MALICIOUS Threat Names:

DYNAMIC ANALYSIS REPORT #1192055

Classifications: Spyware

MALICIOUS Threat Names: -

Verdict Reason: -

Sample Type Windows Exe (x86-32)

Sample Name day.exe

ID #392540

MD5 ed2074f92b6b66a0679cb47d94308c16

SHA1 5b50ce89380b618206e3bd4fc6ea96924657c3f8

SHA256 6ea1db252f87c50be810c36e4bd97c56e15a1aa8744de8855591ccaf48afa72f

File Size 1033.50 KB

Report Created 2021-04-21 22:57 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 20 DYNAMIC ANALYSIS REPORT #1192055

OVERVIEW

VMRay Threat Identifiers (19 rules, 63 matches)

Score Category Operation Count Classification

5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware

• Tries to read sensitive data of: WinSCP, FileZilla, Opera Mail, Microsoft Outlook, Internet Explorer, Opera, TigerVNC, Ipswitch WS_FTP, Internet Download Manager, BlackHawk, Postbox, Mozilla Thunderbird, Mozilla Firefox, The Bat!, TightVNC, CoreFTP, FTP Navigator, Comodo IceDragon, SeaMonkey, k-Meleon, Flock, Cyberfox, IncrediMail, Pocomail.

2/5 Anti Analysis Tries to detect debugger 1 -

• (Process #1) day.exe tries to detect a debugger via API "IsDebuggerPresent".

2/5 Data Collection Reads sensitive browser data 8 -

• (Process #2) day.exe tries to read sensitive data of web browser "Opera" by file.

• (Process #2) day.exe tries to read sensitive data of web browser "BlackHawk" by file.

• (Process #2) day.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.

• (Process #2) day.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.

• (Process #2) day.exe tries to read sensitive data of web browser "Flock" by file.

• (Process #2) day.exe tries to read sensitive data of web browser "Cyberfox" by file.

• (Process #2) day.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.

• (Process #2) day.exe tries to read sensitive data of web browser "k-Meleon" by file.

2/5 Data Collection Reads sensitive mail data 7 -

• (Process #2) day.exe tries to read sensitive data of mail application "IncrediMail" by registry.

• (Process #2) day.exe tries to read sensitive data of mail application "Postbox" by file.

• (Process #2) day.exe tries to read sensitive data of mail application "Pocomail" by file.

• (Process #2) day.exe tries to read sensitive data of mail application "Opera Mail" by file.

• (Process #2) day.exe tries to read sensitive data of mail application "The Bat!" by file.

• (Process #2) day.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.

• (Process #2) day.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.

2/5 Data Collection Reads sensitive application data 5 -

• (Process #2) day.exe tries to read sensitive data of application "TightVNC" by registry.

• (Process #2) day.exe tries to read sensitive data of application "TigerVNC" by registry.

• (Process #2) day.exe tries to read sensitive data of application "WinSCP" by registry.

• (Process #2) day.exe tries to read sensitive data of application "SeaMonkey" by file.

• (Process #2) day.exe tries to read sensitive data of application "Internet Download Manager" by registry.

2/5 Data Collection Reads sensitive ftp data 5 -

• (Process #2) day.exe tries to read sensitive data of ftp application "FTP Navigator" by file.

• (Process #2) day.exe tries to read sensitive data of ftp application "FileZilla" by file.

• (Process #2) day.exe tries to read sensitive data of ftp application "CoreFTP" by file.

• (Process #2) day.exe tries to read sensitive data of ftp application "CoreFTP" by registry.

• (Process #2) day.exe tries to read sensitive data of ftp application "Ipswitch WS_FTP" by file.

2/5 Discovery Queries OS version via WMI 1 -

• (Process #2) day.exe queries OS version via WMI.

2/5 Discovery Executes WMI query 2 -

X-Ray Vision for Malware - www.vmray.com 2 / 20 DYNAMIC ANALYSIS REPORT #1192055

• (Process #2) day.exe executes WMI query: select * from Win32_OperatingSystem.

• (Process #2) day.exe executes WMI query: SELECT * FROM Win32_Processor.

