Xcitium Cloud Verdict

File Name: virussign.com_5c9bbe8e5b749efba278eabd96c9cbe1.exe

File Type: PE32+ executable (GUI) x86-64, for MS Windows

SHA1: 3b48a7ed61ab4ca62ecd8591bfdec38c3cf0493d

MD5: 5c9bbe8e5b749efba278eabd96c9cbe1

Download Kill Chain Report

Networking

Starts servers listening on 127.0.0.1:42424, :0, 0.0.0.0:2002

Lowering of HIPS/ PFW/ Operating System Security Settings

Attempts to block SafeBoot use by removing registry keys Show sources

registry_delete

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option

Cryptography

At least one IP Address, Domain, or File Name was found in a crypto call Show sources

ioc	locks.mem
ioc	ounter.mem
ioc	oot.mem

Stealing of Sensitive Information

Sniffs keystrokes Show sources

api_process_name

Process: explorer.exe(1268)

Steals private information from local Internet browsers Show sources

file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\prefs.js
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Likely virus infection of existing system binary Show sources

file	c:\program files (x86)\common files\microsoft shared\office12\offdiag.exe
file	c:\program files (x86)\universal extractor\bin\7z.exe
file	c:\program files (x86)\google\update\1.3.29.5\googleupdatewebplugin.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\rmid.exe
file	c:\program files\oracle\virtualbox guest additions\vboxtray.exe
file	c:\program files (x86)\mozilla firefox\firefox.exe
file	c:\program files\sandboxie\start.exe
file	c:\program files (x86)\adobe\reader 9.0\reader\reader_sl.exe
file	c:\program files (x86)\google\update\1.3.29.5\googleupdatecomregistershell64.exe
file	c:\program files\7-zip\7zfm.exe
file	c:\program files (x86)\common files\microsoft shared\smart tag\smarttaginstall.exe
file	c:\windows\sysnative\alg.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\ssvagent.exe
file	c:\program files (x86)\google\update\1.3.29.5\googleupdatebroker.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\pack200.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\orbd.exe
file	c:\bevevnhfi\bin\loader.exe
file	c:\program files (x86)\google\chrome\application\48.0.2564.103\installer\chrmstp.exe
file	c:\program files (x86)\mozilla firefox\plugin-hang-ui.exe
file	c:\windows\sysnative\wbem\wmiapsrv.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\tnameserv.exe
file	c:\program files (x86)\mozilla firefox\crashreporter.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\keytool.exe
file	c:\program files (x86)\common files\java\java update\jusched.exe
file	c:\program files (x86)\common files\microsoft shared\source engine\ose.exe
file	c:\program files\7-zip\7z.exe
file	c:\program files\7-zip\uninstall.exe
file	c:\program files (x86)\adobe\reader 9.0\reader\adobecollabsync.exe
file	c:\program files (x86)\common files\microsoft shared\office12\office setup controller\odeploy.exe
file	c:\program files (x86)\google\update\1.3.29.5\googleupdate.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\ktab.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\kinit.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\java-rmi.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\javaws.exe
file	c:\program files (x86)\common files\microsoft shared\dw\dw20.exe
file	c:\program files (x86)\common files\adobe\updater6\adobeupdaterinstallmgr.exe
file	c:\program files (x86)\adobe\reader 9.0\reader\acrord32info.exe
file	c:\windows\sysnative\msdtc.exe
file	c:\program files (x86)\universal extractor\bin\aspackdie.exe
file	c:\program files (x86)\adobe\reader 9.0\reader\acrotextextractor.exe
file	c:\program files\sandboxie\sbieini.exe
file	c:\windows\ehome\ehrecvr.exe
file	c:\program files (x86)\common files\microsoft shared\phone tools\12.0\debugger\target\x86\dxcap.exe
file	c:\program files (x86)\common files\microsoft shared\office12\odserv.exe
file	c:\nidguu\bin\nurnemuk.exe
file	c:\program files (x86)\common files\microsoft shared\equation\eqnedt32.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\jjs.exe
file	c:\program files (x86)\notepad++\updater\gpup.exe
file	c:\program files (x86)\adobe\reader 9.0\reader\a3dutility.exe
file	c:\program files\sandboxie\sbiectrl.exe
file	c:\bevevnhfi\bin\yffkvqc.exe
file	c:\nidguu\bin\loader_x64.exe
