MALICIOUS Threat Names:
DYNAMIC ANALYSIS REPORT #1192055
Classifications: Spyware
MALICIOUS Threat Names: -
Verdict Reason: -
Sample Type Windows Exe (x86-32)
Sample Name day.exe
ID #392540
MD5 ed2074f92b6b66a0679cb47d94308c16
SHA1 5b50ce89380b618206e3bd4fc6ea96924657c3f8
SHA256 6ea1db252f87c50be810c36e4bd97c56e15a1aa8744de8855591ccaf48afa72f
File Size 1033.50 KB
Report Created 2021-04-21 22:57 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 20 DYNAMIC ANALYSIS REPORT #1192055
OVERVIEW
VMRay Threat Identifiers (19 rules, 63 matches)
Score Category Operation Count Classification
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: WinSCP, FileZilla, Opera Mail, Microsoft Outlook, Internet Explorer, Opera, TigerVNC, Ipswitch WS_FTP, Internet Download Manager, BlackHawk, Postbox, Mozilla Thunderbird, Mozilla Firefox, The Bat!, TightVNC, CoreFTP, FTP Navigator, Comodo IceDragon, SeaMonkey, k-Meleon, Flock, Cyberfox, IncrediMail, Pocomail.
2/5 Anti Analysis Tries to detect debugger 1 -
• (Process #1) day.exe tries to detect a debugger via API "IsDebuggerPresent".
2/5 Data Collection Reads sensitive browser data 8 -
• (Process #2) day.exe tries to read sensitive data of web browser "Opera" by file.
• (Process #2) day.exe tries to read sensitive data of web browser "BlackHawk" by file.
• (Process #2) day.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #2) day.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.
• (Process #2) day.exe tries to read sensitive data of web browser "Flock" by file.
• (Process #2) day.exe tries to read sensitive data of web browser "Cyberfox" by file.
• (Process #2) day.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #2) day.exe tries to read sensitive data of web browser "k-Meleon" by file.
2/5 Data Collection Reads sensitive mail data 7 -
• (Process #2) day.exe tries to read sensitive data of mail application "IncrediMail" by registry.
• (Process #2) day.exe tries to read sensitive data of mail application "Postbox" by file.
• (Process #2) day.exe tries to read sensitive data of mail application "Pocomail" by file.
• (Process #2) day.exe tries to read sensitive data of mail application "Opera Mail" by file.
• (Process #2) day.exe tries to read sensitive data of mail application "The Bat!" by file.
• (Process #2) day.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
• (Process #2) day.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.
2/5 Data Collection Reads sensitive application data 5 -
• (Process #2) day.exe tries to read sensitive data of application "TightVNC" by registry.
• (Process #2) day.exe tries to read sensitive data of application "TigerVNC" by registry.
• (Process #2) day.exe tries to read sensitive data of application "WinSCP" by registry.
• (Process #2) day.exe tries to read sensitive data of application "SeaMonkey" by file.
• (Process #2) day.exe tries to read sensitive data of application "Internet Download Manager" by registry.
2/5 Data Collection Reads sensitive ftp data 5 -
• (Process #2) day.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
• (Process #2) day.exe tries to read sensitive data of ftp application "FileZilla" by file.
• (Process #2) day.exe tries to read sensitive data of ftp application "CoreFTP" by file.
• (Process #2) day.exe tries to read sensitive data of ftp application "CoreFTP" by registry.
• (Process #2) day.exe tries to read sensitive data of ftp application "Ipswitch WS_FTP" by file.
2/5 Discovery Queries OS version via WMI 1 -
• (Process #2) day.exe queries OS version via WMI.
2/5 Discovery Executes WMI query 2 -
X-Ray Vision for Malware - www.vmray.com 2 / 20 DYNAMIC ANALYSIS REPORT #1192055
• (Process #2) day.exe executes WMI query: select * from Win32_OperatingSystem.
• (Process #2) day.exe executes WMI query: SELECT * FROM Win32_Processor.
2/5 Discovery Collects hardware properties 1 -
• (Process #2) day.exe queries hardware properties via WMI.
2/5 Injection Writes into the memory of a process running from a created or modified executable 1 -
• (Process #1) day.exe modifies memory of (process #2) day.exe.
