Handyandy Has Detected an Error With Vmware Services. Please Run Andy Setup Os Setup Again
Incident Response
Risk Assessment
- Remote Access
- Reads terminal service related keys (frequently RDP related)
- Spyware
- Found a string that may be used as part of an injection method
- Persistence
- Grants permissions using icacls (DACL modification)
- Modifies firewall settings
- Spawns a lot of processes
- Tries to take ownership of files
- Fingerprint
- Queries sensitive IE security settings
- Queries the internet cache settings (frequently used to hide footprints in index.dat or internet cache)
- Reads the active computer name
- Reads the cryptographic machine GUID
- Evasive
- Possibly tries to implement anti-virtualization techniques
- Reads the keyboard layout followed by a significant code branch decision
- Network Behavior
- Contacts 1 domain and 1 host.
MITRE ATT&CK™ Techniques Detection
This report has 28 indicators that were mapped to 24 attack techniques and 9 tactics.
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
- Anti-Detection/Stealthyness
- Terminates other processes using tskill/taskkill
- details
- Process "taskkill.exe" with commandline "taskkill /im AndyConsole.exe /F"
- Process "taskkill.exe" with commandline "taskkill /im vmware-tray.exe /F"
- Process "taskkill.exe" with commandline "taskkill /im vmware-kvm.exe /F"
- Process "taskkill.exe" with commandline "taskkill /im vmware-vmx.exe /F"
- Process "taskkill.exe" with commandline "taskkill /im vmware.exe /F"
- Process "taskkill.exe" with commandline "taskkill /im vmplayer.exe /F"
- Process "taskkill.exe" with commandline "taskkill /im AndyConsole.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im Andy.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im HandyAndy.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im AndyADB.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im AndyDnD.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im adb.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im adb.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im TaskListen.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im HandyAndy.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im Andy.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im AndyConsole.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im AndyADB.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im AndyDND.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im adb.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im TaskListen.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im HandyAndy.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im Andy.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im AndyConsole.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im AndyADB.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im AndyDND.exe /f"
- Process "taskkill.exe" with commandline "taskkill /im adb.exe /f"
- source: Monitored Target
- relevance: 9/10
- External Systems
- Sample was identified as malicious by at least one Antivirus engine
- details
- 2/71 Antivirus vendors marked sample as malicious (2% detection rate)
- 1/22 Antivirus vendors marked sample as malicious (4% detection rate)
- source: External System
- relevance: 8/10
- Network Related
- Uses network protocols on unusual ports
- details
- TCP traffic to 23.21.126.131 on port 8080
- source: Network Traffic
- relevance: 7/10
- ATT&CK ID: T1065
- System Security
- Modifies firewall settings
- details
- Process "netsh.exe" with commandline "netsh advfirewall firewall delete rule name=all program="C:\Setup.exe""
- Process "netsh.exe" with commandline "netsh advfirewall firewall delete rule name="AndySetupIn""
- Process "netsh.exe" with commandline "netsh advfirewall firewall delete rule name="AndySetupOut""
- Process "netsh.exe" with commandline "netsh advfirewall firewall add rule name="AndySetupIn" dir=in action=allow enable=yes program="C:\Setup.exe""
- Process "netsh.exe" with commandline "netsh advfirewall firewall add rule name="AndySetupOut" dir=out action=allow enable=yes program="C:\Setup.exe""
- source: Monitored Target
- relevance: 8/10
- Modifies the access control lists of files
- details
- Process "icacls.exe" with commandline ""%PROGRAMFILES%\Andy" /grant "Users":(OI)(CI)F"
- Process "icacls.exe" with commandline ""%PROGRAMFILES%\Andy" /grant "Everyone":(OI)(CI)F"
- Process "icacls.exe" with commandline ""%PROGRAMFILES%\Andy" /grant "CREATOR OWNER":(OI)(CI)F"
