). GN...... +..a".j.F...... "-..../JU...U..]!...V...o...`...6..D.. ..zX.]._....V..)[U..6....f.c5QE.3...... [,.Qew..&...K4..V.G.5..`....t..z5f.~..*eI9..gs.F....P...}Z...<....X5..Z.....x.f& ..O(.Pz..(,CZZ .w.....z..C.....Qr...K.J. ..0J..r....j...8}.[7.!.=../i.Z.%~.,..F.T....u\..y..p.j.%.'.... cT..`...IeU.k.L.*.F..7...g.u.dR[*h.~..cc..m...... e...

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.762517762129299
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 9o4ec239o8.exe
File size: 985600
MD5: dc094df610899b15ac114fd2d5b2d067
SHA1: ac9a225b8cff0a0145f29a0015238c6a818844d3
SHA256: 3a26e36f25e5f3bea4a3663b52afcb59d6a239b2ced7a916a7807190b6c4f894
SHA512: eef2069a3a9b4520964af198d2c902925827a3fdb6f1541388cf1446c6716ca933dadc162c859005baa3ea2f15dffe48af5903e02d6599fc8d743f44cb28eb83
SSDEEP: 24576:2gNUfUDtdfFQ0QPEhogjdWUTpuYG+WyGXiXP:2gNaUujPKfdWUTp3G+nGyX
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... *...n.k.n. k.n.k..^..i.k..^..`.k..^..(.k..^....k.n.j...k..^..g.k.Ig..o.k..^..o.k.. ^..o.k.Richn.k...... PE..L.....ST...

File Icon

Icon Hash: 0d39151535151515

Static PE Info

General

Entrypoint: 0x4069d0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x545301EF [Fri Oct 31 03:28:47 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 3
File Version Major: 6
File Version Minor: 3
Subsystem Version Major: 6
Subsystem Version Minor: 3
Import Hash: bc70c4fa605f17c85050b7c7b6d42e44