2/5 Injection Modifies control flow of a process running from a created or modified executable 1 -
• (Process #1) day.exe alters context of (process #2) day.exe.
1/5 Privilege Escalation Enables process privilege 2 -
• (Process #1) day.exe enables process privilege "SeDebugPrivilege".
• (Process #2) day.exe enables process privilege "SeDebugPrivilege".
1/5 Discovery Enumerates running processes 1 -
• (Process #1) day.exe enumerates running processes.
1/5 Hide Tracks Creates process with hidden window 1 -
• (Process #1) day.exe starts (process #1) day.exe with a hidden window.
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #1) day.exe reads from (process #1) day.exe.
1/5 Obfuscation Creates a page with write and execute permissions 1 -
• (Process #1) day.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 Discovery Possibly does reconnaissance 22 -
• (Process #2) day.exe tries to gather information about application "Postbox" by file.
• (Process #2) day.exe tries to gather information about application "blackHawk" by file.
• (Process #2) day.exe tries to gather information about application "RealVNC" by registry.
• (Process #2) day.exe tries to gather information about application "TightVNC" by registry.
• (Process #2) day.exe tries to gather information about application "TigerVNC" by registry.
• (Process #2) day.exe tries to gather information about application "Pocomail" by file.
• (Process #2) day.exe tries to gather information about application "WinSCP" by registry.
• (Process #2) day.exe tries to gather information about application "Foxmail" by registry.
• (Process #2) day.exe tries to gather information about application "Qualcomm Eudora" by registry.
• (Process #2) day.exe tries to gather information about application "Comodo IceDragon" by file.
• (Process #2) day.exe tries to gather information about application "Flock" by file.
• (Process #2) day.exe tries to gather information about application "SeaMonkey" by file.
• (Process #2) day.exe tries to gather information about application "Opera Mail" by file.
• (Process #2) day.exe tries to gather information about application "FTP Navigator" by file.
• (Process #2) day.exe tries to gather information about application "Cyberfox" by file.
• (Process #2) day.exe tries to gather information about application "FileZilla" by file.
• (Process #2) day.exe tries to gather information about application "CoreFTP" by file.
• (Process #2) day.exe tries to gather information about application "The Bat!" by file.
• (Process #2) day.exe tries to gather information about application "icecat" by file.
• (Process #2) day.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #2) day.exe tries to gather information about application "WS_FTP" by file.
• (Process #2) day.exe tries to gather information about application "k-Meleon" by file.
X-Ray Vision for Malware - www.vmray.com 3 / 20 DYNAMIC ANALYSIS REPORT #1192055
1/5 Obfuscation Resolves API functions dynamically 1 -
• (Process #2) day.exe resolves 50 API functions by name.
1/5 Execution Executes itself 1 -
• (Process #1) day.exe executes a copy of the sample at c:\users\rdhj0cnfevzx\desktop\day.exe.
X-Ray Vision for Malware - www.vmray.com 4 / 20 DYNAMIC ANALYSIS REPORT #1192055
Mitre ATT&CK Matrix
Command Initial Privilege Defense Credential Lateral Execution Persistence Discovery Collection and Exfiltration Impact Access Escalation Evasion Access Movement Control
#T1057 ------Process - - - - - Discovery
#T1143 - - - - Hidden ------Window
#T1045 - - - - Software ------Packing
#T1119 ------Automated - - - Collection
#T1081 - - - - - Credentials ------in Files
#T1083 File and ------Directory Discovery
#T1005 Data ------from Local - - - System
#T1214 - - - - - Credentials ------in Registry
#T1012 ------Query - - - - - Registry
#T1003 - - - - - Credential ------Dumping
#T1047 Windows - Management ------Instrumentati on
#T1082 System ------Information Discovery
X-Ray Vision for Malware - www.vmray.com 5 / 20 DYNAMIC ANALYSIS REPORT #1192055
Sample Information
ID 1192055
MD5 ed2074f92b6b66a0679cb47d94308c16
SHA1 5b50ce89380b618206e3bd4fc6ea96924657c3f8
SHA256 6ea1db252f87c50be810c36e4bd97c56e15a1aa8744de8855591ccaf48afa72f
SSDeep 24576:TU7CI8+QipsxB26pZ0yw1ejJXUr9QnaFo3yRRRRR2C:TqPHu+MjJXuQaF6yRRRRR2C
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
Filename day.exe
File Size 1033.50 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-04-21 22:57 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 2