2/5 Discovery Collects hardware properties 1 -

• (Process #2) day.exe queries hardware properties via WMI.

2/5 Injection Writes into the memory of a process running from a created or modified executable 1 -

• (Process #1) day.exe modifies memory of (process #2) day.exe.

2/5 Injection Modifies control flow of a process running from a created or modified executable 1 -

• (Process #1) day.exe alters context of (process #2) day.exe.

1/5 Privilege Escalation Enables process privilege 2 -

• (Process #1) day.exe enables process privilege "SeDebugPrivilege".

• (Process #2) day.exe enables process privilege "SeDebugPrivilege".

1/5 Discovery Enumerates running processes 1 -

• (Process #1) day.exe enumerates running processes.

1/5 Hide Tracks Creates process with hidden window 1 -

• (Process #1) day.exe starts (process #1) day.exe with a hidden window.

1/5 Obfuscation Reads from memory of another process 1 -

• (Process #1) day.exe reads from (process #1) day.exe.

1/5 Obfuscation Creates a page with write and execute permissions 1 -

• (Process #1) day.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 Discovery Possibly does reconnaissance 22 -

• (Process #2) day.exe tries to gather information about application "Postbox" by file.

• (Process #2) day.exe tries to gather information about application "blackHawk" by file.

• (Process #2) day.exe tries to gather information about application "RealVNC" by registry.

• (Process #2) day.exe tries to gather information about application "TightVNC" by registry.

• (Process #2) day.exe tries to gather information about application "TigerVNC" by registry.

• (Process #2) day.exe tries to gather information about application "Pocomail" by file.

• (Process #2) day.exe tries to gather information about application "WinSCP" by registry.

• (Process #2) day.exe tries to gather information about application "Foxmail" by registry.

• (Process #2) day.exe tries to gather information about application "Qualcomm Eudora" by registry.

• (Process #2) day.exe tries to gather information about application "Comodo IceDragon" by file.

• (Process #2) day.exe tries to gather information about application "Flock" by file.

• (Process #2) day.exe tries to gather information about application "SeaMonkey" by file.

• (Process #2) day.exe tries to gather information about application "Opera Mail" by file.

• (Process #2) day.exe tries to gather information about application "FTP Navigator" by file.

• (Process #2) day.exe tries to gather information about application "Cyberfox" by file.

• (Process #2) day.exe tries to gather information about application "FileZilla" by file.

• (Process #2) day.exe tries to gather information about application "CoreFTP" by file.

• (Process #2) day.exe tries to gather information about application "The Bat!" by file.

• (Process #2) day.exe tries to gather information about application "icecat" by file.

• (Process #2) day.exe tries to gather information about application "Mozilla Firefox" by file.

• (Process #2) day.exe tries to gather information about application "WS_FTP" by file.

• (Process #2) day.exe tries to gather information about application "k-Meleon" by file.

X-Ray Vision for Malware - www.vmray.com 3 / 20 DYNAMIC ANALYSIS REPORT #1192055

1/5 Obfuscation Resolves API functions dynamically 1 -

• (Process #2) day.exe resolves 50 API functions by name.

1/5 Execution Executes itself 1 -

• (Process #1) day.exe executes a copy of the sample at c:\users\rdhj0cnfevzx\desktop\day.exe.

X-Ray Vision for Malware - www.vmray.com 4 / 20 DYNAMIC ANALYSIS REPORT #1192055

Mitre ATT&CK Matrix

Command Initial Privilege Defense Credential Lateral Execution Persistence Discovery Collection and Exfiltration Impact Access Escalation Evasion Access Movement Control

