Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
Attempts to remove evidence of file being downloaded from the Internet Show sources
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\iddbdbdv\cafadrev.exe:Zone.Identifier |
Attempts to connect to a dead IP:Port (1 unique times) Show sources
| network_host_ip | 23.67.250.184:80 (United States) |
HTTP traffic contains suspicious features which may be indicative of malware related traffic Show sources
| network_anomaly | HTTP traffic contains a POST request with no referer header |
| network_anomaly | http://connectionfailed.bit/ |
Performs some HTTP requests Show sources
| network_url | http://www.msftncsi.com/ncsi.txt |
| network_url | http://connectionfailed.bit/ |
The binary likely contains encrypted or compressed data. Show sources
| packer_section | name: .rsrc, entropy: 7.19, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0001c600, virtual_size: 0x0001c52a |
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Deletes its original binary from disk Show sources
| file_delete | c:\users\user\appdata\local\temp\9f75d272645b1dbcb6fb63f60ab7873982f13c08.exe |
Installs itself for autorun at Windows startup Show sources
| file | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iddbdbdv.lnk |
| file_write | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iddbdbdv.lnk |
Creates a copy of itself Show sources
| file | C:\Users\user\AppData\Roaming\Microsoft\Windows\iddbdbdv\cafadrev.exe |
Detects Sandboxie through the presence of a library Show sources
| file_query | sbiedll |
Checks the presence of disk drives in the registry, possibly for anti-virtualization Show sources
| registry_query | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 |
Creates a hidden or system file Show sources
| file_write | C:\Users\user\AppData\Roaming\Microsoft\Windows\iddbdbdv\cafadrev.exe |
| file_write | C:\Users\user\AppData\Roaming\Microsoft\Windows\iddbdbdv |