DYNAMIC ANALYSIS REPORT #1525030

MALICIOUS

Classifications: -

Threat Names: C2/Generic-A, Trojan.GenericKD.44048038, Gen:Variant.Razy.590558

Verdict Reason: -

Sample Type Windows Exe (x86-32)

Sample Name file.exe

ID #563495

MD5 ab53cd13ca703591193702730cd94ba2

SHA1 68b4b5aa7974c68dce30ce3e6cdf93951349818b

SHA256 14ba94a3d2b3a62280bdddddb5c9b1bb156c5278a4070137b9fe49fafa8c9d5b

File Size 21.65 KB

Report Created 2021-05-28 10:21 (UTC+2)

Target Environment win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 22


OVERVIEW

VMRay Threat Identifiers (4 rules, 8 matches)

Score Category Operation Count Classification

4/5 Anti Analysis Tries to evade analysis 1 -
• (Process #1) file.exe is possibly trying to evade analysis via web time checks.

4/5 Antivirus Malicious content was detected by heuristic scan 5 -
• Built-in AV detected the sample itself as "Trojan.GenericKD.44048038".
• Built-in AV detected "Trojan.GenericKD.44048038" in the PCAP of the analysis.
• Built-in AV detected "Trojan.GenericKD.44048038" in the request data of URL "www.virustotal.com/vtapi/v2/file/scan".
• Built-in AV detected a memory dump of (process #1) file.exe as "Gen:Variant.Razy.590558".
• Built-in AV detected a memory dump of (process #1) file.exe as "Trojan.GenericKD.44048038".

4/5 Reputation Contacts known malicious URL 1 -
• Reputation analysis labels the URL "a6281279.yolox.net/gate.php" which was contacted by (process #1) file.exe as "C2/Generic-A".

1/5 Discovery Enumerates running processes 1 -
• (Process #1) file.exe enumerates running processes.

- Trusted File has embedded known clean URL 13 -
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\k8jxac1q.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\78caa1vi.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\cm04e9iu.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\tae4d3wz.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\z0o08u2a.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\u61xjywr.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\8e2iig3a.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ilqnx3tn.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ga8jvvlq.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\8p7re3r8.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\to8c1znp.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\a3ecrrfh.htm" is a known clean URL.
• URL "https://translate.google.de/?hl=de" embedded in file "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ajx0k1dk.htm" is a known clean URL.

Remarks

Anti-Sleep Triggered (0x0200000E): The overall sleep time of all monitored processes was truncated from "47 seconds" to "47.0 milliseconds" to reveal dormant functionality.


Mitre ATT&CK Matrix

Initial Access: -
Execution: -
Persistence: -
Privilege Escalation: -
Defense Evasion: -
Credential Access: -
Discovery: #T1057 Process Discovery
Lateral Movement: -
Collection: -
Command and Control: -
Exfiltration: -
Impact: -


Sample Information

ID 1525030

MD5 ab53cd13ca703591193702730cd94ba2

SHA1 68b4b5aa7974c68dce30ce3e6cdf93951349818b

SHA256 14ba94a3d2b3a62280bdddddb5c9b1bb156c5278a4070137b9fe49fafa8c9d5b

SSDeep 384:bx02c+NiNMhaS9MySYitL93lppji83C8ARDr3QfTQkNEExIstAv3ATefCiigrcLR:62XiNCR9MLYWi8JsOOstAv3ATec460tK

ImpHash 1dddd34c0901a22f800f486f6751a070

Filename file.exe

File Size 21.65 KB

Sample Type Windows Exe (x86-32)

Has Macros

Analysis Information

Creation Time 2021-05-28 10:21 (UTC+2)

Analysis Duration 00:04:00

Termination Reason Timeout

Number of Monitored Processes 1

Execution Successful False

Reputation Analysis Enabled

WHOIS Enabled

Built-in AV Enabled

Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of AV Matches 30

YARA Enabled

YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files

Number of YARA Matches 0


NETWORK

General

7758.09 KB total sent
223.05 KB total received
1 ports 80
3 contacted IP addresses
54 URLs extracted
0 files downloaded
0 malicious hosts detected
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
3 URLs contacted, 3 servers
4 sessions, 7758.09 KB sent, 223.05 KB received