#T1057 ------Process - - - - - Discovery

#T1143 - - - - Hidden ------Window

#T1045 - - - - Software ------Packing

#T1119 ------Automated - - - Collection

#T1081 - - - - - Credentials ------in Files

#T1083 File and ------Directory Discovery

#T1005 Data ------from Local - - - System

#T1214 - - - - - Credentials ------in Registry

#T1012 ------Query - - - - - Registry

#T1003 - - - - - Credential ------Dumping

#T1047 Windows - Management ------Instrumentati on

#T1082 System ------Information Discovery

X-Ray Vision for Malware - www.vmray.com 5 / 20 DYNAMIC ANALYSIS REPORT #1192055

Sample Information

ID 1192055

MD5 ed2074f92b6b66a0679cb47d94308c16

SHA1 5b50ce89380b618206e3bd4fc6ea96924657c3f8

SHA256 6ea1db252f87c50be810c36e4bd97c56e15a1aa8744de8855591ccaf48afa72f

SSDeep 24576:TU7CI8+QipsxB26pZ0yw1ejJXUr9QnaFo3yRRRRR2C:TqPHu+MjJXuQaF6yRRRRR2C

ImpHash f34d5f2d4577ed6d9ceec516c1f5a744

Filename day.exe

File Size 1033.50 KB

Sample Type Windows Exe (x86-32)

Has Macros

Analysis Information

Creation Time 2021-04-21 22:57 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 2

Execution Successfull False

Reputation Analysis Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 0

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 0

X-Ray Vision for Malware - www.vmray.com 6 / 20 DYNAMIC ANALYSIS REPORT #1192055

X-Ray Vision for Malware - www.vmray.com 7 / 20 DYNAMIC ANALYSIS REPORT #1192055

NETWORK

General

0 bytes total sent

0 bytes total received

0 ports

0 contacted IP addresses

0 URLs extracted

0 files downloaded

0 malicious hosts detected

DNS

0 DNS requests for 0 domains

0 nameservers contacted

0 total requests returned errors

HTTP/S

0 URLs contacted, 0 servers

0 sessions, 0 bytes sent, 0 bytes recivied

DNS Requests

-

HTTP Requests

-

X-Ray Vision for Malware - www.vmray.com 8 / 20 DYNAMIC ANALYSIS REPORT #1192055

BEHAVIOR

Process Graph

Modify Memory #1 Modify Control Flow #2 Sample Start day.exe Child Process day.exe

X-Ray Vision for Malware - www.vmray.com 9 / 20 DYNAMIC ANALYSIS REPORT #1192055

Process #1: day.exe

ID 1

Filename c:\users\rdhj0cnfevzx\desktop\day.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\day.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 52977, Reason: Analysis Target

Unmonitor End Time End Time: 180722, Reason: Terminated

Monitor Duration 127.75s

Return Code 0

PID 2992

Parent PID 2104

Bitness 32 Bit

Host Behavior

Type Count

Module 30

System 1

Window 4

Registry 3

File 1

Environment 2

User 1

Process 3

- 2

- 3

- 7

X-Ray Vision for Malware - www.vmray.com 10 / 20 DYNAMIC ANALYSIS REPORT #1192055

Process #2: day.exe

ID 2

Filename c:\users\rdhj0cnfevzx\desktop\day.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\day.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 179034, Reason: Child Process

Unmonitor End Time End Time: 293077, Reason: Terminated by Timeout

Monitor Duration 114.04s

Return Code Unknown

PID 3216

Parent PID 2992

Bitness 32 Bit

Injection Information (6)

Injection Type Source Process Source / Target TID Address / Name Size Success Count

#1: c: Modify Memory \users\rdhj0cnfevzx\des 0xe24 0x400000(4194304) 0x200 1 ktop\day.exe

#1: c: Modify Memory \users\rdhj0cnfevzx\des 0xe24 0x402000(4202496) 0x35800 1 ktop\day.exe

#1: c: Modify Memory \users\rdhj0cnfevzx\des 0xe24 0x438000(4423680) 0x600 1 ktop\day.exe

#1: c: Modify Memory \users\rdhj0cnfevzx\des 0xe24 0x43a000(4431872) 0x200 1 ktop\day.exe

#1: c: Modify Memory \users\rdhj0cnfevzx\des 0xe24 0x285008(2641928) 0x4 1 ktop\day.exe

#1: c: Modify Control Flow \users\rdhj0cnfevzx\des 0xe24 / 0x958 - 1 ktop\day.exe