Execution Successfull False
Reputation Analysis Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 0
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
X-Ray Vision for Malware - www.vmray.com 6 / 20 DYNAMIC ANALYSIS REPORT #1192055
X-Ray Vision for Malware - www.vmray.com 7 / 20 DYNAMIC ANALYSIS REPORT #1192055
NETWORK
General
0 bytes total sent
0 bytes total received
0 ports
0 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
HTTP/S
0 URLs contacted, 0 servers
0 sessions, 0 bytes sent, 0 bytes recivied
DNS Requests
-
HTTP Requests
-
X-Ray Vision for Malware - www.vmray.com 8 / 20 DYNAMIC ANALYSIS REPORT #1192055
BEHAVIOR
Process Graph
Modify Memory #1 Modify Control Flow #2 Sample Start day.exe Child Process day.exe
X-Ray Vision for Malware - www.vmray.com 9 / 20 DYNAMIC ANALYSIS REPORT #1192055
Process #1: day.exe
ID 1
Filename c:\users\rdhj0cnfevzx\desktop\day.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\day.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 52977, Reason: Analysis Target
Unmonitor End Time End Time: 180722, Reason: Terminated
Monitor Duration 127.75s
Return Code 0
PID 2992
Parent PID 2104
Bitness 32 Bit
Host Behavior
Type Count
Module 30
System 1
Window 4
Registry 3
File 1
Environment 2
User 1
Process 3
- 2
- 3
- 7
X-Ray Vision for Malware - www.vmray.com 10 / 20 DYNAMIC ANALYSIS REPORT #1192055
Process #2: day.exe
ID 2
Filename c:\users\rdhj0cnfevzx\desktop\day.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\day.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 179034, Reason: Child Process
Unmonitor End Time End Time: 293077, Reason: Terminated by Timeout
Monitor Duration 114.04s
Return Code Unknown
PID 3216
Parent PID 2992
Bitness 32 Bit
Injection Information (6)
Injection Type Source Process Source / Target TID Address / Name Size Success Count
#1: c: Modify Memory \users\rdhj0cnfevzx\des 0xe24 0x400000(4194304) 0x200 1 ktop\day.exe
#1: c: Modify Memory \users\rdhj0cnfevzx\des 0xe24 0x402000(4202496) 0x35800 1 ktop\day.exe
#1: c: Modify Memory \users\rdhj0cnfevzx\des 0xe24 0x438000(4423680) 0x600 1 ktop\day.exe
#1: c: Modify Memory \users\rdhj0cnfevzx\des 0xe24 0x43a000(4431872) 0x200 1 ktop\day.exe
#1: c: Modify Memory \users\rdhj0cnfevzx\des 0xe24 0x285008(2641928) 0x4 1 ktop\day.exe
#1: c: Modify Control Flow \users\rdhj0cnfevzx\des 0xe24 / 0x958 - 1 ktop\day.exe
Host Behavior
Type Count
Module 59
Window 3
System 24
Registry 99
User 4
- 25
File 105
COM 47
Environment 26
- 3
X-Ray Vision for Malware - www.vmray.com 11 / 20 DYNAMIC ANALYSIS REPORT #1192055
ARTIFACTS
File
SHA256 Filenames Category Filesize MIME Type Operations Verdict
6ea1db252f87c50be810 C: application/ c36e4bd97c56e15a1aa \Users\RDhJ0CNFevzX\ Sample File 1033.50 KB vnd.microsoft.portable- MALICIOUS 8744de8855591ccaf48a Desktop\day.exe executable fa72f
Filename
Filename Category Operations Verdict
C: \Users\RDhJ0CNFevzX\Desktop\day.exe.con Accessed File Access CLEAN fig
C: \Windows\Microsoft.NET\Framework\v4.0.30 Accessed File Access, Read CLEAN 319\Config\machine.config
C: \Windows\Microsoft.NET\Framework\v4.0.30 Accessed File Access CLEAN 319\config\machine.config
C: \Users\RDhJ0CNFevzX\AppData\Local\7Star\ Accessed File Access CLEAN 7Star\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Coow Accessed File Access CLEAN on\Coowon\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Sputn Accessed File Access CLEAN ik\Sputnik\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\CocC Accessed File Access CLEAN oc\Browser\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\QIP Accessed File Access CLEAN Surf\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\uCoz Accessed File Access CLEAN Media\Uran\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Catali Accessed File Access CLEAN naGroup\Citrio\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Iridiu Accessed File Access CLEAN m\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Vival Accessed File Access CLEAN di\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Amig Accessed File Access CLEAN o\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Torch Accessed File Access CLEAN \User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Chro Accessed File Access CLEAN mium\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Brave Accessed File Access CLEAN Software\Brave-Browser\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Yand Accessed File Access CLEAN ex\YandexBrowser\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Ched Accessed File Access CLEAN ot\User Data