file	c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
file	c:\windows\sysnative\locator.exe
file	c:\program files (x86)\universal extractor\bin\bin2iso.exe
file	c:\program files\mpc-hc\crashreporter\sendrpt.exe
file	c:\program files\sandboxie\32\sbiesvc.exe
file	c:\program files (x86)\common files\microsoft shared\office12\office setup controller\setup.exe
file	c:\program files (x86)\common files\microsoft shared\office12\msoxmled.exe
file	c:\program files (x86)\google\update\1.3.29.5\googleupdateondemand.exe
file	c:\program files (x86)\universal extractor\bin\arc.exe
file	c:\program files (x86)\common files\microsoft shared\office12\acecnflt.exe
file	c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\48.0.2564.103\48.0.2564.103_chrome_installer.exe
file	c:\windows\sysnative\dllhost.exe
file	c:\program files\mpc-hc\mpc-hc64.exe
file	c:\program files\oracle\virtualbox guest additions\vboxdrvinst.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\javacpl.exe
file	c:\mctrlc\bin\loader_x64.exe
file	c:\program files (x86)\google\update\1.3.29.5\googleupdatesetup.exe
file	c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
file	c:\program files\sandboxie\sandboxierpcss.exe
file	c:\windows\syswow64\perfhost.exe
file	c:\mctrlc\bin\fonqwrug.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\servertool.exe
file	c:\program files (x86)\common files\microsoft shared\phone tools\12.0\debugger\target\x86\vsgraphicsremoteengine.exe
file	c:\program files (x86)\notepad++\nppiexplorershell.exe
file	c:\windows\sysnative\msiexec.exe
file	c:\program files (x86)\mozilla firefox\updater.exe
file	c:\program files\oracle\virtualbox guest additions\vboxcontrol.exe
file	c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
file	c:\program files\sandboxie\sandboxiewuau.exe
file	c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\klist.exe
file	c:\mctrlc\bin\qycwonn.exe
file	c:\program files (x86)\adobe\reader 9.0\reader\acrobroker.exe
file	c:\program files (x86)\google\chrome\application\48.0.2564.103\installer\setup.exe
file	c:\nidguu\bin\rhfutcc.exe
file	c:\program files (x86)\safer networking\filealyzer 2\unins000.exe
file	c:\program files (x86)\common files\microsoft shared\office12\mse7.exe
file	c:\program files (x86)\adobe\reader 9.0\reader\acrord32.exe
file	c:\bevevnhfi\bin\loader_x64.exe
file	c:\program files (x86)\common files\microsoft shared\dw\dwtrig20.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\jp2launcher.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\jabswitch.exe
file	c:\program files (x86)\common files\microsoft shared\msinfo\oinfop12.exe
file	c:\program files (x86)\mozilla firefox\plugin-container.exe
file	c:\program files (x86)\notepad++\notepad++.exe
file	c:\bevevnhfi\bin\fqwmjdsb.exe
file	c:\program files (x86)\common files\adobe\updater6\adobe_updater.exe
file	c:\program files (x86)\common files\java\java update\jaureg.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\rmiregistry.exe
file	c:\windows\sysnative\vds.exe
file	c:\program files (x86)\google\chrome\application\48.0.2564.103\nacl64.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe
file	c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
file	c:\program files\7-zip\7zg.exe
file	c:\program files (x86)\mozilla firefox\maintenanceservice.exe
file	c:\program files\sandboxie\sandboxiecrypto.exe
file	c:\program files (x86)\mozilla firefox\webapprt-stub.exe
file	c:\program files (x86)\google\chrome\application\48.0.2564.103\delegate_execute.exe
file	c:\program files (x86)\mozilla firefox\wow_helper.exe
file	c:\program files\sandboxie\sandboxiebits.exe
file	c:\windows\ehome\ehsched.exe
file	c:\program files (x86)\winpcap\rpcapd.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\unpack200.exe
file	c:\program files\sandboxie\license.exe
file	c:\windows\sysnative\fxssvc.exe
file	c:\windows\sysnative\snmptrap.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\policytool.exe
file	c:\mctrlc\bin\loader.exe
file	c:\program files (x86)\google\update\googleupdate.exe
file	c:\program files\sandboxie\sandboxiedcomlaunch.exe
file	c:\nidguu\bin\loader.exe
file	c:\program files (x86)\adobe\reader 9.0\reader\eula.exe
file	c:\program files (x86)\java\jre1.8.0_91\bin\java.exe
file	c:\program files (x86)\common files\java\java update\jucheck.exe

