MALICIOUS
Classifications: Injector
Threat Names: Mal/Generic-S, Trojan.Dropper.Delf.BEE
Verdict Reason: -
Sample Type Windows Exe (x86-32)
File Name e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe
ID #975816
MD5 7382ef4868f862c8f935f17b37c92664
SHA1 cf00273d43b2e18bc87e79c4e746cecf2bd12664
SHA256 e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65
File Size 132.00 KB
Report Created 2021-09-30 17:58 (UTC+2)
Target Environment win7_64_sp1_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 18
OVERVIEW
VMRay Threat Identifiers (15 rules, 21 matches)
Score Category Operation Count Classification
4/5 Injection Writes into the memory of another process 1 Injector
• (Process #3) system64.exe modifies memory of (process #4) userinit.exe.
4/5 Injection Modifies control flow of another process 1 -
• (Process #3) system64.exe alters context of (process #4) userinit.exe.
4/5 Reputation Known malicious file 1 -
• Reputation analysis labels the sample itself as "Mal/Generic-S".
4/5 Antivirus Malicious content was detected by heuristic scan 4 -
• Built-in AV detected an embedded file as "Trojan.Dropper.Delf.BEE".
• Built-in AV detected the embedded file svchost.exe as "Trojan.Dropper.Delf.BEE".
• Built-in AV detected the sample itself as "Trojan.Dropper.Delf.BEE".
• Built-in AV detected a memory dump of (process #1) e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe as "Trojan.Dropper.Delf.BEE".
2/5 Hide Tracks Deletes file after execution 1 -
• (Process #1) e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe deletes executed executable "c:\users\keecfmwgj\appdata\local\temp\ixp000.tmp\svchost.exe".
1/5 Persistence Installs system startup script or application 1 -
• (Process #1) e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe adds "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\"" to Windows startup via registry.
1/5 Hide Tracks Creates process with hidden window 3 -
• (Process #1) e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe starts (process #2) svchost.exe with a hidden window.
• (Process #2) svchost.exe starts (process #3) system64.exe with a hidden window.
• (Process #3) system64.exe starts (process #4) userinit.exe with a hidden window.
1/5 System Modification Modifies operating system directory 1 -
• (Process #2) svchost.exe creates file "C:\Windows\system32\System64.exe" in the OS directory.
1/5 Discovery Enumerates running processes 1 -
• (Process #3) system64.exe enumerates running processes.
1/5 Obfuscation Reads from memory of another process 1 -
• (Process #3) system64.exe reads from (process #4) userinit.exe.
1/5 Obfuscation Creates a page with write and execute permissions 1 -
• (Process #3) system64.exe changes the protection of a page in a foreign process from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READ").
1/5 Execution Drops PE file 1 -
• Drops file svchost.exe.
1/5 Execution Executes dropped PE file 1 -
• Executes dropped file "svchost.exe".
1/5 Obfuscation Resolves API functions dynamically 2 -
• (Process #2) svchost.exe resolves 200 API functions by name.
• (Process #3) system64.exe resolves 216 API functions by name.
1/5 Crash A monitored process crashed 1 -
• (Process #4) userinit.exe crashed.
Mitre ATT&CK Matrix
Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
Techniques matched:
#T1060 Registry Run Keys / Startup Folder
#T1112 Modify Registry
#T1057 Process Discovery
#T1143 Hidden Window
#T1045 Software Packing
Sample Information
Analysis Information
ID #975816
MD5 7382ef4868f862c8f935f17b37c92664
SHA1 cf00273d43b2e18bc87e79c4e746cecf2bd12664
SHA256 e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65
SSDeep 3072:xnj9jtfU+INndIc0JHX5oVzhTPvzVxVh/D373:xjbeinKhPvzz/
ImpHash 0ebb3c09b06b1666d307952e824c8697
File Name e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe
File Size 132.00 KB
Sample Type Windows Exe (x86-32)
Has Macros
Creation Time 2021-09-30 17:58 (UTC+2)
Analysis Duration 00:00:51
Termination Reason All processes terminated
Number of Monitored Processes 4
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 12
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
NETWORK
General
0 bytes total sent
0 bytes total received
0 ports
0 contacted IP addresses
0 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
0 DNS requests for 0 domains
0 nameservers contacted
