MALICIOUS Threat Names: C2/Generic-A

DYNAMIC ANALYSIS REPORT #1298037

Classifications: Spyware
Verdict: MALICIOUS
Threat Names: C2/Generic-A
Verdict Reason: -

Sample Type: Windows Exe (x86-32)
Sample Name: Kvfwecxf.OR3.exe
ID: #451118
MD5: aa4ac54f3132c970ded1551ef80872d6
SHA1: 1d9bd7dac63323412ef02cba15acfa9632406b3d
SHA256: 275a1d8d7ae6503b4aac7a8636bcab66e3bfa0bb57215a1e1205107c1e854809
File Size: 292.00 KB
Report Created: 2021-05-03 09:37 (UTC+2)
Target Environment: win7_64_sp1_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com

OVERVIEW

VMRay Threat Identifiers (29 rules, 88 matches)

Score | Category | Operation | Count | Classification

5/5 | Data Collection | Tries to read cached credentials of various applications | 1 match | Spyware
  • Tries to read sensitive data of: Flock, Mozilla Firefox, Microsoft Outlook, Opera Mail, Opera, Ipswitch WS_FTP, k-Meleon, Internet Explorer, Postbox, TigerVNC, Pocomail, Internet Download Manager, BlackHawk, Cyberfox, IncrediMail, The Bat!, TightVNC, Comodo IceDragon, FileZilla, WinSCP, Internet Explorer / Edge, CoreFTP, OpenVPN, SeaMonkey, Mozilla Thunderbird, FTP Navigator.

4/5 | Defense Evasion | Tries to disable antivirus software | 2 matches | -
  • (Process #21) sc.exe stops a service related to Windows Defender via ControlService (API).
  • (Process #2) advancedrun.exe stops a service related to Windows Defender via the sc.exe utility.

4/5 | Reputation | Contacts known malicious IP address | 1 match | -
  • Reputation analysis labels the contacted IP address 208.91.198.143 as "C2/Generic-A".

2/5 | Privilege Escalation | Enables critical process privilege | 2 matches | -
  • (Process #2) advancedrun.exe enables critical process privilege "SeImpersonatePrivilege".
  • (Process #22) advancedrun.exe enables critical process privilege "SeImpersonatePrivilege".

2/5 | Hide Tracks | Deletes file after execution | 1 match | -
  • (Process #1) kvfwecxf.or3.exe deletes executed executable "c:\users\keecfmwgj\appdata\local\temp\advancedrun.exe".
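The Defense Evasion, Privilege Escalation and Hide Tracks findings above describe one chain: the sample drops NirSoft's advancedrun.exe into %TEMP%, launches it with a hidden window to run sc.exe against a Windows Defender service (and separately to start powershell.exe), then deletes the dropped helper. The script below is an added example, not part of the VMRay report, showing how a practitioner would turn that chain into three checks over process-creation and file-delete telemetry. The event records, command lines, the Defender service names and the pid numbers outside the report's process tree are constructed for the example; the report does not print command lines or the service it saw stopped.

```python
"""Behavioural triage over a constructed process/file event trace (added example)."""
import ntpath
import re

# Assumed Defender service names; the report only says "a service related to Windows Defender".
DEFENDER_SERVICES = {"windefend", "wdnissvc", "wdfilter", "wdboot", "wdnisdrv", "sense"}

# sc.exe invocations that take a service down or reconfigure it: "<path\>sc[.exe] <verb> <service>".
SC_TAMPER = re.compile(r"^\s*(?:\S*\\)?sc(?:\.exe)?\s+(stop|delete|config|pause)\s+(\S+)", re.I)

TEMP_DIR = "\\appdata\\local\\temp\\"
ADMIN_TOOLING = {"sc.exe", "powershell.exe", "cmd.exe", "wscript.exe"}

# Constructed trace; pids 1/2/21/22/23 follow the report's process numbers, pid 300 is a benign control.
EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0, "hidden_window": False,
     "image": r"C:\Users\keecfmwgj\Desktop\Kvfwecxf.OR3.exe", "cmdline": "Kvfwecxf.OR3.exe"},
    {"type": "process", "pid": 2, "ppid": 1, "hidden_window": True,
     "image": r"C:\Users\keecfmwgj\AppData\Local\Temp\advancedrun.exe",
     "cmdline": 'advancedrun.exe /EXEFilename sc.exe /CommandLine "stop WinDefend" /RunAs 8 /Run'},
    {"type": "process", "pid": 21, "ppid": 2, "hidden_window": True,
     "image": r"C:\Windows\System32\sc.exe", "cmdline": r"C:\Windows\System32\sc.exe stop WinDefend"},
    {"type": "process", "pid": 22, "ppid": 1, "hidden_window": True,
     "image": r"C:\Users\keecfmwgj\AppData\Local\Temp\advancedrun.exe",
     "cmdline": "advancedrun.exe /EXEFilename powershell.exe /RunAs 8 /Run"},
    {"type": "process", "pid": 23, "ppid": 22, "hidden_window": True,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"type": "file_delete", "pid": 1, "path": r"C:\Users\keecfmwgj\AppData\Local\Temp\advancedrun.exe"},
    {"type": "process", "pid": 300, "ppid": 299, "hidden_window": False,
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe query WinDefend"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def _procs(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(events, pid):
    """Image basenames from pid up to the root, e.g. ['sc.exe', 'advancedrun.exe', 'kvfwecxf.or3.exe']."""
    procs, chain, seen = _procs(events), [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(_basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def defender_service_tampering(events):
    """sc.exe stop/delete/config/pause of a Defender service -> (pid, verb, service, ancestry)."""
    hits = []
    for e in events:
        if e["type"] != "process" or _basename(e["image"]) != "sc.exe":
            continue
        m = SC_TAMPER.match(e["cmdline"])
        if m and m.group(2).lower() in DEFENDER_SERVICES:
            hits.append((e["pid"], m.group(1).lower(), m.group(2), ancestry(events, e["pid"])))
    return hits


def hidden_temp_launchers(events):
    """Hidden-window processes running from %TEMP% that spawn admin tooling -> (parent pid, parent, child)."""
    procs, out = _procs(events), []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if (parent and parent["hidden_window"] and TEMP_DIR in parent["image"].lower()
                and _basename(e["image"]) in ADMIN_TOOLING):
            out.append((parent["pid"], _basename(parent["image"]), _basename(e["image"])))
    return out


def dropper_self_cleanup(events):
    """A process deleting an executable it launched itself -> (deleter pid, path, launched pid)."""
    launched = {}
    for p in _procs(events).values():
        launched.setdefault((p["ppid"], p["image"].lower()), p["pid"])
    return [(e["pid"], e["path"], launched[(e["pid"], e["path"].lower())])
            for e in events
            if e["type"] == "file_delete" and (e["pid"], e["path"].lower()) in launched]


def triage(events):
    """Run all three checks; an empty list means the check did not fire."""
    return {
        "defender_service_tampering": defender_service_tampering(events),
        "hidden_temp_launchers": hidden_temp_launchers(events),
        "dropper_self_cleanup": dropper_self_cleanup(events),
    }


if __name__ == "__main__":
    for name, findings in triage(EVENTS).items():
        print(f"{name}: {findings}")
```

The benign `sc.exe query` on pid 300 is there to show why the check keys on the verb and the target service rather than on sc.exe alone; the ancestry attached to each hit is what lets an analyst see at a glance that the stop came from a %TEMP%-resident helper launched by the sample, which is the report's own reading of processes #1, #2 and #21.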
2/5 | Data Collection | Reads sensitive browser data | 9 matches | -
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Opera" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "BlackHawk" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Flock" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "k-Meleon" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Cyberfox" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.

2/5 | Data Collection | Reads sensitive application data | 6 matches | -
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "TightVNC" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "TigerVNC" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "SeaMonkey" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "OpenVPN" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "WinSCP" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of application "Internet Download Manager" by registry.

2/5 | Data Collection | Reads sensitive mail data | 7 matches | -
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Opera Mail" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "IncrediMail" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "The Bat!" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Pocomail" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Postbox" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of mail application "Mozilla Thunderbird" by file.

2/5 | Data Collection | Reads sensitive ftp data | 5 matches | -
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "Ipswitch WS_FTP" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "CoreFTP" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "CoreFTP" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "FTP Navigator" by file.
  • (Process #25) kvfwecxf.or3.exe tries to read sensitive data of ftp application "FileZilla" by file.

2/5 | Discovery | Queries OS version via WMI | 1 match | -
  • (Process #25) kvfwecxf.or3.exe queries OS version via WMI.

2/5 | Discovery | Executes WMI query | 2 matches | -
  • (Process #25) kvfwecxf.or3.exe executes WMI query: select * from Win32_OperatingSystem.
  • (Process #25) kvfwecxf.or3.exe executes WMI query: SELECT * FROM Win32_Processor.

2/5 | Discovery | Collects hardware properties | 1 match | -
  • (Process #25) kvfwecxf.or3.exe queries hardware properties via WMI.

2/5 | Anti Analysis | Tries to detect virtual machine | 1 match | -
  • Multiple processes are possibly trying to detect a VM via rdtsc.

2/5 | Injection | Writes into the memory of a process running from a created or modified executable | 1 match | -
  • (Process #1) kvfwecxf.or3.exe modifies memory of (process #25) kvfwecxf.or3.exe.

2/5 | Injection | Modifies control flow of a process running from a created or modified executable | 1 match | -
  • (Process #1) kvfwecxf.or3.exe alters context of (process #25) kvfwecxf.or3.exe.

1/5 | Privilege Escalation | Enables process privilege | 4 matches | -
  • (Process #1) kvfwecxf.or3.exe enables process privilege "SeDebugPrivilege".
  • (Process #2) advancedrun.exe enables process privilege "SeDebugPrivilege".
  • (Process #22) advancedrun.exe enables process privilege "SeDebugPrivilege".
  • (Process #25) kvfwecxf.or3.exe enables process privilege "SeDebugPrivilege".

1/5 | Hide Tracks | Creates process with hidden window | 6 matches | -
  • (Process #1) kvfwecxf.or3.exe starts (process #2) advancedrun.exe with a hidden window.
  • (Process #2) advancedrun.exe starts (process #21) sc.exe with a hidden window.
  • (Process #1) kvfwecxf.or3.exe starts (process #22) advancedrun.exe with a hidden window.
  • (Process #22) advancedrun.exe starts (process #23) powershell.exe with a hidden window.
  • (Process #1) kvfwecxf.or3.exe starts (process #25) kvfwecxf.or3.exe with a hidden window.
  • (Process #24) wscript.exe starts (process #24) wscript.exe with a hidden window.

1/5 | Discovery | Enumerates running processes | 3 matches | -
  • (Process #2) advancedrun.exe enumerates running processes.
  • (Process #22) advancedrun.exe enumerates running processes.
  • (Process #1) kvfwecxf.or3.exe enumerates running processes.

1/5 | Mutex | Creates mutex | 1 match | -
  • (Process #1) kvfwecxf.or3.exe creates mutex with name "Ojimkn".

1/5 | Obfuscation | Reads from memory of another process | 1 match | -
  • (Process #1) kvfwecxf.or3.exe reads from (process #25) kvfwecxf.or3.exe.

1/5 | Obfuscation | Creates a page with write and execute permissions | 1 match | -
  • (Process #1) kvfwecxf.or3.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 | Discovery | Possibly does reconnaissance | 22 matches | -
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "RealVNC" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "TightVNC" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "TigerVNC" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "Foxmail" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "blackHawk" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "Opera Mail" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "SeaMonkey" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "WS_FTP" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "CoreFTP" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "icecat" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "FTP Navigator" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "Mozilla Firefox" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "FileZilla" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "Flock" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "Qualcomm Eudora" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "k-Meleon" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "The Bat!" by file.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application "WinSCP" by registry.
  • (Process #25) kvfwecxf.or3.exe tries to gather information about application
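The Data Collection rows (browser, application, mail and FTP data) and the reconnaissance row all describe the same behaviour from one process: #25 walks the saved-credential stores of two dozen applications it has nothing to do with, by file and by registry, inside a short burst. That spray across unrelated applications is the signal, not any single read. The script below is an added example, not part of the VMRay report, of a detector for that pattern over file- and registry-read telemetry: it attributes each access to an application, ignores the application reading its own store, and flags a process that reaches several foreign stores within a time window. The store locations, owner image names, timestamps and the benign control processes are assumptions constructed for the example; the report does not list the paths or keys it observed.

```python
"""Credential-store sweep detection over a constructed file/registry access trace (added example)."""
import ntpath
import re

# (application, images expected to read the store, regex over the lower-cased path or registry key)
# Locations are assumed for the example, not taken from the report.
CREDENTIAL_STORES = [
    ("Mozilla Firefox", {"firefox.exe"}, r"\\mozilla\\firefox\\profiles\\[^\\]+\\(logins\.json|key4\.db)$"),
    ("Mozilla Thunderbird", {"thunderbird.exe"}, r"\\thunderbird\\profiles\\[^\\]+\\(logins\.json|key4\.db)$"),
    ("Opera", {"opera.exe"}, r"\\opera software\\opera stable\\login data$"),
    ("FileZilla", {"filezilla.exe"}, r"\\filezilla\\(recentservers|sitemanager)\.xml$"),
    ("WinSCP", {"winscp.exe"}, r"^hkcu\\software\\martin prikryl\\winscp 2\\sessions"),
    ("TightVNC", {"tvnserver.exe"}, r"^hklm\\software\\tightvnc\\server"),
    ("CoreFTP", {"coreftp.exe"}, r"^hkcu\\software\\ftpware\\coreftp\\sites"),
    ("Microsoft Outlook", {"outlook.exe"}, r"^hkcu\\software\\microsoft\\office\\\d+\.0\\outlook\\profiles"),
    ("Internet Download Manager", {"idman.exe"}, r"^hkcu\\software\\downloadmanager\\passwords"),
]
_COMPILED = [(app, owners, re.compile(rx)) for app, owners, rx in CREDENTIAL_STORES]

PROFILE = r"C:\Users\keecfmwgj\AppData\Roaming"
STEALER = r"C:\Users\keecfmwgj\Desktop\Kvfwecxf.OR3.exe"

# Constructed trace: pid 25 mirrors the report's sweep; pids 400 and 401 are benign controls.
EVENTS = [
    {"ts": 1.0, "pid": 400, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "op": "file_read", "target": PROFILE + r"\Mozilla\Firefox\Profiles\a1b2c3d4.default\logins.json"},
    {"ts": 2.0, "pid": 401, "image": r"C:\Program Files\BackupAgent\backup.exe",
     "op": "file_read", "target": PROFILE + r"\Mozilla\Firefox\Profiles\a1b2c3d4.default\logins.json"},
    {"ts": 10.0, "pid": 25, "image": STEALER, "op": "file_read",
     "target": PROFILE + r"\Mozilla\Firefox\Profiles\a1b2c3d4.default\logins.json"},
    {"ts": 10.1, "pid": 25, "image": STEALER, "op": "file_read",
     "target": PROFILE + r"\Mozilla\Firefox\Profiles\a1b2c3d4.default\key4.db"},
    {"ts": 10.3, "pid": 25, "image": STEALER, "op": "file_read",
     "target": PROFILE + r"\Thunderbird\Profiles\x9y8z7.default\logins.json"},
    {"ts": 10.5, "pid": 25, "image": STEALER, "op": "file_read",
     "target": PROFILE + r"\Opera Software\Opera Stable\Login Data"},
    {"ts": 10.7, "pid": 25, "image": STEALER, "op": "file_read",
     "target": PROFILE + r"\FileZilla\recentservers.xml"},
    {"ts": 11.0, "pid": 25, "image": STEALER, "op": "reg_read",
     "target": r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"ts": 11.2, "pid": 25, "image": STEALER, "op": "reg_read",
     "target": r"HKLM\SOFTWARE\TightVNC\Server"},
    {"ts": 11.5, "pid": 25, "image": STEALER, "op": "reg_read",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"ts": 12.0, "pid": 25, "image": STEALER, "op": "file_read",
     "target": r"C:\Windows\System32\kernel32.dll"},  # unrelated read, must not count
]


def classify(target):
    """Map a path or registry key to (application, owner images), or None if it is not a known store."""
    t = target.lower()
    for app, owners, rx in _COMPILED:
        if rx.search(t):
            return app, owners
    return None


def credential_store_sweep(events, min_apps=3, window_s=60.0):
    """Per pid, the largest set of foreign credential stores read inside any window_s-second window.

    Returns {pid: {"image", "apps", "span"}} for pids reaching min_apps distinct applications.
    An application reading its own store (firefox.exe -> logins.json) is not counted.
    """
    foreign = {}
    for e in events:
        hit = classify(e["target"])
        if hit is None:
            continue
        app, owners = hit
        if ntpath.basename(e["image"]).lower() in owners:
            continue
        foreign.setdefault(e["pid"], []).append((e["ts"], app, e["image"]))

    findings = {}
    for pid, accesses in foreign.items():
        accesses.sort()
        best = None
        for i, (t0, _, _) in enumerate(accesses):
            in_win = [x for x in accesses[i:] if x[0] - t0 <= window_s]
            apps = {a for _, a, _ in in_win}
            if best is None or len(apps) > len(best[0]):
                best = (apps, t0, in_win[-1][0])
        apps, first, last = best
        if len(apps) >= min_apps:
            findings[pid] = {"image": ntpath.basename(accesses[0][2]), "apps": sorted(apps), "span": (first, last)}
    return findings


if __name__ == "__main__":
    for pid, f in credential_store_sweep(EVENTS).items():
        print(f"pid {pid} ({f['image']}) swept {len(f['apps'])} stores in {f['span']}: {f['apps']}")
```

Counting distinct applications rather than raw reads is what separates a stealer from a backup agent (pid 401 touches one foreign store and stays below the threshold), and the owner allow-list is what keeps Firefox's own reads out of the picture. The report's Internet Explorer finding ("by reading from the system's credential vault") is an API-level read rather than a path access and would need a separate hook on the credential-manager calls; this detector covers only file and registry stores.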

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 53