Entrypoint Preview

Instruction
call 00007FA870818578h
jmp 00007FA8708179AAh
int3
int3
int3
int3
int3
push 0000005Ch
push 00407900h
call 00007FA87081862Eh
and dword ptr [ebp-24h], 00000000h
and dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-6Ch]
push eax
call dword ptr [0040A170h]
mov dword ptr [ebp-04h], FFFFFFFEh
xor ebx, ebx
inc ebx
mov dword ptr [ebp-04h], ebx
mov eax, dword ptr fs:[00000018h]
mov edi, dword ptr [eax+04h]
sub esi, esi
mov edx, 004088ECh
push edi
pop ecx
xor eax, eax
lock cmpxchg dword ptr [edx], ecx
test eax, eax
je 00007FA8708179A8h
cmp eax, edi
jne 00007FA8708179B6h
push ebx
pop esi
cmp dword ptr [004088F0h], ebx
jne 00007FA8708179B9h
push 0000001Fh
call 00007FA870818394h
pop ecx
jmp 00007FA8708179DEh
push 000003E8h
call dword ptr [0040A16Ch]
jmp 00007FA87081796Ch
cmp dword ptr [004088F0h], 00000000h
jne 00007FA8708179C2h
mov dword ptr [004088F0h], ebx
push 00401018h
push 0040100Ch
call 00007FA870817B06h
pop ecx
pop ecx
or eax, eax
je 00007FA8708179ADh
jmp 00007FA870817AE4h
mov dword ptr [00408224h], ebx
cmp dword ptr [004088F0h], ebx
jne 00007FA8708179BDh
push 00401008h
push 00401000h
call 00007FA87081857Ch
pop ecx
pop ecx
mov dword ptr [004088F0h], 00000000h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa294 | 0xb4 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0xe7bff | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf4000 | 0x8c0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10a0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13d8 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x290 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6964 | 0x6a00 | False | 0.588001179245 | data | 6.41679972789 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x8000 | 0x1a8c | 0x400 | False | 0.3232421875 | data | 3.17592784688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0xa000 | 0x107c | 0x1200 | False | 0.418402777778 | data | 5.04714087963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0xe7bff | 0xe7c00 | False | 0.825552437298 | data | 7.77479118464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf4000 | 0x8c0 | 0xa00 | False | 0.771875 | data | 6.37328857441 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
AVI | 0xc7c4 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States
RT_ICON | 0xf5e0 | 0xf55 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x10538 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4289961887, next used block 4289961887 | |
RT_ICON | 0x20d60 | 0x94a8 | data | |
RT_ICON | 0x2a208 | 0x5488 | data | |
RT_ICON | 0x2f690 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x338b8 | 0x25a8 | data | |
RT_ICON | 0x35e60 | 0x10a8 | data | |
RT_ICON | 0x36f08 | 0x988 | data | |
RT_ICON | 0x37890 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_DIALOG | 0x37cf8 | 0x2f2 | data | English | United States
RT_DIALOG | 0x37fec | 0x1b0 | data | English | United States
RT_DIALOG | 0x3819c | 0x166 | data | English | United States
RT_DIALOG | 0x38304 | 0x1c0 | data | English | United States
RT_DIALOG | 0x384c4 | 0x130 | data | English | United States
RT_DIALOG | 0x385f4 | 0x120 | data | English | United States
RT_RCDATA | 0x38714 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0x3871c | 0xbadf5 | Microsoft Cabinet archive data, 765429 bytes, 2 files | English | United States
RT_RCDATA | 0xf3514 | 0x4 | data | English | United States
RT_RCDATA | 0xf3518 | 0x24 | data | English | United States
RT_RCDATA | 0xf353c | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xf3544 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xf354c | 0x4 | data | English | United States
RT_RCDATA | 0xf3550 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xf3558 | 0x4 | data | English | United States
RT_RCDATA | 0xf355c | 0xf | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xf356c | 0x4 | data | English | United States
RT_RCDATA | 0xf3570 | 0x11 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xf3584 | 0x7 | ASCII text, with no line terminators | English | United States
RT_RCDATA | 0xf358c | 0x7 | ASCII text, with no line terminators | English | United States
RT_GROUP_ICON | 0xf3594 | 0x84 | data | |
RT_MANIFEST | 0xf3618 | 0x5e7 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, RegSetValueExA, EqualSid, RegQueryValueExA, LookupPrivilegeValueA, RegCreateKeyExA, RegOpenKeyExA, RegQueryInfoKeyA, RegDeleteValueA, AllocateAndInitializeSid, FreeSid, AdjustTokenPrivileges, RegCloseKey
KERNEL32.dll | GetPrivateProfileIntA, GetFileAttributesA, IsDBCSLeadByte, GetSystemDirectoryA, GlobalUnlock, GetShortPathNameA, CreateDirectoryA, FindFirstFileA, GetLastError, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, GlobalFree, FindClose, GetPrivateProfileStringA, LoadLibraryA, LocalAlloc, WritePrivateProfileStringA, GetModuleFileNameA, FindNextFileA, CompareStringA, _lopen, CloseHandle, LocalFree, DeleteFileA, ExitProcess, DosDateTimeToFileTime, CreateFileA, FindResourceA, GlobalAlloc, ExpandEnvironmentStringsA, LoadResource, WaitForSingleObject, SetEvent, GetModuleHandleW, FormatMessageA, SetFileTime, WriteFile, GetDriveTypeA, GetVolumeInformationA, TerminateThread, SizeofResource, CreateEventA, GetExitCodeProcess, CreateProcessA, _llseek, SetCurrentDirectoryA, GetTempFileNameA, ResetEvent, LockResource, GetSystemInfo, LoadLibraryExA, CreateMutexA, GetCurrentDirectoryA, GetVersionExA, GetVersion, GetTempPathA, CreateThread, LocalFileTimeToFileTime, SetFilePointer, GetWindowsDirectoryA, lstrcmpA, _lclose, GlobalLock, GetCurrentProcess, FreeResource, FreeLibrary, Sleep, GetStartupInfoA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, OutputDebugStringA, RtlUnwind, GetModuleHandleA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, MulDiv, GetDiskFreeSpaceA, ReadFile
GDI32.dll | GetDeviceCaps
USER32.dll | GetDC, SendMessageA, SetForegroundWindow, MsgWaitForMultipleObjects, SendDlgItemMessageA, GetWindowRect, MessageBoxA, GetWindowLongA, PeekMessageA, ReleaseDC, GetDlgItem, SetWindowPos, ShowWindow, DispatchMessageA, SetWindowTextA, EnableWindow, CallWindowProcA, DialogBoxIndirectParamA, GetDlgItemTextA, LoadStringA, MessageBeep, CharUpperA, CharNextA, ExitWindowsEx, CharPrevA, EndDialog, GetDesktopWindow, SetDlgItemTextA, SetWindowLongA, GetSystemMetrics
msvcrt.dll | memset, ?terminate@@YAXXZ, _controlfp, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _acmdln, _initterm, _amsg_exit, __p__commode, _XcptFilter, _errno, _vsnprintf, __setusermatherr
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA

Possible Origin

Language of compilation system: English
Country where language is spoken: United States

Network Behavior

TCP Packets

Timestamp                          Source Port  Dest Port  Source IP    Dest IP
Nov 15, 2020 14:42:35.402777910 CET  49715        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:42:38.417958021 CET  49715        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:42:41.939522982 CET  49718        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:42:44.949858904 CET  49718        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:42:48.453104973 CET  49722        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:42:51.465908051 CET  49722        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:42:54.984544039 CET  49727        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:42:57.997728109 CET  49727        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:01.517468929 CET  49728        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:04.543617010 CET  49728        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:08.048197031 CET  49730        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:11.045733929 CET  49730        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:14.579360962 CET  49734        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:17.593173981 CET  49734        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:21.255251884 CET  49740        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:24.265559912 CET  49740        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:27.769126892 CET  49741        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:30.782021046 CET  49741        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:34.300306082 CET  49742        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:37.297905922 CET  49742        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:40.832642078 CET  49743        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:43.845344067 CET  49743        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:47.364392042 CET  49745        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:50.377094030 CET  49745        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:53.884480000 CET  49747        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:43:56.893299103 CET  49747        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:00.412796974 CET  49748        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:03.425046921 CET  49748        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:06.943859100 CET  49749        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:09.957007885 CET  49749        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:13.562429905 CET  49750        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:16.567316055 CET  49750        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:20.071600914 CET  49751        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:23.083084106 CET  49751        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:26.603310108 CET  49752        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:29.614798069 CET  49752        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:33.133774042 CET  49753        9003       192.168.2.5  192.168.200.198
Nov 15, 2020 14:44:36.130971909 CET  49753        9003       192.168.2.5  192.168.200.198

Code Manipulations

Statistics

Behavior

• 9o4ec239o8.exe
• IKOa.exe
• RegSvcs.exe
• rundll32.exe

System Behavior

Analysis Process: 9o4ec239o8.exe PID: 2964 Parent PID: 5792

General

Start time: 14:42:27
Start date: 15/11/2020
Path: C:\Users\user\Desktop\9o4ec239o8.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\9o4ec239o8.exe'
Imagebase: 0x13d0000
File size: 985600 bytes
MD5 hash: DC094DF610899B15AC114FD2D5B2D067
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created

Source File Path: C:\Users\user\AppData\Local\Temp\IXP000.TMP
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait   Count: 1   Address: 13D531B   Symbol: CreateDirectoryA

Source File Path: C:\Users\user\AppData\Local\Temp\IXP000.TMP\TMP4351$.TMP
  Access: read attributes | delete | synchronize | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file | delete on close
  Completion: success or wait   Count: 1   Address: 13D5810   Symbol: CreateFileA

Source File Path: C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe
  Access: read attributes | synchronize | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait   Count: 1   Address: 13D47BD   Symbol: CreateFileA

