CAPE

Task #90404: QakBot


Analysis

Category: FILE
Package: exe
Started: 2019-09-11 11:03:37
Completed: 2019-09-11 11:04:25
Duration: 48 seconds
Options:
route = internet
procdump = 1

Log:
2019-09-11 12:03:38,000 [root] INFO: Date set to: 09-11-19, time set to: 11:03:38, timeout set to: 200
2019-09-11 12:03:38,015 [root] DEBUG: Starting analyzer from: C:\gleuhdpeso
2019-09-11 12:03:38,015 [root] DEBUG: Storing results at: C:\yaRohhx
2019-09-11 12:03:38,015 [root] DEBUG: Pipe server name: \\.\PIPE\GcUnkgXOJR
2019-09-11 12:03:38,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-09-11 12:03:38,015 [root] INFO: Automatically selected analysis package "exe"
2019-09-11 12:03:38,390 [root] DEBUG: Started auxiliary module Browser
2019-09-11 12:03:38,390 [root] DEBUG: Started auxiliary module Curtain
2019-09-11 12:03:38,390 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-09-11 12:03:38,779 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-09-11 12:03:38,779 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-09-11 12:03:38,779 [root] DEBUG: Started auxiliary module DigiSig
2019-09-11 12:03:38,811 [root] DEBUG: Started auxiliary module Disguise
2019-09-11 12:03:38,811 [root] DEBUG: Started auxiliary module Human
2019-09-11 12:03:38,811 [root] DEBUG: Started auxiliary module Screenshots
2019-09-11 12:03:38,811 [root] DEBUG: Started auxiliary module Sysmon
2019-09-11 12:03:38,811 [root] DEBUG: Started auxiliary module Usage
2019-09-11 12:03:38,811 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-09-11 12:03:38,811 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-09-11 12:03:38,842 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\a2Vya.exe" with arguments "" with pid 1308
2019-09-11 12:03:38,842 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-09-11 12:03:38,842 [lib.api.process] INFO: 32-bit DLL to inject is C:\gleuhdpeso\dll\xNfntBLk.dll, loader C:\gleuhdpeso\bin\YjuKMZd.exe
2019-09-11 12:03:38,904 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\GcUnkgXOJR.
2019-09-11 12:03:38,904 [root] DEBUG: Loader: Injecting process 1308 (thread 884) with C:\gleuhdpeso\dll\xNfntBLk.dll.
2019-09-11 12:03:38,904 [root] DEBUG: Process image base: 0x00400000
2019-09-11 12:03:38,904 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\gleuhdpeso\dll\xNfntBLk.dll.
2019-09-11 12:03:38,904 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x004AF000 - 0x77110000
2019-09-11 12:03:38,904 [root] DEBUG: InjectDllViaIAT: Allocated 0x1f0 bytes for new import table at 0x004B0000.
2019-09-11 12:03:38,904 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 12:03:38,904 [root] DEBUG: Successfully injected DLL C:\gleuhdpeso\dll\xNfntBLk.dll.
2019-09-11 12:03:38,904 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1308
2019-09-11 12:03:40,917 [lib.api.process] INFO: Successfully resumed process with pid 1308
2019-09-11 12:03:40,917 [root] INFO: Added new process to list with pid: 1308
2019-09-11 12:03:40,994 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 12:03:40,994 [root] DEBUG: Process dumps enabled.
2019-09-11 12:03:41,042 [root] INFO: Disabling sleep skipping.
2019-09-11 12:03:41,042 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 12:03:41,042 [root] INFO: Disabling sleep skipping.
2019-09-11 12:03:41,042 [root] INFO: Disabling sleep skipping.
2019-09-11 12:03:41,042 [root] INFO: Disabling sleep skipping.
2019-09-11 12:03:41,042 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1308 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 12:03:41,042 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\a2Vya.exe".
2019-09-11 12:03:41,042 [root] INFO: Monitor successfully loaded in process with pid 1308.
2019-09-11 12:03:41,042 [root] DEBUG: set_caller_info: Adding region at 0x7EFDE000 to caller regions list (ntdll::LdrGetDllHandle).
2019-09-11 12:03:41,056 [root] DEBUG: set_caller_info: Adding region at 0x002D0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-09-11 12:03:41,056 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-09-11 12:03:41,088 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-09-11 12:03:41,088 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-09-11 12:03:41,088 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-09-11 12:03:41,088 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-09-11 12:03:41,104 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2019-09-11 12:03:41,119 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2019-09-11 12:03:41,119 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2019-09-11 12:03:41,119 [root] DEBUG: DLL loaded at 0x74530000: C:\Windows\system32\netutils (0x9000 bytes).