Host Behavior

Type Count

Module 59

Window 3

System 24

Registry 99

User 4

- 25

File 105

COM 47

Environment 26

- 3

X-Ray Vision for Malware - www.vmray.com 11 / 20 DYNAMIC ANALYSIS REPORT #1192055

ARTIFACTS

File

SHA256 Filenames Category Filesize MIME Type Operations Verdict

6ea1db252f87c50be810 C: application/ c36e4bd97c56e15a1aa \Users\RDhJ0CNFevzX\ Sample File 1033.50 KB vnd.microsoft.portable- MALICIOUS 8744de8855591ccaf48a Desktop\day.exe executable fa72f

Filename

Filename Category Operations Verdict

C: \Users\RDhJ0CNFevzX\Desktop\day.exe.con Accessed File Access CLEAN fig

C: \Windows\Microsoft.NET\Framework\v4.0.30 Accessed File Access, Read CLEAN 319\Config\machine.config

C: \Windows\Microsoft.NET\Framework\v4.0.30 Accessed File Access CLEAN 319\config\machine.config

C: \Users\RDhJ0CNFevzX\AppData\Local\7Star\ Accessed File Access CLEAN 7Star\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Coow Accessed File Access CLEAN on\Coowon\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Sputn Accessed File Access CLEAN ik\Sputnik\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\CocC Accessed File Access CLEAN oc\Browser\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\QIP Accessed File Access CLEAN Surf\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\uCoz Accessed File Access CLEAN Media\Uran\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Catali Accessed File Access CLEAN naGroup\Citrio\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Iridiu Accessed File Access CLEAN m\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Vival Accessed File Access CLEAN di\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Amig Accessed File Access CLEAN o\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Torch Accessed File Access CLEAN \User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Chro Accessed File Access CLEAN mium\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Brave Accessed File Access CLEAN Software\Brave-Browser\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Yand Accessed File Access CLEAN ex\YandexBrowser\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Ched Accessed File Access CLEAN ot\User Data

X-Ray Vision for Malware - www.vmray.com 12 / 20 DYNAMIC ANALYSIS REPORT #1192055

Filename Category Operations Verdict

C: \Users\RDhJ0CNFevzX\AppData\Local\Epic Accessed File Access CLEAN Privacy Browser\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Mapl Accessed File Access CLEAN eStudio\ChromePlus\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Orbit Accessed File Access CLEAN um\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Fenrir Accessed File Access CLEAN Inc\Sleipnir5\setting\modules\ChromiumView er

C: \Users\RDhJ0CNFevzX\AppData\Local\360C Accessed File Access CLEAN hrome\Chrome\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Elem Accessed File Access CLEAN ents Browser\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Como Accessed File Access CLEAN do\Dragon\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Cent Accessed File Access CLEAN Browser\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Kome Accessed File Access CLEAN ta\User Data

C: \Users\RDhJ0CNFevzX\AppData\Roaming\O Accessed File Access CLEAN pera Software\Opera Stable

C: \Users\RDhJ0CNFevzX\AppData\Local\liebao Accessed File Access CLEAN \User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Tence Accessed File Access CLEAN nt\QQBrowser\User Data

C: \Users\RDhJ0CNFevzX\AppData\Local\Tence Accessed File Access CLEAN nt\QQBrowser\User Data\Default\EncryptedStorage

C: \Users\RDhJ0CNFevzX\AppData\Roaming\M Accessed File Access CLEAN oonchild Productions\Pale Moon\profiles.ini

C: \Users\RDhJ0CNFevzX\AppData\Roaming\Tr Accessed File Access CLEAN illian\users\global\accounts.dat

C: \Users\RDhJ0CNFevzX\AppData\Roaming\P Accessed File Access CLEAN ostbox\profiles.ini

C: \Users\RDhJ0CNFevzX\AppData\Roaming\N Accessed File Access CLEAN ETGATE Technologies\BlackHawk\profiles.ini

C:\Program Files (x86)\uvnc Accessed File Access CLEAN bvba\UltraVNC\ultravnc.ini

C:\Program Files (x86)\UltraVNC\ultravnc.ini Accessed File Access CLEAN

C: \Users\RDhJ0CNFevzX\AppData\Local\Micro Accessed File Access CLEAN soft\Edge\User Data