X-Ray Vision for Malware - www.vmray.com 12 / 20 DYNAMIC ANALYSIS REPORT #1192055
Filename Category Operations Verdict
C: \Users\RDhJ0CNFevzX\AppData\Local\Epic Accessed File Access CLEAN Privacy Browser\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Mapl Accessed File Access CLEAN eStudio\ChromePlus\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Orbit Accessed File Access CLEAN um\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Fenrir Accessed File Access CLEAN Inc\Sleipnir5\setting\modules\ChromiumView er
C: \Users\RDhJ0CNFevzX\AppData\Local\360C Accessed File Access CLEAN hrome\Chrome\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Elem Accessed File Access CLEAN ents Browser\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Como Accessed File Access CLEAN do\Dragon\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Cent Accessed File Access CLEAN Browser\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Kome Accessed File Access CLEAN ta\User Data
C: \Users\RDhJ0CNFevzX\AppData\Roaming\O Accessed File Access CLEAN pera Software\Opera Stable
C: \Users\RDhJ0CNFevzX\AppData\Local\liebao Accessed File Access CLEAN \User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Tence Accessed File Access CLEAN nt\QQBrowser\User Data
C: \Users\RDhJ0CNFevzX\AppData\Local\Tence Accessed File Access CLEAN nt\QQBrowser\User Data\Default\EncryptedStorage
C: \Users\RDhJ0CNFevzX\AppData\Roaming\M Accessed File Access CLEAN oonchild Productions\Pale Moon\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Tr Accessed File Access CLEAN illian\users\global\accounts.dat
C: \Users\RDhJ0CNFevzX\AppData\Roaming\P Accessed File Access CLEAN ostbox\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Roaming\N Accessed File Access CLEAN ETGATE Technologies\BlackHawk\profiles.ini
C:\Program Files (x86)\uvnc Accessed File Access CLEAN bvba\UltraVNC\ultravnc.ini
C:\Program Files (x86)\UltraVNC\ultravnc.ini Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Local\Micro Accessed File Access CLEAN soft\Edge\User Data
C:\Program Files Accessed File Access CLEAN (x86)\jDownloader\config\database.script
C: \Users\RDhJ0CNFevzX\AppData\Roaming\P Accessed File Access CLEAN ocomail\accounts.ini
X-Ray Vision for Malware - www.vmray.com 13 / 20 DYNAMIC ANALYSIS REPORT #1192055
Filename Category Operations Verdict
C:\Program Files (x86)\Common Files\Apple\Apple Application Accessed File Access CLEAN Support\plutil.exe
C: \Users\RDhJ0CNFevzX\AppData\Local\Mailbi Accessed File Access CLEAN rd\Store\Store.db
C:\Storage\ Accessed File Access CLEAN
C:\mail\ Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Local\Virtua Accessed File Access CLEAN lStore\Program Files\Foxmail\mail\
C: \Users\RDhJ0CNFevzX\AppData\Local\Virtua Accessed File Access CLEAN lStore\Program Files (x86)\Foxmail\mail\
C: \Users\RDhJ0CNFevzX\AppData\Roaming\C Accessed File Access CLEAN omodo\IceDragon\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Fl Accessed File Access CLEAN ock\Browser\profiles.ini
C:\cftp\Ftplist.txt Accessed File Access CLEAN
C:\Program Files\Private Internet Access\data Accessed File Access CLEAN
C:\Private Internet Access\data Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Roaming\M Accessed File Access CLEAN ozilla\SeaMonkey\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Local\Googl Accessed File Access CLEAN e\Chrome\User Data\
C: \Users\RDhJ0CNFevzX\AppData\Roaming\O Accessed File Access CLEAN pera Mail\Opera Mail\wand.dat
C:\FTP Navigator\Ftplist.txt Accessed File Access CLEAN
C: \Users\RDhJ0CNFevzX\AppData\Local\falkon Accessed File Access CLEAN \profiles\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Roaming\8 Accessed File Access CLEAN pecxstudios\Cyberfox\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Roaming\e Accessed File Access CLEAN M Client
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Fil Accessed File Access CLEAN eZilla\recentservers.xml
C: \Users\RDhJ0CNFevzX\AppData\Roaming\C Accessed File Access CLEAN oreFTP\sites.idx
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Cl Accessed File Access CLEAN aws-mail
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Cl Accessed File Access CLEAN aws-mail\clawsrc
C: \Users\RDhJ0CNFevzX\AppData\Roaming\W Accessed File Access CLEAN aterfox\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Roaming\T Accessed File Access CLEAN he Bat!