2019-09-11 12:03:41,119 [root] DEBUG: DLL loaded at 0x74510000: C:\Windows\system32\srvcli (0x19000 bytes).
2019-09-11 12:03:41,134 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\system32\LOGONCLI (0x22000 bytes).
2019-09-11 12:03:41,151 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::memcpy).
2019-09-11 12:03:41,711 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-09-11 12:03:41,743 [root] INFO: Announced 32-bit process name: a2Vya.exe pid: 1516
2019-09-11 12:03:41,743 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-09-11 12:03:41,743 [lib.api.process] INFO: 32-bit DLL to inject is C:\gleuhdpeso\dll\xNfntBLk.dll, loader C:\gleuhdpeso\bin\YjuKMZd.exe
2019-09-11 12:03:41,743 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\GcUnkgXOJR.
2019-09-11 12:03:41,743 [root] DEBUG: Loader: Injecting process 1516 (thread 1596) with C:\gleuhdpeso\dll\xNfntBLk.dll.
2019-09-11 12:03:41,743 [root] DEBUG: Process image base: 0x00400000
2019-09-11 12:03:41,743 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\gleuhdpeso\dll\xNfntBLk.dll.
2019-09-11 12:03:41,743 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x004AF000 - 0x77110000
2019-09-11 12:03:41,743 [root] DEBUG: InjectDllViaIAT: Allocated 0x1f0 bytes for new import table at 0x004B0000.
2019-09-11 12:03:41,743 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-09-11 12:03:41,743 [root] DEBUG: Successfully injected DLL C:\gleuhdpeso\dll\xNfntBLk.dll.
2019-09-11 12:03:41,743 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1516
2019-09-11 12:03:41,759 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-09-11 12:03:41,759 [root] DEBUG: Process dumps enabled.
2019-09-11 12:03:41,759 [root] INFO: Disabling sleep skipping.
2019-09-11 12:03:41,759 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-09-11 12:03:41,759 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1516 at 0x747e0000, image base 0x400000, stack from 0x186000-0x190000
2019-09-11 12:03:41,759 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\a2Vya.exe \C.
2019-09-11 12:03:41,759 [root] INFO: Added new process to list with pid: 1516
2019-09-11 12:03:41,759 [root] INFO: Monitor successfully loaded in process with pid 1516.
2019-09-11 12:03:41,759 [root] DEBUG: set_caller_info: Adding region at 0x7EFDE000 to caller regions list (ntdll::LdrGetDllHandle).
2019-09-11 12:03:41,775 [root] DEBUG: set_caller_info: Adding region at 0x001D0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x74530000: C:\Windows\system32\netutils (0x9000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x74510000: C:\Windows\system32\srvcli (0x19000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\system32\LOGONCLI (0x22000 bytes).
2019-09-11 12:03:41,775 [root] DEBUG: set_caller_info: Adding region at 0x00090000 to caller regions list (ntdll::memcpy).
2019-09-11 12:03:42,351 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1516
2019-09-11 12:03:42,351 [root] DEBUG: GetHookCallerBase: thread 1596 (handle 0x0), return address 0x0040363E, allocation base 0x00400000.
2019-09-11 12:03:42,351 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-09-11 12:03:42,368 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-09-11 12:03:42,368 [root] DEBUG: DumpProcess: Module entry point VA is 0x00003120.
2019-09-11 12:03:42,382 [root] INFO: Added new CAPE file to list with path: C:\yaRohhx\CAPE\1516_197931417013441511392019
2019-09-11 12:03:42,382 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8e000.
2019-09-11 12:03:42,382 [root] INFO: Notified of termination of process with pid 1516.
2019-09-11 12:03:42,976 [root] INFO: Process with pid 1516 has terminated
2019-09-11 12:03:46,313 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2019-09-11 12:03:48,046 [root] INFO: Process with pid 1308 has terminated
2019-09-11 12:04:02,242 [root] INFO: Process list is empty, terminating analysis.
2019-09-11 12:04:03,256 [root] INFO: Created shutdown mutex.
2019-09-11 12:04:04,269 [root] INFO: Shutting down package.
2019-09-11 12:04:04,269 [root] INFO: Stopping auxiliary modules.
2019-09-11 12:04:04,269 [root] INFO: Finishing auxiliary modules.
2019-09-11 12:04:04,269 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-09-11 12:04:04,269 [root] WARNING: File at path "C:\yaRohhx\debugger" does not exist, skip.
2019-09-11 12:04:04,269 [root] INFO: Analysis completed.