C:\Program Files Accessed File Access CLEAN (x86)\jDownloader\config\database.script

C: \Users\RDhJ0CNFevzX\AppData\Roaming\P Accessed File Access CLEAN ocomail\accounts.ini

X-Ray Vision for Malware - www.vmray.com 13 / 20 DYNAMIC ANALYSIS REPORT #1192055

Filename Category Operations Verdict

C:\Program Files (x86)\Common Files\Apple\Apple Application Accessed File Access CLEAN Support\plutil.exe

C: \Users\RDhJ0CNFevzX\AppData\Local\Mailbi Accessed File Access CLEAN rd\Store\Store.db

C:\Storage\ Accessed File Access CLEAN

C:\mail\ Accessed File Access CLEAN

C: \Users\RDhJ0CNFevzX\AppData\Local\Virtua Accessed File Access CLEAN lStore\Program Files\Foxmail\mail\

C: \Users\RDhJ0CNFevzX\AppData\Local\Virtua Accessed File Access CLEAN lStore\Program Files (x86)\Foxmail\mail\

C: \Users\RDhJ0CNFevzX\AppData\Roaming\C Accessed File Access CLEAN omodo\IceDragon\profiles.ini

C: \Users\RDhJ0CNFevzX\AppData\Roaming\Fl Accessed File Access CLEAN ock\Browser\profiles.ini

C:\cftp\Ftplist.txt Accessed File Access CLEAN

C:\Program Files\Private Internet Access\data Accessed File Access CLEAN

C:\Private Internet Access\data Accessed File Access CLEAN

C: \Users\RDhJ0CNFevzX\AppData\Roaming\M Accessed File Access CLEAN ozilla\SeaMonkey\profiles.ini

C: \Users\RDhJ0CNFevzX\AppData\Local\Googl Accessed File Access CLEAN e\Chrome\User Data\

C: \Users\RDhJ0CNFevzX\AppData\Roaming\O Accessed File Access CLEAN pera Mail\Opera Mail\wand.dat

C:\FTP Navigator\Ftplist.txt Accessed File Access CLEAN

C: \Users\RDhJ0CNFevzX\AppData\Local\falkon Accessed File Access CLEAN \profiles\profiles.ini

C: \Users\RDhJ0CNFevzX\AppData\Roaming\8 Accessed File Access CLEAN pecxstudios\Cyberfox\profiles.ini

C: \Users\RDhJ0CNFevzX\AppData\Roaming\e Accessed File Access CLEAN M Client

C: \Users\RDhJ0CNFevzX\AppData\Roaming\Fil Accessed File Access CLEAN eZilla\recentservers.xml

C: \Users\RDhJ0CNFevzX\AppData\Roaming\C Accessed File Access CLEAN oreFTP\sites.idx

C: \Users\RDhJ0CNFevzX\AppData\Roaming\Cl Accessed File Access CLEAN aws-mail

C: \Users\RDhJ0CNFevzX\AppData\Roaming\Cl Accessed File Access CLEAN aws-mail\clawsrc

C: \Users\RDhJ0CNFevzX\AppData\Roaming\W Accessed File Access CLEAN aterfox\profiles.ini

C: \Users\RDhJ0CNFevzX\AppData\Roaming\T Accessed File Access CLEAN he Bat!

X-Ray Vision for Malware - www.vmray.com 14 / 20 DYNAMIC ANALYSIS REPORT #1192055

Filename Category Operations Verdict

C: \Users\RDhJ0CNFevzX\AppData\Roaming\M Accessed File Access CLEAN ozilla\icecat\profiles.ini

C: \Users\RDhJ0CNFevzX\AppData\Roaming\F Accessed File Access CLEAN TPGetter\servers.xml

C: \Users\RDhJ0CNFevzX\AppData\Roaming\M Accessed File Access CLEAN ozilla\Firefox\profiles.ini

C: \Users\RDhJ0CNFevzX\AppData\Roaming\Ip Accessed File Access CLEAN switch\WS_FTP\Sites\ws_ftp.ini

C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.da Accessed File Access CLEAN t