- Process "icacls.exe" with commandline ""%PROGRAMFILES%\Andy" /grant "SYSTEM":(OI)(CI)F"
- Process "icacls.exe" with commandline ""%PROGRAMFILES%\Andy" /grant "Authenticated Users":(OI)(CI)F"
- source: Monitored Target
- relevance: 5/10
- ATT&CK ID: T1044
- Uses tskill/taskkill excessively (often used to disable security tools)
- details
- Process "taskkill.exe" spawned very often
- source: Monitored Target
- relevance: 7/10
- ATT&CK ID: T1089
- Unusual Characteristics
- Spawns a lot of processes
- details
- Spawned process "Setup.exe"
- Spawned process "cmd.exe" with commandline "/u /c md "%TEMP%\Lang""
- Spawned process "cmd.exe" with commandline "/u /c md "%PROGRAMFILES%\Andy""
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im AndyConsole.exe /F"
- Spawned process "taskkill.exe" with commandline "taskkill /im AndyConsole.exe /F"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware-tray.exe /F"
- Spawned process "taskkill.exe" with commandline "taskkill /im vmware-tray.exe /F"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware-kvm.exe /F"
- Spawned process "taskkill.exe" with commandline "taskkill /im vmware-kvm.exe /F"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware-vmx.exe /F"
- Spawned process "taskkill.exe" with commandline "taskkill /im vmware-vmx.exe /F"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware.exe /F"
- Spawned process "taskkill.exe" with commandline "taskkill /im vmware.exe /F"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmplayer.exe /F"
- Spawned process "taskkill.exe" with commandline "taskkill /im vmplayer.exe /F"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im AndyConsole.exe /f"
- Spawned process "taskkill.exe" with commandline "taskkill /im AndyConsole.exe /f"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im Andy.exe /f"
- Spawned process "taskkill.exe" with commandline "taskkill /im Andy.exe /f"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im HandyAndy.exe /f"
- Spawned process "taskkill.exe" with commandline "taskkill /im HandyAndy.exe /f"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im AndyADB.exe /f"
- Spawned process "taskkill.exe" with commandline "taskkill /im AndyADB.exe /f"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im AndyDnD.exe /f"
- Spawned process "taskkill.exe" with commandline "taskkill /im AndyDnD.exe /f"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im adb.exe /f"
- Spawned process "taskkill.exe" with commandline "taskkill /im adb.exe /f"
- Spawned process "cmd.exe" with commandline "/u /c taskkill /im adb.exe /f"
- Spawned process "taskkill.exe" with commandline "taskkill /im adb.exe /f"
- Spawned process "cmd.exe" with commandline "/u /c del /F /Q "%PROGRAMFILES%\Andy.*""
- Spawned process "cmd.exe" with commandline "/u /c rd /S /Q "%PROGRAMFILES%\Andy.*""
- Spawned process "cmd.exe" with commandline "/u /c del /F /S /Q "%PROGRAMFILES%\Andy""
- Spawned process "cmd.exe" with commandline "/u /c rd /S /Q "%PROGRAMFILES%\Andy""
- Spawned process "cmd.exe" with commandline "/u /c md "%PROGRAMFILES%\Andy""
- Spawned process "cmd.exe" with commandline "/u /c takeown /f "%PROGRAMFILES%\Andy" /A /R /D Y"
- Spawned process "takeown.exe" with commandline "takeown /f "%PROGRAMFILES%\Andy" /A /R /D Y"
- Spawned process "cmd.exe" with commandline "/u /c icacls.exe "%PROGRAMFILES%\Andy" /grant "Users":(OI)(CI)F"
- Spawned process "icacls.exe" with commandline ""%PROGRAMFILES%\Andy" /grant "Users":(OI)(CI)F"
- Spawned process "cmd.exe" with commandline "/u /c icacls.exe "%PROGRAMFILES%\Andy" /grant "Everyone":(OI)(CI)F"
- Spawned process "icacls.exe" with commandline ""%PROGRAMFILES%\Andy" /grant "Everyone":(OI)(CI)F"
- Spawned process "cmd.exe" with commandline "/u /c icacls.exe "%PROGRAMFILES%\Andy" /grant "CREATOR OWNER":(OI)(CI)F"
- Spawned process "icacls.exe" with commandline ""%PROGRAMFILES%\Andy" /grant "CREATOR OWNER":(OI)(CI)F"
- Spawned process "cmd.exe" with commandline "/u /c icacls.exe "%PROGRAMFILES%\Andy" /grant "System":(OI)(CI)F"
- Spawned process "icacls.exe" with commandline ""%PROGRAMFILES%\Andy" /grant "SYSTEM":(OI)(CI)F"
- Spawned process "cmd.exe" with commandline "/u /c icacls.exe "%PROGRAMFILES%\Andy" /grant "Authenticated Users":(OI)(CI)F"
- Spawned process "icacls.exe" with commandline ""%PROGRAMFILES%\Andy" /grant "Authenticated Users":(OI)(CI)F"