MalScore: 7.5
Malware family: QakBot

Machine

Name: target-01
Label: target-01
Manager: ESX
Started On: 2019-09-11 11:03:37
Shutdown On: 2019-09-11 11:04:24

File Details

File Name e1ba86ca89b38e861b8bacb23ec9ccf5b9bbb47a6e012a5502e1f1e33bd01dde
File Size 704512 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 65b56c397706faeffeb98f5b59e9d6c7
SHA1 92e2cc1372d7b7d480a68c94baa22a33bab221f8
SHA256 e1ba86ca89b38e861b8bacb23ec9ccf5b9bbb47a6e012a5502e1f1e33bd01dde
SHA512 f4be8243b1d1140b60987bde3a4f64c8f9ed706cba1f297e787ba90fb260c6167f16500d0fb10dc18d5bd177797bfcf89ad51394c097290ba57dfdffe6f517cb
CRC32 939DE834
Ssdeep 12288:OLx4QlvnmOXIjsinKr0AVW+8VUAk098R2/SOFB8yjArpFCI1vgJA4xrxYS:OLxDvnmdjs+Kr0AVW+EUz098Y/jm5Vgj
TrID
  • 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1516 triggered the Yara rule 'QakBot'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: a2Vya.exe, PID 1516
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: msvcrt.dll/strncpy
DynamicLoader: msvcrt.dll/_ftol2_sse
DynamicLoader: msvcrt.dll/_ltoa
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/strchr
DynamicLoader: msvcrt.dll/_wtol
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: msvcrt.dll/memset
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: SHLWAPI.dll/wvnsprintfA
DynamicLoader: SHLWAPI.dll/wvnsprintfW
DynamicLoader: SHLWAPI.dll/StrStrW
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/PathUnquoteSpacesW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/lstrcpynW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/GetEnvironmentVariableA
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/FindResourceA
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetWindowsDirectoryW
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetThreadContext
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetFileAttributesA
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: USER32.dll/CharUpperBuffA
DynamicLoader: USER32.dll/CharUpperBuffW
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: ADVAPI32.dll/RegisterServiceCtrlHandlerA
DynamicLoader: ADVAPI32.dll/StartServiceCtrlDispatcherA
DynamicLoader: ADVAPI32.dll/SetServiceStatus
DynamicLoader: ADVAPI32.dll/EqualSid
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: ADVAPI32.dll/RegLoadKeyW
DynamicLoader: ADVAPI32.dll/RegUnLoadKeyW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/SetFileSecurityW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: NETAPI32.dll/NetApiBufferFree
DynamicLoader: NETAPI32.dll/NetUserEnum
DynamicLoader: NETAPI32.dll/NetGetDCName
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/Module32First
DynamicLoader: kernel32.dll/Module32Next
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentDirectoryA
DynamicLoader: kernel32.dll/SetCurrentDirectoryA
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/MoveFileA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetVolumeInformationA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/InterlockedCompareExchange
DynamicLoader: ntdll.dll/ZwQueryInformationThread
DynamicLoader: ntdll.dll/RtlGetVersion
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyA
DynamicLoader: ADVAPI32.dll/RegEnumValueA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegDeleteValueA
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/SetEntriesInAclA
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoA
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/LookupAccountSidA
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: SHELL32.dll/ShellExecuteA
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtDuplicateObject
DynamicLoader: ntdll.dll/NtQueryObject
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/SendMessageA
DynamicLoader: USER32.dll/PostMessageA
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/UnregisterClassA
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/PostQuitMessage
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/FreeConsole
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: msvcrt.dll/strncpy
DynamicLoader: msvcrt.dll/_ftol2_sse
DynamicLoader: msvcrt.dll/_ltoa
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/strchr
DynamicLoader: msvcrt.dll/_wtol
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: msvcrt.dll/memset
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: SHLWAPI.dll/wvnsprintfA
DynamicLoader: SHLWAPI.dll/wvnsprintfW
DynamicLoader: SHLWAPI.dll/StrStrW
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/PathUnquoteSpacesW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoSetProxyBlanket
DynamicLoader: ole32.dll/CoInitializeSecurity
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/SHGetFolderPathW
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/lstrcpynW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/GetEnvironmentVariableA
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/FindResourceA
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/GetWindowsDirectoryW
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetThreadContext
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetFileAttributesA
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: USER32.dll/CharUpperBuffA
DynamicLoader: USER32.dll/CharUpperBuffW
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: ADVAPI32.dll/RegisterServiceCtrlHandlerA
DynamicLoader: ADVAPI32.dll/StartServiceCtrlDispatcherA
DynamicLoader: ADVAPI32.dll/SetServiceStatus
DynamicLoader: ADVAPI32.dll/EqualSid
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: ADVAPI32.dll/RegLoadKeyW
DynamicLoader: ADVAPI32.dll/RegUnLoadKeyW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/SetFileSecurityW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: NETAPI32.dll/NetApiBufferFree
DynamicLoader: NETAPI32.dll/NetUserEnum
DynamicLoader: NETAPI32.dll/NetGetDCName
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Process32First
DynamicLoader: kernel32.dll/Process32Next
DynamicLoader: kernel32.dll/Module32First
DynamicLoader: kernel32.dll/Module32Next
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentDirectoryA
DynamicLoader: kernel32.dll/SetCurrentDirectoryA
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/MoveFileA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetVolumeInformationA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/InterlockedCompareExchange
DynamicLoader: ntdll.dll/ZwQueryInformationThread
DynamicLoader: ntdll.dll/RtlGetVersion
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyA
DynamicLoader: ADVAPI32.dll/RegEnumValueA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegDeleteValueA
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/SetEntriesInAclA
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoA
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/LookupAccountSidA
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: SHELL32.dll/ShellExecuteA
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtDuplicateObject
DynamicLoader: ntdll.dll/NtQueryObject
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/SendMessageA
DynamicLoader: USER32.dll/PostMessageA
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/RegisterClassExA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/ShowWindow
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/DispatchMessageA
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/UnregisterClassA
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/PostQuitMessage
DynamicLoader: OLEAUT32.dll/
A process created a hidden window
Process: a2Vya.exe -> C:\Users\user\AppData\Local\Temp\a2Vya.exe /C
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 7.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x000a0000, virtual_size: 0x000a28fc
CAPE detected the QakBot malware family