C: \Users\RDhJ0CNFevzX\AppData\Roaming\K- Accessed File Access CLEAN Meleon\profiles.ini

C: \Users\RDhJ0CNFevzX\AppData\Roaming\T Accessed File Access CLEAN hunderbird\profiles.ini

C:\Users\RDhJ0CNFevzX\Desktop\Folder.lst Accessed File Access CLEAN

URL

-

Domain

-

IP

-

Email

-

Email Address

-

Mutex

-

Registry

Registry Key Operations Parent Process Name Verdict

HKEY_LOCAL_MACHINE\Software\Microsoft access day.exe CLEAN \.NETFramework

HKEY_LOCAL_MACHINE\Software\Microsoft \.NETFramework\DbgJITDebugLaunchSettin access, read day.exe CLEAN g

HKEY_LOCAL_MACHINE\Software\Microsoft access, read day.exe CLEAN \.NETFramework\DbgManagedDebugger

HKEY_PERFORMANCE_DATA access day.exe CLEAN

HKEY_LOCAL_MACHINE\Software\Microsoft access day.exe CLEAN \Windows NT\CurrentVersion

X-Ray Vision for Malware - www.vmray.com 15 / 20 DYNAMIC ANALYSIS REPORT #1192055

Registry Key Operations Parent Process Name Verdict

HKEY_LOCAL_MACHINE\Software\Microsoft access, read day.exe CLEAN \Windows NT\CurrentVersion\InstallationType

HKEY_LOCAL_MACHINE\SOFTWARE\Micr access day.exe CLEAN osoft\.NETFramework\AppContext

HKEY_LOCAL_MACHINE\SOFTWARE\Micr access day.exe CLEAN osoft\.NETFramework\v4.0.30319

HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\.NETFramework\v4.0.30319\SchUseStr access, read day.exe CLEAN ongCrypto

HKEY_LOCAL_MACHINE\Software\Microsoft access day.exe CLEAN \Wbem\Scripting

HKEY_LOCAL_MACHINE\Software\Microsoft access, read day.exe CLEAN \Wbem\Scripting\Default Impersonation Level

HKEY_LOCAL_MACHINE\Software\Microsoft access, read day.exe CLEAN \Wbem\Scripting\Default Namespace

HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access day.exe CLEAN Zones\W. Europe Standard Time

HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access, read day.exe CLEAN Zones\W. Europe Standard Time\TZI

HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access day.exe CLEAN Zones\W. Europe Standard Time\Dynamic DST

HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access, read day.exe CLEAN Zones\W. Europe Standard Time\MUI_Display

HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access, read day.exe CLEAN Zones\W. Europe Standard Time\MUI_Std

HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access, read day.exe CLEAN Zones\W. Europe Standard Time\MUI_Dlt

HKEY_CURRENT_USER\Software\IncrediM access day.exe CLEAN ail\Identities

HKEY_LOCAL_MACHINE\SOFTWARE\Wow access day.exe CLEAN 6432Node\RealVNC\WinVNC4

HKEY_CURRENT_USER\SOFTWARE\Wow access day.exe CLEAN 6432Node\RealVNC\WinVNC4

HKEY_LOCAL_MACHINE\SOFTWARE\Real access day.exe CLEAN VNC\vncserver

HKEY_CURRENT_USER\SOFTWARE\Real access day.exe CLEAN VNC\vncserver

HKEY_LOCAL_MACHINE\SOFTWARE\Real access day.exe CLEAN VNC\WinVNC4

HKEY_CURRENT_USER\SOFTWARE\Real access day.exe CLEAN VNC\WinVNC4

HKEY_LOCAL_MACHINE\Software\ORL\Win access day.exe CLEAN VNC3

HKEY_CURRENT_USER\Software\ORL\Win access day.exe CLEAN VNC3

HKEY_LOCAL_MACHINE\Software\TightVN access day.exe CLEAN C\Server

HKEY_CURRENT_USER\Software\TightVNC access day.exe CLEAN \Server

HKEY_LOCAL_MACHINE\Software\TigerVN access day.exe CLEAN C\Server

HKEY_CURRENT_USER\Software\TigerVN access day.exe CLEAN C\Server

X-Ray Vision for Malware - www.vmray.com 16 / 20 DYNAMIC ANALYSIS REPORT #1192055