Data Obfuscation

Drops a binary and executes it Show sources

file_dropped	C:\Windows\SysWOW64\perfhost.exe
file_dropped	C:\Windows\sysnative\msiexec.exe
file_dropped	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
file_dropped	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
file_dropped	C:\Windows\ehome\ehrecvr.exe
file_dropped	C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
file_dropped	C:\Windows\sysnative\alg.exe
file_dropped	C:\Windows\ehome\ehsched.exe
file_dropped	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
file_dropped	C:\Program Files (x86)\WinPcap\rpcapd.exe
file_dropped	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
file_dropped	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
file_dropped	C:\Windows\sysnative\Locator.exe
file_dropped	C:\Windows\sysnative\FXSSVC.exe
file_dropped	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
file_dropped	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
file_dropped	C:\Windows\sysnative\msdtc.exe
file_dropped	C:\Windows\sysnative\dllhost.exe
file_dropped	C:\Windows\sysnative\snmptrap.exe

Operating System Destruction

At least one process apparently crashed during execution Show sources

api_dll_loaded

faultrep.dll

Malware Analysis System Evasion

Possible date expiration check, exits too soon after checking local time Show sources

api_process_name

mscorsvw.exe, PID 2744

Attempts to identify installed analysis tools by a known file location Show sources

file_query

C:\Program Files (x86)\Fiddler2\*

A process attempted to delay the analysis task by a long amount of time. Show sources

api_process_name	ehrecvr.exe tried to sleep 422 seconds, actually delayed analysis time by 0 seconds
api_process_name	perfhost.exe tried to sleep 260 seconds, actually delayed analysis time by 0 seconds
api_process_name	ehsched.exe tried to sleep 420 seconds, actually delayed analysis time by 0 seconds
api_process_name	rpcapd.exe tried to sleep 25200 seconds, actually delayed analysis time by 0 seconds
api_process_name	svchost.exe tried to sleep 1922 seconds, actually delayed analysis time by 0 seconds

Detects VirtualBox through the presence of a file Show sources

file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxControl.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxControl.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxTray.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxTray.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWHQLFake.exe
file_query	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWHQLFake.exe

Creates a hidden or system file Show sources

file_write	C:\Users\Public\Recorded TV\TempRec\TempSBE\
file_write	C:\Users\Public\Recorded TV\TempRec\

HIPS/ PFW/ Operating System Protection Evasion

Attempts to identify installed AV products by installation directory Show sources

file_query	C:\Program Files\Sandboxie\*
file_query	C:\Program Files\Sandboxie\32\*
file_query	C:\Program Files\Sandboxie\32\SbieSvc.exe
file_query	C:\Program Files\Sandboxie\License.exe
file_query	C:\Program Files\Sandboxie\SandboxieBITS.exe
file_query	C:\Program Files\Sandboxie\SandboxieCrypto.exe
file_query	C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
file_query	C:\Program Files\Sandboxie\SandboxieRpcSs.exe
file_query	C:\Program Files\Sandboxie\SandboxieWUAU.exe
file_query	C:\Program Files\Sandboxie\SbieCtrl.exe
file_query	C:\Program Files\Sandboxie\SbieIni.exe
file_query	C:\Program Files\Sandboxie\SbieSvc.exe
file_query	C:\Program Files\Sandboxie\Start.exe

Loading...