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\INTERNAL\__empty
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\hiberfil.sysss
C:\Windows\Globalization\Sorting\sortdefault.nls
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
kernel32.dll.VirtualAlloc
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualProtect
kernel32.dll.FreeConsole
kernel32.dll.FlsFree
kernel32.dll.SetUnhandledExceptionFilter
msvcrt.dll.strncpy
msvcrt.dll._ftol2_sse
msvcrt.dll._ltoa
msvcrt.dll._except_handler3
msvcrt.dll.strchr
msvcrt.dll._wtol
msvcrt.dll.memcpy
msvcrt.dll.memset
userenv.dll.GetUserProfileDirectoryW
shlwapi.dll.wvnsprintfA
shlwapi.dll.wvnsprintfW
shlwapi.dll.StrStrW
shlwapi.dll.StrStrIW
shlwapi.dll.StrStrIA
shlwapi.dll.PathUnquoteSpacesW
ole32.dll.CoInitialize
ole32.dll.CoCreateInstance
ole32.dll.CoUninitialize
ole32.dll.CoSetProxyBlanket
ole32.dll.CoInitializeSecurity
ole32.dll.CoInitializeEx
shell32.dll.CommandLineToArgvW
shell32.dll.ShellExecuteW
shell32.dll.SHGetFolderPathW
setupapi.dll.SetupDiGetDeviceRegistryPropertyA
setupapi.dll.SetupDiGetClassDevsA
setupapi.dll.SetupDiEnumDeviceInfo
setupapi.dll.SetupDiDestroyDeviceInfoList
kernel32.dll.SystemTimeToFileTime
kernel32.dll.GetSystemTime
kernel32.dll.Sleep
kernel32.dll.lstrcpynW
kernel32.dll.CloseHandle
kernel32.dll.SetEvent
kernel32.dll.SleepEx
kernel32.dll.OpenEventA
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetLastError
kernel32.dll.FreeLibrary
kernel32.dll.GetModuleHandleA
kernel32.dll.ExitProcess
kernel32.dll.GetDriveTypeW
kernel32.dll.lstrcmpiW
kernel32.dll.lstrcmpA
kernel32.dll.CopyFileW
kernel32.dll.GetCommandLineW
kernel32.dll.lstrlenW
kernel32.dll.lstrlenA
kernel32.dll.lstrcmpiA
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.HeapCreate
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetExitCodeProcess
kernel32.dll.WaitForSingleObject
kernel32.dll.TerminateProcess
kernel32.dll.ResumeThread
kernel32.dll.WideCharToMultiByte
kernel32.dll.MultiByteToWideChar
kernel32.dll.lstrcatA
kernel32.dll.lstrcatW
kernel32.dll.lstrcpyA
kernel32.dll.GetLocalTime
kernel32.dll.GetEnvironmentVariableA
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.GetFileSize
kernel32.dll.CreateMutexA
kernel32.dll.OpenMutexA
kernel32.dll.ReleaseMutex
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.LocalAlloc
kernel32.dll.LoadResource
kernel32.dll.SizeofResource
kernel32.dll.FindResourceA
kernel32.dll.GetSystemInfo
kernel32.dll.GetVersionExA
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetComputerNameW
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.SetEnvironmentVariableW
kernel32.dll.GetWindowsDirectoryW
kernel32.dll.GetTickCount
kernel32.dll.GetVolumeInformationW
kernel32.dll.GetModuleFileNameA
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.CreateEventA
kernel32.dll.GetThreadContext
kernel32.dll.TerminateThread
kernel32.dll.CreateThread
kernel32.dll.OpenProcess
kernel32.dll.VirtualFree
kernel32.dll.DeleteFileW
kernel32.dll.GetFileAttributesA
kernel32.dll.GetFileAttributesW