DNS

DNS Requests

-

HTTP/S

HTTP Requests

Method URL Dest. IP Dest. Port Status Code Response Size Verdict

GET google.com/ 0 bytes N/A
POST www.virustotal.com/vtapi/v2/file/scan 0 bytes N/A
POST a6281279.yolox.net/gate.php 0 bytes N/A
GET https://about.google/?fg=1&utm_source=google-DE&utm_medium=referral&utm_campaign=hp-header 0 bytes N/A
GET https://store.google.com/DE?utm_source=hp_header&utm_medium=google_ooo&utm_campaign=GS100042&hl=de-DE 0 bytes N/A
GET https://mail.google.com/mail/&ogbl 0 bytes N/A
GET https://www.google.de/imghp?hl=de&ogbl 0 bytes N/A
GET https://www.google.de/intl/de/about/products 0 bytes N/A

GET https://accounts.google.com/ServiceLogin?hl=de&passive=true&continue=https://www.google.com/%3Fgws_rd%3Dssl&ec=GAZAmgQ 0 bytes N/A
GET https://support.google.com/websearch/answer/106230?hl=de 0 bytes N/A
GET https://www.google.com/intl/de_de/ads/?subid=ww-ww-et-g-awa-a-g_hpafoot1_1!o2&utm_source=google.com&utm_medium=referral&utm_campaign=google_hpafooter&fg=1 0 bytes N/A
GET https://www.google.com/services/?subid=ww-ww-et-g-awa-a-g_hpbfoot1_1!o2&utm_source=google.com&utm_medium=referral&utm_campaign=google_hpbfooter&fg=1 0 bytes N/A
GET https://google.com/search/howsearchworks/?fg=1 0 bytes N/A
GET https://sustainability.google/intl/de/commitments-europe/?utm_source=googlehpfooter&utm_medium=housepromos&utm_campaign=bottom-footer&utm_content= 0 bytes N/A
GET https://policies.google.com/privacy?hl=de&fg=1 0 bytes N/A
GET https://policies.google.com/terms?hl=de&fg=1 0 bytes N/A
GET https://www.google.com/preferences?hl=de&fg=1 0 bytes N/A
GET https://support.google.com/websearch/?p=ws_results_help&hl=de&fg=1 0 bytes N/A
GET https://policies.google.com/technologies/cookies?utm_source=ucbs&hl=de 0 bytes N/A
GET https://policies.google.com/privacy?hl=de&fg=1&utm_source=ucbs 0 bytes N/A
GET https://policies.google.com/terms?hl=de&fg=1&utm_source=ucbs 0 bytes N/A
GET https://myaccount.google.com/?utm_source=OGB&utm_medium=app 0 bytes N/A
GET https://www.google.de/webhp 0 bytes N/A
GET https://maps.google.de/maps?hl=de 0 bytes N/A

GET https://www.youtube.com/?gl=DE 0 bytes N/A
GET https://play.google.com/?hl=de 0 bytes N/A
GET https://news.google.com/ 0 bytes N/A
GET https://mail.google.com/mail/ 0 bytes N/A
GET https://meet.google.com/?hs=197 0 bytes N/A
GET https://chat.google.com/ 0 bytes N/A
GET https://contacts.google.com/?hl=de 0 bytes N/A
GET https://drive.google.com/ 0 bytes N/A
GET https://calendar.google.com/calendar 0 bytes N/A
GET https://translate.google.de/?hl=de 0 bytes N/A
GET https://photos.google.com/?pageId=none 0 bytes N/A
GET https://duo.google.com/?usp=duo_ald 0 bytes N/A
GET https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_campaign=desktop-app-launcher&utm_content=chrome-logo&utm_keyword=CHZO 0 bytes N/A
GET https://www.google.de/shopping?hl=de&source=og 0 bytes N/A
GET https://docs.google.com/document/?usp=docs_alc 0 bytes N/A
GET https://docs.google.com/spreadsheets/?usp=sheets_alc 0 bytes N/A
GET https://docs.google.com/presentation/?usp=slides_alc 0 bytes N/A
GET https://books.google.de/?hl=de 0 bytes N/A
GET https://www.blogger.com/ 0 bytes N/A
GET https://hangouts.google.com/ 0 bytes N/A
GET https://keep.google.com/ 0 bytes N/A
GET https://jamboard.google.com/?usp=jam_ald 0 bytes N/A
GET https://earth.google.com/web/ 0 bytes N/A