X-Ray Vision for Malware - www.vmray.com 14 / 20 DYNAMIC ANALYSIS REPORT #1192055
Filename Category Operations Verdict
C: \Users\RDhJ0CNFevzX\AppData\Roaming\M Accessed File Access CLEAN ozilla\icecat\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Roaming\F Accessed File Access CLEAN TPGetter\servers.xml
C: \Users\RDhJ0CNFevzX\AppData\Roaming\M Accessed File Access CLEAN ozilla\Firefox\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Roaming\Ip Accessed File Access CLEAN switch\WS_FTP\Sites\ws_ftp.ini
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.da Accessed File Access CLEAN t
C: \Users\RDhJ0CNFevzX\AppData\Roaming\K- Accessed File Access CLEAN Meleon\profiles.ini
C: \Users\RDhJ0CNFevzX\AppData\Roaming\T Accessed File Access CLEAN hunderbird\profiles.ini
C:\Users\RDhJ0CNFevzX\Desktop\Folder.lst Accessed File Access CLEAN
URL
-
Domain
-
IP
-
-
Email Address
-
Mutex
-
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft access day.exe CLEAN \.NETFramework
HKEY_LOCAL_MACHINE\Software\Microsoft \.NETFramework\DbgJITDebugLaunchSettin access, read day.exe CLEAN g
HKEY_LOCAL_MACHINE\Software\Microsoft access, read day.exe CLEAN \.NETFramework\DbgManagedDebugger
HKEY_PERFORMANCE_DATA access day.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft access day.exe CLEAN \Windows NT\CurrentVersion
X-Ray Vision for Malware - www.vmray.com 15 / 20 DYNAMIC ANALYSIS REPORT #1192055
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft access, read day.exe CLEAN \Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Micr access day.exe CLEAN osoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\Micr access day.exe CLEAN osoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\.NETFramework\v4.0.30319\SchUseStr access, read day.exe CLEAN ongCrypto
HKEY_LOCAL_MACHINE\Software\Microsoft access day.exe CLEAN \Wbem\Scripting
HKEY_LOCAL_MACHINE\Software\Microsoft access, read day.exe CLEAN \Wbem\Scripting\Default Impersonation Level
HKEY_LOCAL_MACHINE\Software\Microsoft access, read day.exe CLEAN \Wbem\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access day.exe CLEAN Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access, read day.exe CLEAN Zones\W. Europe Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access day.exe CLEAN Zones\W. Europe Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access, read day.exe CLEAN Zones\W. Europe Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access, read day.exe CLEAN Zones\W. Europe Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows NT\CurrentVersion\Time access, read day.exe CLEAN Zones\W. Europe Standard Time\MUI_Dlt
HKEY_CURRENT_USER\Software\IncrediM access day.exe CLEAN ail\Identities
HKEY_LOCAL_MACHINE\SOFTWARE\Wow access day.exe CLEAN 6432Node\RealVNC\WinVNC4
HKEY_CURRENT_USER\SOFTWARE\Wow access day.exe CLEAN 6432Node\RealVNC\WinVNC4
HKEY_LOCAL_MACHINE\SOFTWARE\Real access day.exe CLEAN VNC\vncserver
HKEY_CURRENT_USER\SOFTWARE\Real access day.exe CLEAN VNC\vncserver
HKEY_LOCAL_MACHINE\SOFTWARE\Real access day.exe CLEAN VNC\WinVNC4
HKEY_CURRENT_USER\SOFTWARE\Real access day.exe CLEAN VNC\WinVNC4
HKEY_LOCAL_MACHINE\Software\ORL\Win access day.exe CLEAN VNC3
HKEY_CURRENT_USER\Software\ORL\Win access day.exe CLEAN VNC3
HKEY_LOCAL_MACHINE\Software\TightVN access day.exe CLEAN C\Server
HKEY_CURRENT_USER\Software\TightVNC access day.exe CLEAN \Server
HKEY_LOCAL_MACHINE\Software\TigerVN access day.exe CLEAN C\Server
HKEY_CURRENT_USER\Software\TigerVN access day.exe CLEAN C\Server
X-Ray Vision for Malware - www.vmray.com 16 / 20 DYNAMIC ANALYSIS REPORT #1192055
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\SOFTWARE\Marti access day.exe CLEAN n Prikryl\WinSCP 2\Sessions
HKEY_CURRENT_USER\Software\Aerofox\ access day.exe CLEAN FoxmailPreview