kernel32.dll.LocalFree
kernel32.dll.lstrcpyW
kernel32.dll.CreateDirectoryW
user32.dll.CharUpperBuffA
user32.dll.CharUpperBuffW
user32.dll.MessageBoxA
advapi32.dll.RegisterServiceCtrlHandlerA
advapi32.dll.StartServiceCtrlDispatcherA
advapi32.dll.SetServiceStatus
advapi32.dll.EqualSid
advapi32.dll.LookupAccountNameW
advapi32.dll.OpenProcessToken
advapi32.dll.OpenThreadToken
advapi32.dll.GetTokenInformation
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.ConvertSidToStringSidW
advapi32.dll.RegLoadKeyW
advapi32.dll.RegUnLoadKeyW
advapi32.dll.RegSetValueExW
advapi32.dll.RegQueryValueExW
advapi32.dll.SetFileSecurityW
advapi32.dll.RegDeleteValueW
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegCloseKey
advapi32.dll.RegEnumValueW
advapi32.dll.LookupAccountSidW
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.GetSidSubAuthorityCount
advapi32.dll.GetSidSubAuthority
advapi32.dll.CreateProcessAsUserW
netapi32.dll.NetApiBufferFree
netapi32.dll.NetUserEnum
netapi32.dll.NetGetDCName
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.Module32First
kernel32.dll.Module32Next
kernel32.dll.CreateRemoteThread
kernel32.dll.WriteProcessMemory
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
kernel32.dll.VirtualFreeEx
kernel32.dll.SetLastError
kernel32.dll.GetCurrentDirectoryA
kernel32.dll.SetCurrentDirectoryA
kernel32.dll.CreateProcessA
kernel32.dll.SetFilePointer
kernel32.dll.SetEndOfFile
kernel32.dll.FindFirstFileA
kernel32.dll.FindNextFileA
kernel32.dll.FindClose
kernel32.dll.CreateFileA
kernel32.dll.CreateFileW
kernel32.dll.ReadFile
kernel32.dll.WriteFile
kernel32.dll.DeleteFileA
kernel32.dll.GetCurrentThreadId
kernel32.dll.MoveFileA
kernel32.dll.CreateDirectoryA
kernel32.dll.GetVolumeInformationA
kernel32.dll.OpenThread
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.VirtualProtectEx
kernel32.dll.InterlockedCompareExchange
ntdll.dll.ZwQueryInformationThread
ntdll.dll.RtlGetVersion
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegQueryInfoKeyA
advapi32.dll.RegEnumValueA
advapi32.dll.RegEnumKeyExA
advapi32.dll.RegSetValueExA
advapi32.dll.RegQueryValueExA
advapi32.dll.RegDeleteValueA
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.SetEntriesInAclA
advapi32.dll.SetNamedSecurityInfoA
advapi32.dll.FreeSid
advapi32.dll.LookupAccountSidA
shell32.dll.ShellExecuteA
kernel32.dll.CreateProcessW
sechost.dll.LookupAccountSidLocalW
kernel32.dll.IsWow64Process
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ntdll.dll.NtQuerySystemInformation
ntdll.dll.NtDuplicateObject
ntdll.dll.NtQueryObject
user32.dll.FindWindowA
user32.dll.SendMessageA
user32.dll.PostMessageA
user32.dll.GetForegroundWindow
user32.dll.RegisterClassExA
user32.dll.CreateWindowExA
user32.dll.ShowWindow
user32.dll.UpdateWindow
user32.dll.GetMessageA
user32.dll.TranslateMessage
user32.dll.DispatchMessageA
user32.dll.DestroyWindow
user32.dll.UnregisterClassA
user32.dll.DefWindowProcA
user32.dll.PostQuitMessage
oleaut32.dll.#9
C:\Users\user\AppData\Local\Temp\a2Vya.exe /C