GET https://www.google.de/save 0 bytes N/A
GET https://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral 0 bytes N/A
GET https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1!o2 0 bytes N/A
GET https://podcasts.google.com/ 0 bytes N/A
GET https://stadia.google.com/ 0 bytes N/A
GET https://www.google.com/travel/?dest_src=al 0 bytes N/A
GET https://docs.google.com/forms/?usp=forms_alc 0 bytes N/A
GET https://www.google.com/url?q=https://www.google.com/chrome/%3Fbrand%3DCHZN%26utm_source%3Dde-material-callout%26utm_medium%3Dmaterial-callout%26utm_campaign%3Dedge-search-switch-fast-chrome&source=hpp&id=19020306&ct=7&usg=AFQjCNHchfSnDi67U0c9WQ2wuGhJ9oj24w 0 bytes N/A
GET https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_84x28dp.png 0 bytes N/A
GET https://www.google.com/images/hpp/Chrome_Owned_96x96.png 0 bytes N/A


BEHAVIOR

Process Graph

Sample Start -> #1 file.exe


Process #1: file.exe

ID 1

Filename c:\users\rdhj0cnfevzx\desktop\file.exe

Command Line "C:\Users\RDhJ0CNFevzX\Desktop\file.exe"

Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\

Monitor Start Time Start Time: 77461, Reason: Analysis Target

Unmonitor End Time End Time: 318407, Reason: Terminated by Timeout

Monitor Duration 240.95s

Return Code Unknown

PID 3896

Parent PID 2104

Bitness 32 Bit

Dropped Files (13)

Filename File Size SHA256 YARA Match

- 155.90 KB 4bab15fab44cd2177975ce078921cba2c2f643aa1cafddde7c15f1f7a3cd9fb3
- 156.09 KB 49e3dde1f0e513cc425e3ebb55c47801d8275c27336686b882297fd322b06936
- 157.71 KB 56a633df2cad6d3f85c4756e25cc1664c27bdd67c0320a64f6ce32099bd61589
- 156.00 KB a411d6536b79bccf52a7692976f3192f4564b176704c83ea9f343e6a48ae76b0
- 155.91 KB b5b55cab3f88c4d60614a46ea4507048300b5da7ebb97d79fd64a8a5c069b867
- 155.97 KB 9d72ec7239c38f6869f8e7c0bbf213b14e471495f1be302389e2333901b73597
- 155.89 KB b32f9cd25c5b15f6272ecfa234629e68018430947beee036d3b97e2f8b5005ae
- 155.94 KB f6e01557696b65a6ad0db672334c8b4c900a87040e41724f3480954a4a2801e5
- 155.91 KB 775234e6d8150c4f86c6fda62410977e9499bb00c892d0260b37dd48d426cd06
- 157.08 KB 7b6eb0f4115031d5cf8782d456efdd1a28c038118739adda6ab35e321b43f95d
- 155.91 KB f5d96f3c5d3a170090f5267d40d8ca7f0414256e18774416dc7c84fb25354bcc
- 157.50 KB ae9b31bfba74a3803517a3eb99a1ca5d2f7bd98778b047c941edb93aa8eb8b0d
- 155.93 KB 9f47e73d3fd2137d0a7758e78f7c0dd86e1e597e5d1d12d58f1f725f6d83ca05