Source File Path: C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC
  Access: read attributes | synchronize | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file
  Completion: success or wait   Count: 1   Address: 13D47BD   Symbol: CreateFileA

File Deleted

Source File Path                                          Completion       Count  Address  Symbol
C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC          success or wait  1      13D51AB  DeleteFileA
C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe       success or wait  1      13D51AB  DeleteFileA

File Written

Source File Path: C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe
  Offset: unknown   Length: 32768
  Value / Ascii: 4d 5a 90 00 03 00 00 / MZ...... (remainder of the raw hex dump omitted)
  Completion: success or wait   Count: 29   Address: 13D49FB   Symbol: WriteFile

Source File Path: C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC
  Offset: unknown   Length: 12496
  Value / Ascii: 23 4e 6f 54 72 61 79 / #NoTrayIcon..#EndRegion. (remainder of the raw hex dump omitted)
  Completion: success or wait   Count: 15   Address: 13D49FB   Symbol: WriteFile

Registry Activities

Key Value Created

Source Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Name: wextract_cleanup0
  Type: unicode
  Data: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
  Completion: success or wait   Count: 1   Address: 13D2086   Symbol: RegSetValueExA

Analysis Process: IKOa.exe PID: 5332 Parent PID: 2964

General

Start time: 14:42:28
Start date: 15/11/2020
Path: C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\IKOa.exe CYfhC
Imagebase: 0x40000
File size: 937776 bytes
MD5 hash: B06E67F9767E5023892D9698703AD098
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches: Detection: 3%, Virustotal; Detection: 5%, Metadefender; Detection: 0%, ReversingLabs
Reputation: moderate

File Activities

File Read

Source File Path                                    Offset   Length  Completion       Count  Address  Symbol
C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC    unknown  65536   success or wait  8      71230    ReadFile
C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC    unknown  16384   end of file      2      71230    ReadFile
C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC    unknown  65536   success or wait  8      71230    ReadFile
C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC    unknown  16384   end of file      2      71230    ReadFile
C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC    unknown  65536   success or wait  1      5427C    ReadFile
C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC    unknown  65536   success or wait  6      539EF    ReadFile
C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC    unknown  65536   end of file      2      539EF    ReadFile
C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC    unknown  65536   success or wait  1      5427C    ReadFile
C:\Users\user\AppData\Local\Temp\IXP000.TMP\CYfhC    unknown  65536   success or wait  7      5427C    ReadFile

Analysis Process: RegSvcs.exe PID: 5916 Parent PID: 5332

General

Start time: 14:42:29
Start date: 15/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: 0
Imagebase: 0xa90000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches: Rule: JoeSecurity_Imminent, Description: Yara detected Imminent, Source: 00000002.00000002.503196069.0000000002EF1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: moderate

File Activities

File Created

Source File Path: C:\Users\user\AppData\Roaming\Imminent
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait   Count: 1   Address: 6CB1BEFF   Symbol: CreateDirectoryW

Source File Path: C:\Users\user\AppData\Roaming\Imminent\Logs
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: success or wait   Count: 1   Address: 6CB1BEFF   Symbol: CreateDirectoryW

Source File Path: C:\Users\user\AppData\Roaming\Imminent\Logs\15-11-2020
  Access: read attributes | synchronize | generic write
  Attributes: device
  Options: synchronous io non alert | non directory file | open no recall
  Completion: success or wait   Count: 1   Address: 6CB11E60   Symbol: CreateFileW

Source File Path: C:\Users\user
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: object name collision   Count: 1   Address: 6DCCCF06   Symbol: unknown

Source File Path: C:\Users\user\AppData\Roaming
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: object name collision   Count: 1   Address: 6DCCCF06   Symbol: unknown

File Written

Source File Path: C:\Users\user\AppData\Roaming\Imminent\Logs\15-11-2020
  Offset: unknown   Length: 5
  Value / Ascii: (raw hex dump omitted)
  Completion: success or wait   Count: 1   Address: 6CB11B4F   Symbol: WriteFile