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\SOFTWARE\Marti access day.exe CLEAN n Prikryl\WinSCP 2\Sessions

HKEY_CURRENT_USER\Software\Aerofox\ access day.exe CLEAN FoxmailPreview

HKEY_CURRENT_USER\Software\Aerofox\ access day.exe CLEAN Foxmail\V3.1

HKEY_CURRENT_USER\Software\Qualcom access day.exe CLEAN m\Eudora\CommandLine

HKEY_CURRENT_USER\Software\FTPWare access, read day.exe CLEAN \COREFTP\Sites\Host

HKEY_CURRENT_USER\Software\Microsoft \Office\15.0\Outlook\Profiles\Outlook\9375CF access day.exe CLEAN F0413111d3B88A00104B2A6676

HKEY_CURRENT_USER\Software\Microsoft \Windows NT\CurrentVersion\Windows Messaging access day.exe CLEAN Subsystem\Profiles\Outlook\9375CFF041311 1d3B88A00104B2A6676

HKEY_CURRENT_USER\Software\Microsoft \Windows Messaging access day.exe CLEAN Subsystem\Profiles\9375CFF0413111d3B88 A00104B2A6676

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access day.exe CLEAN F0413111d3B88A00104B2A6676

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access day.exe CLEAN F0413111d3B88A00104B2A6676\00000001

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000001\ Email

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000001\I MAP Password

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000001\ POP3 Password

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000001\ HTTP Password

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000001\ SMTP Password

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access day.exe CLEAN F0413111d3B88A00104B2A6676\00000002

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\ Email

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\I MAP Password

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\ POP3 Password

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\ HTTP Password

X-Ray Vision for Malware - www.vmray.com 17 / 20 DYNAMIC ANALYSIS REPORT #1192055

Registry Key Operations Parent Process Name Verdict

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\ SMTP Password

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\ SMTP Server

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access day.exe CLEAN F0413111d3B88A00104B2A6676\00000003

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000003\ Email

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000003\I MAP Password

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000003\ POP3 Password

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000003\ HTTP Password

HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000003\ SMTP Password

HKEY_CURRENT_USER\Software\Downloa access day.exe CLEAN dManager\Passwords

HKEY_CURRENT_USER\Software\RimArts\ access day.exe CLEAN B2\Settings

HKEY_CURRENT_USER access day.exe CLEAN

HKEY_CURRENT_USER\SOFTWARE\Micro soft\Windows\CurrentVersion\Internet access day.exe CLEAN Settings\Connections

HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows\CurrentVersion\Internet access day.exe CLEAN Settings\Connections

HKEY_LOCAL_MACHINE\SOFTWARE\Polici es\Microsoft\Windows\CurrentVersion\Interne access day.exe CLEAN t Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Micr access day.exe CLEAN osoft\.NETFramework

HKEY_LOCAL_MACHINE\SOFTWARE\Micr access, read day.exe CLEAN osoft\.NETFramework\LegacyWPADSupport

Process

Process Name Commandline Verdict

day.exe "C:\Users\RDhJ0CNFevzX\Desktop\day.exe" MALICIOUS

day.exe "C:\Users\RDhJ0CNFevzX\Desktop\day.exe" SUSPICIOUS

X-Ray Vision for Malware - www.vmray.com 18 / 20 DYNAMIC ANALYSIS REPORT #1192055

YARA / AV

No YARA or AV matches available.

X-Ray Vision for Malware - www.vmray.com 19 / 20 DYNAMIC ANALYSIS REPORT #1192055

ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.1.1

Dynamic Engine Version 4.1.1 / 02/08/2021 15:19

Static Engine Version 1.6.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)

Built-in AV Database Update 2021-04-21 16:47:27+00:00 Release Date

VTI Ruleset Version 3.8

YARA Built-in Ruleset Version 1.5

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed

X-Ray Vision for Malware - www.vmray.com 20 / 20