Host Behavior

Type Count

Module 1459
File 39
System 795
Process 2661
User 26


Network Behavior

Type Count

HTTP 28

TCP 4


ARTIFACTS

File

SHA256 Filenames Category Filesize MIME Type Operations Verdict

14ba94a3d2b3a62280bdddddb5c9b1bb156c5278a4070137b9fe49fafa8c9d5b

C:\Users\RDhJ0CNFevzX\Desktop\file.exe

Sample File 21.65 KB application/vnd.microsoft.portable-executable

MALICIOUS

c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat

Modified File 128 bytes application/octet-stream CLEAN

4bab15fab44cd2177975ce078921cba2c2f643aa1cafddde7c15f1f7a3cd9fb3

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\k8jxac1q.htm

Dropped File 155.90 KB text/html CLEAN

49e3dde1f0e513cc425e3ebb55c47801d8275c27336686b882297fd322b06936

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\78caa1vi.htm

Dropped File 156.09 KB text/html CLEAN

56a633df2cad6d3f85c4756e25cc1664c27bdd67c0320a64f6ce32099bd61589

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\cm04e9iu.htm

Dropped File 157.71 KB text/html CLEAN

a411d6536b79bccf52a7692976f3192f4564b176704c83ea9f343e6a48ae76b0

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\tae4d3wz.htm

Dropped File 156.00 KB text/html CLEAN

b5b55cab3f88c4d60614a46ea4507048300b5da7ebb97d79fd64a8a5c069b867

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\z0o08u2a.htm

Dropped File 155.91 KB text/html CLEAN

9d72ec7239c38f6869f8e7c0bbf213b14e471495f1be302389e2333901b73597

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\u61xjywr.htm

Dropped File 155.97 KB text/html CLEAN

b32f9cd25c5b15f6272ecfa234629e68018430947beee036d3b97e2f8b5005ae

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\8e2iig3a.htm

Dropped File 155.89 KB text/html CLEAN

f6e01557696b65a6ad0db672334c8b4c900a87040e41724f3480954a4a2801e5

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ilqnx3tn.htm

Dropped File 155.94 KB text/html CLEAN

775234e6d8150c4f86c6fda62410977e9499bb00c892d0260b37dd48d426cd06

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ga8jvvlq.htm

Dropped File 155.91 KB text/html CLEAN

7b6eb0f4115031d5cf8782d456efdd1a28c038118739adda6ab35e321b43f95d

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\8p7re3r8.htm

Dropped File 157.08 KB text/html CLEAN

f5d96f3c5d3a170090f5267d40d8ca7f0414256e18774416dc7c84fb25354bcc

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\to8c1znp.htm

Dropped File 155.91 KB text/html CLEAN

ae9b31bfba74a3803517a3eb99a1ca5d2f7bd98778b047c941edb93aa8eb8b0d

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\a3ecrrfh.htm

Dropped File 157.50 KB text/html CLEAN

9f47e73d3fd2137d0a7758e78f7c0dd86e1e597e5d1d12d58f1f725f6d83ca05

c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\bls4z131\ajx0k1dk.htm

Dropped File 155.93 KB text/html CLEAN

Filename

Filename Category Operations Verdict

C:\Users\RDhJ0CNFevzX\Desktop\file.exe Accessed File Read, Access CLEAN
C:\Windows\System32\sihost.exe Accessed File Access CLEAN
C:\Windows\System32\taskhostw.exe Accessed File Access CLEAN
C:\Windows\explorer.exe Accessed File Access CLEAN
C:\Windows\System32\RuntimeBroker.exe Accessed File Access CLEAN
C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeHost.exe Accessed File Access CLEAN
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Accessed File Access CLEAN
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Accessed File Access CLEAN
C:\Windows\System32\svchost.exe Accessed File Access CLEAN
C:\Windows\System32\backgroundTaskHost.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\iexplore.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\iexplore.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\keycivil.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\choice.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\major_simply_so.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\determinen't.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\shoulder-prepare-sure.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\ipull.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Mail\not.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\task.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\personal.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\grow createletter.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Mail\sit_scene_another.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\drug.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\difficult_these_medical.exe Accessed File Access CLEAN


C:\Program Files (x86)\Windows Defender\seat.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\servefearrisk.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\laughsingle.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\kind.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Multimedia Platform\evidence-bit.exe Accessed File Access CLEAN
C:\Program Files\Reference Assemblies\indicate_foot.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\childoutwork.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft.NET\near_industry.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\fpos.exe Accessed File Access CLEAN
C:\Program Files\Common Files\isspos.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\edcsvr.exe Accessed File Access CLEAN
C:\Program Files\WindowsPowerShell\mxslipstream.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\omnipos.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\spcwin.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Portable Devices\spgagentservice.exe Accessed File Access CLEAN
C:\Program Files\Windows Sidebar\utg2.exe Accessed File Access CLEAN
C:\Program Files (x86)\MSBuild\creditservice.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\active-charge.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\yahoomessenger.exe Accessed File Access CLEAN
C:\Program Files\Windows Journal\webdrive.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\whatsapp.exe Accessed File Access CLEAN
C:\Program Files\Windows NT\winscp.exe Accessed File Access CLEAN
C:\Program Files\Windows Multimedia Platform\thunderbird.exe Accessed File Access CLEAN
C:\Program Files\Windows Sidebar\trillian.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\skype.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\smartftp.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\pidgin.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\scriptftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Portable Devices\accupos.exe Accessed File Access CLEAN