HKEY_CURRENT_USER\Software\Aerofox\ access day.exe CLEAN Foxmail\V3.1
HKEY_CURRENT_USER\Software\Qualcom access day.exe CLEAN m\Eudora\CommandLine
HKEY_CURRENT_USER\Software\FTPWare access, read day.exe CLEAN \COREFTP\Sites\Host
HKEY_CURRENT_USER\Software\Microsoft \Office\15.0\Outlook\Profiles\Outlook\9375CF access day.exe CLEAN F0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft \Windows NT\CurrentVersion\Windows Messaging access day.exe CLEAN Subsystem\Profiles\Outlook\9375CFF041311 1d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft \Windows Messaging access day.exe CLEAN Subsystem\Profiles\9375CFF0413111d3B88 A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access day.exe CLEAN F0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access day.exe CLEAN F0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000001\ Email
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000001\I MAP Password
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000001\ POP3 Password
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000001\ HTTP Password
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000001\ SMTP Password
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access day.exe CLEAN F0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\ Email
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\I MAP Password
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\ POP3 Password
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\ HTTP Password
X-Ray Vision for Malware - www.vmray.com 17 / 20 DYNAMIC ANALYSIS REPORT #1192055
Registry Key Operations Parent Process Name Verdict
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\ SMTP Password
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000002\ SMTP Server
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access day.exe CLEAN F0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000003\ Email
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000003\I MAP Password
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000003\ POP3 Password
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000003\ HTTP Password
HKEY_CURRENT_USER\Software\Microsoft \Office\16.0\Outlook\Profiles\Outlook\9375CF access, read day.exe CLEAN F0413111d3B88A00104B2A6676\00000003\ SMTP Password
HKEY_CURRENT_USER\Software\Downloa access day.exe CLEAN dManager\Passwords
HKEY_CURRENT_USER\Software\RimArts\ access day.exe CLEAN B2\Settings
HKEY_CURRENT_USER access day.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Micro soft\Windows\CurrentVersion\Internet access day.exe CLEAN Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\Windows\CurrentVersion\Internet access day.exe CLEAN Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Polici es\Microsoft\Windows\CurrentVersion\Interne access day.exe CLEAN t Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Micr access day.exe CLEAN osoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Micr access, read day.exe CLEAN osoft\.NETFramework\LegacyWPADSupport
Process
Process Name Commandline Verdict
day.exe "C:\Users\RDhJ0CNFevzX\Desktop\day.exe" MALICIOUS
day.exe "C:\Users\RDhJ0CNFevzX\Desktop\day.exe" SUSPICIOUS
X-Ray Vision for Malware - www.vmray.com 18 / 20 DYNAMIC ANALYSIS REPORT #1192055
YARA / AV
No YARA or AV matches available.
X-Ray Vision for Malware - www.vmray.com 19 / 20 DYNAMIC ANALYSIS REPORT #1192055
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.1.1
Dynamic Engine Version 4.1.1 / 02/08/2021 15:19
Static Engine Version 1.6.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)
Built-in AV Database Update 2021-04-21 16:47:27+00:00 Release Date
VTI Ruleset Version 3.8
YARA Built-in Ruleset Version 1.5
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed
X-Ray Vision for Malware - www.vmray.com 20 / 20