Source File Path: C:\Users\user\AppData\Roaming\Imminent\Logs\15-11-2020
  Offset: unknown   Length: 245
  Value / Ascii: (raw hex dump omitted)
  Completion: success or wait   Count: 20   Address: 6CB11B4F   Symbol: WriteFile

Source File Path: C:\Users\user\AppData\Roaming\Imminent\Logs\15-11-2020
  Offset: unknown   Length: 4245
  Value / Ascii: (raw hex dump omitted)
  Completion: success or wait   Count: 3   Address: 6CB11B4F   Symbol: WriteFile

File Read

Source File Path  |  Offset  |  Length  |  Completion  |  Count  |  Address  |  Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config  |  unknown  |  4095  |  success or wait  |  1  |  6DCA5705  |  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config  |  unknown  |  8173  |  end of file  |  1  |  6DCA5705  |  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  4095  |  success or wait  |  1  |  6DCA5705  |  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  6135  |  success or wait  |  1  |  6DCA5705  |  unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux  |  unknown  |  176  |  success or wait  |  1  |  6DC003DE  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config  |  unknown  |  4095  |  success or wait  |  1  |  6DCA5705  |  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config  |  unknown  |  8173  |  end of file  |  1  |  6DCA5705  |  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config  |  unknown  |  4095  |  success or wait  |  1  |  6DCACA54  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config  |  unknown  |  8173  |  end of file  |  1  |  6DCACA54  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  4095  |  success or wait  |  1  |  6DCACA54  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  6135  |  success or wait  |  1  |  6DCACA54  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  4097  |  success or wait  |  1  |  6DCACA54  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  4098  |  success or wait  |  1  |  6DCACA54  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  7976  |  success or wait  |  1  |  6DCACA54  |  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux  |  unknown  |  620  |  success or wait  |  1  |  6DC003DE  |  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux  |  unknown  |  900  |  success or wait  |  1  |  6DC003DE  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config  |  unknown  |  4095  |  success or wait  |  1  |  6DCA5705  |  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config  |  unknown  |  8173  |  end of file  |  1  |  6DCA5705  |  unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux  |  unknown  |  864  |  success or wait  |  1  |  6DC003DE  |  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux  |  unknown  |  748  |  success or wait  |  1  |  6DC003DE  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  4095  |  success or wait  |  1  |  6DCA5705  |  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  8171  |  end of file  |  1  |  6DCA5705  |  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  4096  |  success or wait  |  1  |  6CB11B4F  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  |  unknown  |  4096  |  end of file  |  1  |  6CB11B4F  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config  |  unknown  |  4096  |  success or wait  |  1  |  6CB11B4F  |  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe.config  |  unknown  |  4096  |  end of file  |  1  |  6CB11B4F  |  ReadFile
C:\Users\user\AppData\Roaming\Imminent\Logs\15-11-2020  |  unknown  |  4096  |  success or wait  |  21  |  6CB11B4F  |  ReadFile
C:\Users\user\AppData\Roaming\Imminent\Logs\15-11-2020  |  unknown  |  4245  |  success or wait  |  2  |  6CB11B4F  |  ReadFile

Registry Activities

Key Created

Source Key Path                                             Completion       Count  Address   Symbol
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie             success or wait  1      6DBA40CE  unknown
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum     success or wait  1      6DBA40CE  unknown

Key Value Created

Source Key Path: HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum
  Name: Version
  Type: dword
  Data: 7
  Completion: success or wait   Count: 1   Address: 6DBA40CE   Symbol: unknown

Analysis Process: rundll32.exe PID: 1460 Parent PID: 3472

General

Start time: 14:42:37
Start date: 15/11/2020
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user\AppData\Local\Temp\IXP000.TMP\'
Imagebase: 0x7ff7d99e0000
File size: 69632 bytes
MD5 hash: 73C519F050C20580F8A62C849D49215A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
