Verdict
Malicious
Action
(Defined in Profile)
Prevent
Confidence
High
Secure / Risk
Critical
Classification
Backdoor, Trojan
ATTACK VECTOR
11/06/2019 14:23
MALWARE FAMILY
Similarity Analysis
FILE LIST
Name | Type | Verdict | Size | Context |
 | | | 467 KB | Dropped |
2614d5a7b8ca735ac5faaac4d6cf068318756891/Tm.bmp | | | 456.19 KB | Dropped |
SUSPICIOUS ACTIVITIES
Win7, Office 2013, Adobe 11
WinXP, Office 2003/7, Adobe 9
Category | Count | Description |
Evasion | 1 | Observe a program that creates a new process |
Evasion | 1 | The program calls the dynamic load function dynamically |
Evasion | 1 | The program dynamically calls imported functions |
Evasion | 1 | The program enumerated running processes in the system |
Evasion | 1 | The program enumerates processes and/or modifies threads' contexts |
Evasion | 1 | The program uses a native API call to load a DLL |
Generic | 1 | Allocates read-write-execute memory (usually to unpack itself) |
Generic | 1 | Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping |
Reputation | 2 | Well known malware |
EMULATION VIDEOS
Win7, Office 2013, Adobe 11
WinXP, Office 2003/7, Adobe 9
ADVANCED FORENSICS
Win7, Office 2013, Adobe 11
WinXP, Office 2003/7, Adobe 9
Suspicious Activity
Dropped Files
Observes a program that writes an EXE file to the disk and executes it
Type | Value |
Suspicious activity | Observes a program that writes an EXE file to the disk and executes it |
Suspicious Activity
Evasion
Observe a program that creates a new process
Type | Value |
Suspicious activity | Observe a program that creates a new process |
Suspicious Activity
Evasion
The program calls the dynamic load function dynamically
Type | Value |
Suspicious activity | The program calls the dynamic load function dynamically |
Suspicious Activity
Evasion
The program dynamically calls imported functions
Type | Value |
Suspicious activity | The program dynamically calls imported functions |
Suspicious Activity
Evasion
The program enumerated running processes in the system
Type | Value |
Suspicious activity | The program enumerated running processes in the system |
Suspicious Activity
Evasion
The program enumerates processes and/or modifies threads' contexts
Type | Value |
Suspicious activity | The program enumerates processes and/or modifies threads' contexts |
Suspicious Activity
Evasion
The program queries a process cookie
Type | Value |
Suspicious activity | The program queries a process cookie |
Suspicious Activity
Evasion
The program queries information on its own process
Type | Value |
Suspicious activity | The program queries information on its own process |
Suspicious Activity
Evasion
The program queries its own PEB
Type | Value |
Suspicious activity | The program queries its own PEB |
Suspicious Activity
Evasion
The program uses a native API call to load a DLL
Type | Value |
Suspicious activity | The program uses a native API call to load a DLL |
Suspicious Activity
Evasion / Persistence
The program executes other programs or commands
Type | Value |
Suspicious activity | The program executes other programs or commands |
Suspicious Activity
File system event
Suspicious file was accessed during emulation
Type | Value |
Suspicious File system activity | C:\Users\admin\AppData\Local\TVoood.exe (Write) |
Suspicious File system activity | C:\Users\admin\AppData\Local\Tm.bmp (Write) |
Suspicious Activity
Generic
A potential heapspray has been detected. 2085 megabytes were sprayed onto the heap of the 2614d5a7b8ca735ac5faaac4d6cf068318756891.exe process
Type | Value |
Suspicious activity | A potential heapspray has been detected. 2085 megabytes were sprayed onto the heap of the 2614d5a7b8ca735ac5faaac4d6cf068318756891.exe process |
Suspicious Activity
Generic
Allocates execute permission to another process indicative of possible code injection
Type | Value |
Suspicious activity | Allocates execute permission to another process indicative of possible code injection |
Suspicious Activity
Generic
Allocates read-write-execute memory (usually to unpack itself)
Type | Value |
Suspicious activity | Allocates read-write-execute memory (usually to unpack itself) |
Suspicious Activity
Generic
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
Type | Value |
Suspicious activity | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
Suspicious Activity
Generic
Creates a thread using CreateRemoteThread in a non-child process indicative of process injection
Type | Value |
Suspicious activity | Creates a thread using CreateRemoteThread in a non-child process indicative of process injection |
Suspicious Activity
Generic
Creates executable files on the filesystem
Type | Value |
Suspicious activity | Creates executable files on the filesystem |
Suspicious Activity
Generic
Generic detection methods (common)
Type | Value |
Suspicious activity | Generic detection methods (common) |
Suspicious Activity
Generic
Manipulates memory of a non-child process indicative of process injection
Type | Value |
Suspicious activity | Manipulates memory of a non-child process indicative of process injection |
Suspicious Activity
Generic
Observe a program that launches the Windows command prompt
Type | Value |
Suspicious activity | Observe a program that launches the Windows command prompt |
Suspicious Activity
Generic
Potential code injection by writing to the memory of another process
Type | Value |
Suspicious activity | Potential code injection by writing to the memory of another process |
Suspicious Activity
Generic
Remcos is a Remote Administration Tool that was released publicly. This tool can be dropped along with a ransomware.