C:\Program Files\Reference Assemblies\afr38.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Media Player\aldelo.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\ccv_server.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\centralcreditcard.exe Accessed File Access CLEAN
C:\Program Files\Reference Assemblies\outlook.exe Accessed File Access CLEAN
C:\Program Files\Windows Defender\operamail.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\ncftp.exe Accessed File Access CLEAN
C:\Program Files\Windows Journal\notepad.exe Accessed File Access CLEAN
C:\Program Files\Windows Defender\icq.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\leechftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Media Player\foxmailincmail.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\gmailnotifierpro.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft.NET\flashfxp.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\fling.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\far.exe Accessed File Access CLEAN
C:\Program Files\Windows NT\filezilla.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\coreftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\bitkinex.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Mail\barca.exe Accessed File Access CLEAN
C:\Program Files\Common Files\alftp.exe Accessed File Access CLEAN
C:\Program Files\Microsoft Office 15\absolutetelnet.exe Accessed File Access CLEAN
C:\Program Files\Windows Media Player\3dftp.exe Accessed File Access CLEAN
C:\Windows\System32\msfeedssync.exe Accessed File Access CLEAN

URL

URL Category IP Address Country HTTP Methods Verdict

http://a6281279.yolox.net/gate.php POST MALICIOUS
http://google.com 142.250.181.238 GET CLEAN
http://www.virustotal.com/vtapi/v2/file/scan 74.125.34.46 POST CLEAN
https://about.google/?fg=1&utm_source=google-DE&utm_medium=referral&utm_campaign=hp-header GET CLEAN


https://store.google.com/DE?utm_source=hp_header&utm_medium=google_ooo&utm_campaign=GS100042&hl=de-DE GET CLEAN
https://mail.google.com/mail/&ogbl GET CLEAN
https://www.google.de/imghp?hl=de&ogbl GET CLEAN
https://www.google.de/intl/de/about/products GET CLEAN
https://accounts.google.com/ServiceLogin?hl=de&passive=true&continue=https://www.google.com/%3Fgws_rd%3Dssl&ec=GAZAmgQ GET CLEAN
https://support.google.com/websearch/answer/106230?hl=de GET CLEAN
https://www.google.com/intl/de_de/ads/?subid=ww-ww-et-g-awa-a-g_hpafoot1_1!o2&utm_source=google.com&utm_medium=referral&utm_campaign=google_hpafooter&fg=1 GET CLEAN
https://www.google.com/services/?subid=ww-ww-et-g-awa-a-g_hpbfoot1_1!o2&utm_source=google.com&utm_medium=referral&utm_campaign=google_hpbfooter&fg=1 GET CLEAN
https://google.com/search/howsearchworks/?fg=1 GET CLEAN
https://sustainability.google/intl/de/commitments-europe/?utm_source=googlehpfooter&utm_medium=housepromos&utm_campaign=bottom-footer&utm_content= GET CLEAN
https://policies.google.com/privacy?hl=de&fg=1 GET CLEAN
https://policies.google.com/terms?hl=de&fg=1 GET CLEAN
https://www.google.com/preferences?hl=de&fg=1 GET CLEAN
https://support.google.com/websearch/?p=ws_results_help&hl=de&fg=1 GET CLEAN
https://policies.google.com/technologies/cookies?utm_source=ucbs&hl=de GET CLEAN
https://policies.google.com/privacy?hl=de&fg=1&utm_source=ucbs GET CLEAN
https://policies.google.com/terms?hl=de&fg=1&utm_source=ucbs GET CLEAN
https://myaccount.google.com/?utm_source=OGB&utm_medium=app GET CLEAN
https://www.google.de/webhp GET CLEAN
https://maps.google.de/maps?hl=de GET CLEAN


https://www.youtube.com/?gl=DE GET CLEAN
https://play.google.com/?hl=de GET CLEAN
https://news.google.com GET CLEAN
https://mail.google.com/mail/ GET CLEAN
https://meet.google.com/?hs=197 GET CLEAN
https://chat.google.com GET CLEAN
https://contacts.google.com/?hl=de GET CLEAN
https://drive.google.com GET CLEAN
https://calendar.google.com/calendar GET CLEAN
https://translate.google.de/?hl=de GET CLEAN
https://photos.google.com/?pageId=none GET CLEAN
https://duo.google.com/?usp=duo_ald GET CLEAN
https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_campaign=desktop-app-launcher&utm_content=chrome-logo&utm_keyword=CHZO GET CLEAN
https://www.google.de/shopping?hl=de&source=og GET CLEAN
https://docs.google.com/document/?usp=docs_alc GET CLEAN
https://docs.google.com/spreadsheets/?usp=sheets_alc GET CLEAN
https://docs.google.com/presentation/?usp=slides_alc GET CLEAN
https://books.google.de/?hl=de GET CLEAN
https://www.blogger.com GET CLEAN
https://hangouts.google.com GET CLEAN
https://keep.google.com GET CLEAN
https://jamboard.google.com/?usp=jam_ald GET CLEAN
https://earth.google.com/web/ GET CLEAN
https://www.google.de/save GET CLEAN
https://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral GET CLEAN
https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1!o2 GET CLEAN