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x00401450
Reported Checksum 0x00000000
Actual Checksum 0x000b271f
Minimum OS Version 5.0
Compile Time 2019-09-10 21:57:15
Import Hash cae14a1256284f3b54a6bd8e0c38f315

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00002392 0x00003000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.22
.rdata 0x00004000 0x00000878 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.09
.data 0x00005000 0x000a28fc 0x000a0000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.96
.rsrc 0x000a8000 0x00006f76 0x00007000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.09

Imports

Library MPRAPI.dll:
Library RPCRT4.dll:
0x404028 UuidFromStringA
Library KERNEL32.dll:
0x404010 ResumeThread
0x404018 GetModuleHandleA
Library USERENV.dll:
Library CRYPT32.dll:
Library Secur32.dll:
0x404030 MakeSignature
Library IMM32.dll:
Library ole32.dll:
0x404040 CoTreatAsClass

.text
`.rdata
@.data
.rsrc
,1SUV
D$0AA
in1zbrowsers,
usersG7themanasaOSPusedV
dofpassedodriverZhktestingyear,
quray
a8WmpasTeamgweb
You3FLbresetsrocketmany
4it,into0tests.61love
9oProduction.severalruni
BetaEasterDamostyinKfs
onConisjpreferred
platform.1oannouncements.
iTheelephant
ChromewindowFirefox2
TKdownload3DN
OctobergforfqrQso
fromengine,jfromthemidnightnew1
fromsome2015,macOS,Atomy
vupdateEhelpmemalwareexplaining
theeoplouts2008.288malware),scottatBW
bQlGoogle0match
myapp.exe
MprAdminInterfaceTransportAdd
MPRAPI.dll
UuidFromStringA
RPCRT4.dll
GetModuleHandleA
ResumeThread
ApplicationRecoveryInProgress
KERNEL32.dll
RsopResetPolicySettingStatus
USERENV.dll
CertCreateSelfSignCertificate
CRYPT32.dll
MakeSignature
Secur32.dll
ImmDisableTextFrameService
IMM32.dll
CoTreatAsClass
ole32.dll
ykxf5fT
;\d=gj+:
?We}z
^PPp]
$b} 7
0{o+#JuV
@f9lJ
ftp@'`
s;^.gk2
4h+}KiK
ok.7F
WW~H,
$Z)ab
C.H@@
t`gmH@@
"}dH@@
Q(H@@
n2%H@@
2 H@@
v,H@@
J=H@@
:gH@@
,k,H@@
=)H@@
g0}H@@
$TH@@
_YH@@
cirnH@@
S4H@@
=jH@@
=]H@@
%}H@@
N!H@@
wiH@@
hGH@@
(/H@@
G4H@@
\J/H@@
ocMH@@
DCH@@
>?9@AAAAAAAAAAAA
@ABCD,EFGHGIJKL
123456789:9;<=
!"#$
wwwwwwwwwwwwp
pDDDDDDD@
pDDDDDDD@
pDDDDDDD@
pDDDDDDDDDDDDp
wwwwwwwwwwwwwp
/SDMain
uAppEvnts
&Controls
5Themes
UTypes
SysInit
System
SysUtils
ImageHlp
KWindows
SysConst
CommCtrl
sActiveX
3Messages
CUxTheme
SyncObjs
^Classes
"RTLConsts
QTypInfo
CVariants
$VarUtils
+Graphics
Consts
8Registry
IniFiles
Forms
StdActns
(ShlObj
UrlMon
?WinInet
RegStr
*ShellAPI
YStrUtils
Clipbrd
ImgList
Dialogs
IDlgs
ExtCtrls
GraphUtil
dStdCtrls
EActnList
vMenus
Contnrs
Printers
WWinSpool
3CommDlg
FlatSB
RHelpIntfs
MultiMon
pkWER
MAINICON
$No topic-based help system installed
No help found for context
&Ignore
Not enough timers available
Canvas does not allow drawing
List index out of bounds (%d)+Out of memory while expanding memory stream
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Exception in safecall method
Floating point overflow
VS_VERSION_INFO
StringFileInfo
180904b0
Comments
Helps Spybot-S&D with WSC
CompanyName
Sun Microsystems, Inc.
FileDescription
Spybot-S&D Security Center launcher
FileVersion
1, 0, 0, 6
InternalName
SDMain
LegalCopyright
2006-2008 Sun Microsystems, Inc. All rights reserved.
LegalTrademarks
Spybot and Spybot - Search & Destroy are registered trademarks.
OriginalFilename
SDMain.exe
ProductName
Spybot - Search & Destroy
ProductVersion
1, 6, 0, 0
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