0 total requests returned errors
HTTP/S
0 URLs contacted, 0 servers
0 sessions, 0 bytes sent, 0 bytes received
BEHAVIOR
Process Graph
#1 e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe (Sample Start)
    Child Process: #2 svchost.exe
        Child Process: #3 system64.exe
            Child Process: #4 userinit.exe (#3 also performs Modify Memory and Modify Control Flow on #4)
Process #1: e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe
ID 1
File Name c:\users\keecfmwgj\desktop\e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe
Command Line "C:\Users\kEecfMwgj\Desktop\e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe"
Initial Working Directory C:\Users\kEecfMwgj\Desktop\
Monitor Start Time Start Time: 64214, Reason: Analysis Target
Unmonitor End Time End Time: 100130, Reason: Terminated
Monitor duration 35.92s
Return Code 0
PID 3732
Parent PID 1096
Bitness 32 Bit
Dropped Files (1)
File Name | File Size | SHA256 | YARA Match
C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\svchost.exe | 51.23 KB | dce389453c6a5f21021a723b34c4c917b53b4d64e5cb081ef3728c48ffd899a7 |
Host Behavior
Type Count
System 10
Module 6
- 1
File 18
Registry 9
Process 1
Process #2: svchost.exe
ID 2
File Name c:\users\keecfmwgj\appdata\local\temp\ixp000.tmp\svchost.exe
Command Line C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\svchost.exe
Initial Working Directory C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\
Monitor Start Time Start Time: 86701, Reason: Child Process
Unmonitor End Time End Time: 100130, Reason: Terminated
Monitor duration 13.43s
Return Code 0
PID 3752
Parent PID 3732
Bitness 32 Bit
Dropped Files (1)
File Name | File Size | SHA256 | YARA Match
C:\Windows\system32\System64.exe | 51.23 KB | dce389453c6a5f21021a723b34c4c917b53b4d64e5cb081ef3728c48ffd899a7 |
Host Behavior
Type Count
Module 245
Keyboard 1
System 9
File 2
Registry 4
Process 1
Process #3: system64.exe
ID 3
File Name c:\windows\syswow64\system64.exe
Command Line "C:\Windows\system32\System64.exe"
Initial Working Directory C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\
Monitor Start Time Start Time: 98712, Reason: Child Process
Unmonitor End Time End Time: 103097, Reason: Terminated
Monitor duration 4.38s
Return Code 0
PID 3768
Parent PID 3752
Bitness 32 Bit
Host Behavior
Type Count
Module 264
Keyboard 1
System 7
File 4
Process 101
- 3
- 12
Process #4: userinit.exe
ID 4
File Name c:\windows\syswow64\userinit.exe
Command Line "C:\Windows\system32\userinit.exe"
Initial Working Directory C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\
Monitor Start Time Start Time: 99250, Reason: Child Process
Unmonitor End Time End Time: 106079, Reason: Crashed
Monitor duration 6.83s
Return Code 3221225477
PID 3780
Parent PID 3768
Bitness 32 Bit
Injection Information (7)
Injection Type | Source Process | Source / Target TID | Address / Name | Size | Success | Count
Modify Memory | #3: c:\windows\syswow64\system64.exe | 0xebc | 0x400000 (4194304) | 0x400 | | 1
Modify Memory | #3: c:\windows\syswow64\system64.exe | 0xebc | 0x401000 (4198400) | 0xb200 | | 1
Modify Memory | #3: c:\windows\syswow64\system64.exe | 0xebc | 0x41d000 (4313088) | 0x400 | | 1
Modify Memory | #3: c:\windows\syswow64\system64.exe | 0xebc | 0x41e000 (4317184) | 0x1200 | | 1
Modify Memory | #3: c:\windows\syswow64\system64.exe | 0xebc | 0x420000 (4325376) | 0xe7 | | 1
Modify Memory | #3: c:\windows\syswow64\system64.exe | 0xebc | 0x7efde008 (2130567176) | 0x4 | | 1
Modify Control Flow | #3: c:\windows\syswow64\system64.exe | 0xebc / 0xec8 | 0xc8 (200) | - | | 1
ARTIFACTS
File
SHA256 | File Names | Category | File Size | MIME Type | Operations | Verdict
e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65 | C:\Users\kEecfMwgj\Desktop\e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe | Sample File | 132.00 KB | application/vnd.microsoft.portable-executable | Access | MALICIOUS
7d269a37fb832fc91ac37d14830c47a38824f3c87897276bb03938caa96ac049 | - | Embedded File | 46.84 KB | application/vnd.ms-cab-compressed | - | MALICIOUS
dce389453c6a5f21021a723b34c4c917b53b4d64e5cb081ef3728c48ffd899a7 | C:\Windows\system32\System64.exe, svchost.exe, C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\svchost.exe, C:\Windows\SysWOW64\System64.exe | Embedded File | 51.23 KB | application/vnd.microsoft.portable-executable | Access, Write, Create, Read, Delete | MALICIOUS