https://podcasts.google.com GET CLEAN
https://stadia.google.com GET CLEAN
https://www.google.com/travel/?dest_src=al GET CLEAN
https://docs.google.com/forms/?usp=forms_alc GET CLEAN
https://www.google.com/chrome/?brand=CHZN&utm_source=de-material-callout&utm_medium=material-callout&utm_campaign=edge-search-switch-fast-chrome GET CLEAN
https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_84x28dp.png GET CLEAN
https://www.google.com/images/hpp/Chrome_Owned_96x96.png GET CLEAN

Domain

Domain IP Address Country Protocols Verdict

google.com 142.250.181.238 HTTP, HTTPS CLEAN

www.google.com HTTPS CLEAN

www.virustotal.com 74.125.34.46 HTTP CLEAN

a6281279.yolox.net HTTP CLEAN

about.google HTTPS CLEAN

store.google.com HTTPS CLEAN

mail.google.com HTTPS CLEAN

www.google.de HTTPS CLEAN

accounts.google.com HTTPS CLEAN

support.google.com HTTPS CLEAN

sustainability.google HTTPS CLEAN

policies.google.com HTTPS CLEAN

myaccount.google.com HTTPS CLEAN

maps.google.de HTTPS CLEAN

www.youtube.com HTTPS CLEAN

play.google.com HTTPS CLEAN

news.google.com HTTPS CLEAN

meet.google.com HTTPS CLEAN

chat.google.com HTTPS CLEAN

contacts.google.com HTTPS CLEAN

drive.google.com HTTPS CLEAN

calendar.google.com HTTPS CLEAN

translate.google.de HTTPS CLEAN

photos.google.com HTTPS CLEAN

duo.google.com HTTPS CLEAN

docs.google.com HTTPS CLEAN

books.google.de HTTPS CLEAN

www.blogger.com HTTPS CLEAN

hangouts.google.com HTTPS CLEAN

keep.google.com HTTPS CLEAN

jamboard.google.com HTTPS CLEAN

earth.google.com HTTPS CLEAN

artsandculture.google.com HTTPS CLEAN

ads.google.com HTTPS CLEAN

podcasts.google.com HTTPS CLEAN

stadia.google.com HTTPS CLEAN

www.gstatic.com HTTPS CLEAN

IP

IP Address Domains Country Protocols Verdict

172.217.18.100 www.google.com United States HTTP, HTTPS, TCP, DNS CLEAN
74.125.34.46 www.virustotal.com, ghs-svc-https-c46.ghs-ssl.googlehosted.com United States HTTP, TCP, DNS CLEAN
142.250.181.238 google.com United States HTTP, TCP, DNS CLEAN

Email

-

Email Address

-

Mutex

-

Registry

-

Process

Process Name Commandline Verdict

file.exe "C:\Users\RDhJ0CNFevzX\Desktop\file.exe" SUSPICIOUS


YARA / AV

Antivirus (30)

File Type Threat Name Filename Verdict

SAMPLE Trojan.GenericKD.44048038 C:\Users\RDhJ0CNFevzX\Desktop\file.exe MALICIOUS

WEB_REQUEST Trojan.GenericKD.44048038 - MALICIOUS

WEB_REQUEST Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.590558 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Trojan.GenericKD.44048038 - MALICIOUS

MEMORY_DUMP Gen:Variant.Razy.590558 - MALICIOUS


ENVIRONMENT

Virtual Machine Information

Name win10_64_th2_en_mso2016

Description win10_64_th2_en_mso2016

Architecture x86 64-bit

Operating System Windows 10 Threshold 2

Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)

Network Scheme Name Local Gateway

Network Config Name Local Gateway

Analyzer Information

Analyzer Version 4.1.1

Dynamic Engine Version 4.1.1 / 02/08/2021 15:19

Static Engine Version 1.6.0

Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)

Built-in AV Database Update Release Date 2021-05-28 05:53:31+00:00

VTI Ruleset Version 3.8

YARA Built-in Ruleset Version 1.5

Analysis Report Layout Version 10

Software Information

Adobe Acrobat Reader Version Not installed

Microsoft Office 2016

Microsoft Office Version 16.0.4266.1003

Internet Explorer Version 11.0.10586.0

Chrome Version Not installed

Firefox Version Not installed

Flash Version Not installed

Java Version Not installed