a2Vya.exe, PID: 1308, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\a2Vya.exe
Command Line: "C:\Users\user\AppData\Local\Temp\a2Vya.exe"
a2Vya.exe, PID: 1516, Parent PID: 1308
Full Path: C:\Users\user\AppData\Local\Temp\a2Vya.exe
Command Line: C:\Users\user\AppData\Local\Temp\a2Vya.exe /C

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name a2Vya.exe
PID 1516
Dump Size 581632 bytes
Module Path C:\Users\user\AppData\Local\Temp\a2Vya.exe
Type PE image (executable)
MD5 2e54927dec4a1c32c8337f9cef976329
SHA1 f7ad6f53bc0bcf1cc4d1790ba36807c4c49a4352
SHA256 1dc17fa493af8bb60f8d77223cce8fc5491906f8262e7687ed01c58841052b87
CRC32 B25D5718
Ssdeep 12288:hojNWegEsTrdLgNSRv5hgv4l6jensrsojZWhocUDCvyxy0hdxrN8a/T:+MegdTrdLiSRvX6ksvdPcoQyxyodbT
ClamAV None
Yara None matched
CAPE Yara
  • QakBot Payload
Dump Filename 1dc17fa493af8bb60f8d77223cce8fc5491906f8262e7687ed01c58841052b87

Comments



No comments posted

Processing ( 2.969 seconds )

  • 1.175 Static
  • 0.67 CAPE
  • 0.342 ProcDump
  • 0.326 TargetInfo
  • 0.193 BehaviorAnalysis
  • 0.112 TrID
  • 0.091 Deduplicate
  • 0.046 Strings
  • 0.007 NetworkAnalysis
  • 0.006 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.077 seconds )

  • 0.007 antiav_detectreg
  • 0.006 ransomware_files
  • 0.005 stealth_timeout
  • 0.003 api_spamming
  • 0.003 antiemu_wine_func
  • 0.003 dynamic_function_loading
  • 0.003 persistence_autorun
  • 0.003 decoy_document
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 malicious_dynamic_function_loading
  • 0.002 stealth_file
  • 0.002 antivm_generic_disk
  • 0.002 infostealer_browser_password
  • 0.002 virus
  • 0.002 kovter_behavior
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 bootkit
  • 0.001 rat_nanocore
  • 0.001 exploit_getbasekerneladdress
  • 0.001 injection_createremotethread
  • 0.001 mimics_filetime
  • 0.001 exploit_gethaldispatchtable
  • 0.001 InjectionCreateRemoteThread
  • 0.001 reads_self
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail

Reporting ( 0.02 seconds )

  • 0.02 SubmitCAPE
Task ID 90403
Mongo ID 5d78d4be285182853562ed2f
Cuckoo release 1.3-CAPE