Filename
File Name | Category | Operations | Verdict
C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP | Accessed File | Delete, Create, Access | CLEAN
C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\TMP4351$.TMP | Accessed File | Create, Access, Write | CLEAN
C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\ | Accessed File | Delete, Access | CLEAN
C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\svchost.exe | Embedded File | Delete, Create, Access, Write | CLEAN
C:\Users\kEecfMwgj\Desktop\e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe | Sample File | Access | CLEAN
C:\Windows\system32\System64.exe | Embedded File | Create, Access, Write | CLEAN
C:\Windows\SysWOW64\System64.exe | Embedded File | Read, Access | CLEAN
Registry
Registry Key | Operations | Parent Process Name | Verdict
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager | access | e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe | CLEAN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations | read, access | e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | create, access | e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe | CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 | delete, read, access, write | e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion | create, access | svchost.exe | CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinXpMemory | access, write | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7880F99D-BC3G-14DF-89AS-1190DR808E85} | create, access | svchost.exe | CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7880F99D-BC3G-14DF-89AS-1190DR808E85}\StubPath | access, write | svchost.exe | CLEAN
Process
Process Name | Commandline | Verdict
e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe | "C:\Users\kEecfMwgj\Desktop\e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe" | MALICIOUS
svchost.exe | C:\Users\KEECFM~1\AppData\Local\Temp\IXP000.TMP\svchost.exe | MALICIOUS
system64.exe | "C:\Windows\system32\System64.exe" | MALICIOUS
userinit.exe | "C:\Windows\system32\userinit.exe" | CLEAN
YARA / AV
Antivirus (12)
File Type | Threat Name | File Name | Verdict
Dropped File | Trojan.Dropper.Delf.BEE | svchost.exe | MALICIOUS
Sample File | Trojan.Dropper.Delf.BEE | C:\Users\kEecfMwgj\Desktop\e7845b7b0a2068f5254bf8b9d931b5366a2dcaa088da524f846671501e3c5a65.exe | MALICIOUS
Embedded File | Trojan.Dropper.Delf.BEE | - | MALICIOUS
Memory Dump | Trojan.Dropper.Delf.BEE | - | MALICIOUS
Memory Dump | Trojan.Dropper.Delf.BEE | - | MALICIOUS
Memory Dump | Trojan.Dropper.Delf.BEE | - | MALICIOUS
Memory Dump | Trojan.Dropper.Delf.BEE | - | MALICIOUS
Memory Dump | Trojan.Dropper.Delf.BEE | - | MALICIOUS
Memory Dump | Trojan.Dropper.Delf.BEE | - | MALICIOUS
Memory Dump | Trojan.Dropper.Delf.BEE | - | MALICIOUS
Memory Dump | Trojan.Dropper.Delf.BEE | - | MALICIOUS
Memory Dump | Trojan.Dropper.Delf.BEE | - | MALICIOUS
ENVIRONMENT
Virtual Machine Information
Platform Information
Anti Virus Information
Software Information
System Information
Name win7_64_sp1_en_mso2016
Description win7_64_sp1_en_mso2016
Architecture x86 64-bit
Operating System Windows 7
Kernel Version 6.1.7601.18741 (2e37f962-d699-492c-aaf3-f9f4e9770b1d)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Platform Version 4.3.0
Dynamic Engine Version 4.3.0 / 09/20/2021 03:59
Static Engine Version 4.3.0.0 / 2021-09-20 03:00:12
AV Exceptions Version 4.3.0.0 / 2021-09-20 03:00:12
Link Detonation Heuristics Version 4.3.0.4 / 2021-09-16 11:30:34
Signature Trust Store Version 4.3.0.0 / 2021-09-20 03:00:12
VMRay Threat Identifiers Version 4.3.1.7 / 2021-09-22 10:00:51
YARA Built-in Ruleset Version 4.3.0.5
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (March 15, 2021)
Built-in AV Database Update Release Date 2021-09-30 11:25:01+00:00
Built-in AV Database Records 10536392
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Hangul Office Not installed
Hangul Office Version Not installed
Internet Explorer Version 8.0.7601.17514
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed
Sample Directory C:\Users\kEecfMwgj\Desktop
Computer Name Q9IATRKPRH
User Domain Q9IATRKPRH
User Name kEecfMwgj
User Profile C:\Users\kEecfMwgj
Temp Directory C:\Users\KEECFM~1\AppData\Local\Temp
System Root C:\Windows