Type | Value |
Suspicious activity | Remcos is a Remote Administration Tool that was released publicly. This tool can be dropped along with a ransomware. |
Suspicious Activity
Generic
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping
Type | Value |
Suspicious activity | Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping |
Suspicious Activity
Generic
The Injector is malware that injects malicious code into legitimate applications or into a copy of itself
Type | Value |
Suspicious activity | The Injector is malware that injects malicious code into legitimate applications or into a copy of itself |
Suspicious Activity
Generic
Tried to read information about supported languages
Type | Value |
Suspicious activity | Tried to read information about supported languages |
Suspicious Activity
Log Tampering
Observe a program that disables system error message boxes
Type | Value |
Suspicious activity | Observe a program that disables system error message boxes |
Suspicious Activity
Network event
Suspicious attempted network communication occurred during emulation
Type | Value |
Suspicious Network activity | DNS: ableyahweh.ddns.net |
Suspicious Activity
Process event
Suspicious process was launched during emulation
Type | Value |
Suspicious Process activity | C:\Users\admin\AppData\Local\TVoood.exe (Start, Terminate) |
Suspicious Process activity | C:\Windows\System32\wsmprovhost.exe (Start) |
Suspicious Activity
Registry event
Observe a program that accesses the system services registry subkey
Type | Value |
Suspicious activity | Observe a program that accesses the system services registry subkey |
Suspicious Activity
Registry event
Observe a program that opens the ControlSet001 subkey
Type | Value |
Suspicious activity | Observe a program that opens the ControlSet001 subkey |
Suspicious Activity
Registry event
The program accesses a system related registry key
Type | Value |
Suspicious activity | The program accesses a system related registry key |
Suspicious Activity
Reputation
Well known malware
Type | Value |
Suspicious activity | Malware activity observed ( Backdoor.Win32.Remcos.fot ) |
Suspicious activity | Malware signature matched ( Backdoor.Win32.Remcos.fot.W.njwuv ) |
Suspicious Activity
Evasion
Observe a program that creates a new process
Type | Value |
Suspicious activity | Observe a program that creates a new process |
Suspicious Activity
Evasion
The program calls the dynamic load function dynamically
Type | Value |
Suspicious activity | The program calls the dynamic load function dynamically |
Suspicious Activity
Evasion
The program dynamically calls imported functions
Type | Value |
Suspicious activity | The program dynamically calls imported functions |
Suspicious Activity
Evasion
The program enumerated running processes in the system
Type | Value |
Suspicious activity | The program enumerated running processes in the system |
Suspicious Activity
Evasion
The program enumerates processes and/or modifies threads' contexts
Type | Value |
Suspicious activity | The program enumerates processes and/or modifies threads' contexts |
Suspicious Activity
Evasion
The program uses a native API call to load a DLL
Type | Value |
Suspicious activity | The program uses a native API call to load a DLL |
Suspicious Activity
Generic
Allocates read-write-execute memory (usually to unpack itself)
Type | Value |
Suspicious activity | Allocates read-write-execute memory (usually to unpack itself) |
Suspicious Activity
Generic
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping
Type | Value |
Suspicious activity | Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping |
Suspicious Activity
Reputation
Well known malware
Type | Value |
Suspicious activity | Malware activity observed ( Backdoor.Win32.Remcos.fot ) |
Suspicious activity | Malware signature matched ( Backdoor.Win32.Remcos.fot.W.njwuv ) |