- Spawned process "cmd.exe" with commandline "/u /c netsh advfirewall firewall delete rule name=all program="C:\Setup.exe""
- Spawned process "netsh.exe" with commandline "netsh advfirewall firewall delete rule name=all program="C:\Setup.exe""
- Spawned process "cmd.exe" with commandline "/u /c netsh advfirewall firewall delete rule name="AndySetupIn""
- Spawned process "netsh.exe" with commandline "netsh advfirewall firewall delete rule name="AndySetupIn""
- Spawned process "cmd.exe" with commandline "/u /c netsh advfirewall firewall delete rule name="AndySetupOut""
- Spawned process "netsh.exe" with commandline "netsh advfirewall firewall delete rule name="AndySetupOut""
- Spawned process "cmd.exe" with commandline "/u /c netsh advfirewall firewall add rule name="AndySetupIn" dir=in action=allow enable=yes program="C:\Setup.exe""
- Spawned process "netsh.exe" with commandline "netsh advfirewall firewall add rule name="AndySetupIn" dir=in action=allow enable=yes program="C:\Setup.exe""
- source: Monitored Target
- relevance: 8/10
- Anti-Detection/Stealthyness
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "Setup.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
- Environment Awareness
- Possibly tries to implement anti-virtualization techniques
- details
- "it..., 30
SetupRetCode := l
Goto, QuitSetup
}
}
SetTimer, RunBeforeShutdown, Off
DllCall("kernel32.dll\SetProcessShutdownParameters", UInt, 0x4FF, UInt, 0)
OnMessage(0x11, "WM_QUERYENDSESSION")
IfInString, CommandLine, -special%A_Space%-
{
StringReplace, CommandLine, CommandLine, -special%A_Space%,,
}
IfInString, CommandLine, -special
{
StringReplace, CommandLine, CommandLine, -special,,
}
IfInString, CommandLine, ecial%A_Space%-
{
StringReplace, CommandLine, CommandLine, ecial%A_Space%,,
}
IfInString, CommandLine, -NoIcon
{
Menu, Tray, NoIcon
}
IfNotInString, CommandLine, -NoIcon
{
Menu, Tray, Icon
}
FileDelete, %A_Temp%\vmware*.txt
FileDelete, %A_Temp%\vmware*.ini
FileDelete, %A_Temp%\*.andy.txt
FileDelete, %A_Temp%\*.vmware.txt
FileDelete, %A_Temp%\RemoveTemp.exe
FileDelete, %A_Temp%\Uninstalltemp.exe
FileDelete, %A_Temp%\vm*.log
FileDelete, %A_Temp%\GATickError.txt
FileDelete, %A_Temp%\bng.msi
Process, Exist, AndyDnD.exe
If (ErrorLevel > "0")
{
RunWait, AndyDnD.exe exit, %andydir%, hide UseErrorLevel
}
P" (Indicator: "vmware")
"seErrorLevel
}
Process, Exist, HandyAndy.exe
If errorlevel > 0
{
RunWait, taskill.exe /IM HandyAndy.exe /F,, hide UseErrorLevel
}
Process, Exist, HandyAndy.exe
If errorlevel > 0
{
RunWait, taskill.exe /IM HandyAndy.exe /F,, hide UseErrorLevel
}
Process, Exist, HandyAndy.exe
If errorlevel > 0
{
RunWait, taskill.exe /IM HandyAndy.exe /F,, hide UseErrorLevel
}
Process, Exist, abd.exe
If errorlevel > 0
{
RunWait, taskill.exe /IM adb.exe /F,, hide UseErrorLevel
}
Process, Exist, adb.exe
If errorlevel > 0
{
RunWait, taskill.exe /IM adb.exe /F,, hide UseErrorLevel
}
IfNotInString, CommandLine, -silent
{
IfNotInString, CommandLine, -NoProgress
{
Progress, m2 b h36 w500 fs14 zh0 CW87CEFA CT000000, % LNST("Progress", 1), , , Segoe UI
}
}
TargetDrive=
AndyStorage=
DefaultLibrary=
TargetDriveCMD=
AndyStorageCMD=
DefaultLibraryCMD=
EnvSet, A_WorkingDir, %A_WorkingDir%
EnvSet, VMwareCheckMode, 0
EnvSet, SEE_MASK_NOZONECHECKS, 1
StringGetPos, LastSlash, A_Desktop, \, R
SplitPath, A_WinDir,,,,, WinDrive
SystemDrive = %WinDri" (Indicator: "vmware")
"ey = SOFTWARE\Wow6432Node\VMware`, Inc.
SourceRemoveKey = HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
EnvSet, PATH, %ProgramFilesDir%\Andy`;%A_Windir%\SysWOW64;%A_Windir%\System32`;%A_Windir%\SysWOW64\wbem`;%A_Windir%\System32\wbem`;%A_Windir%\SysWOW64\WindowsPowerShell\v1.0\`;%A_Windir%\System32\WindowsPowerShell\v1.0\`;%A_Windir%
EnvSet, ANDY_ANDYAHK, 1
}
If A_Is64bitOS != 1
{
SetRegView, 32
arch = x86
notarch = x64
RegWrite, REG_SZ, HKEY_CURRENT_USER, Software\Andy, AndyInstallerState, "start"
ProgramFilesGet = %A_ProgramFiles%
if InStr(FileExist(ProgramFilesGet), "D")
{
ProgramFilesDir = %ProgramFilesGet%
ProgramFilesDir86 = %ProgramFilesDir%
}
if not InStr(FileExist(ProgramFilesDir), "D")
{
MsgBox, 48, PROBLEM !!, Andy OS Setup can not access "%ProgramFilesDir%" folder on your PC. Please contact Andy Support.
Goto, QuitSetup
}
Else
{
FileCreateDir, %ProgramFilesDir%\Andy
RunWait, %comspec% /u /c md "%ProgramFilesDir%\Andy",, hide UseErrorLevel
}
SourceRegKey = SOFTWARE\VMware`," (Indicator: "vmware")
"BackGroundTrans cYellow gAndyEULA, Andy OS, Inc (C)2016
Gui, 99:Font, S9 Norm, Verdana
Gui, 99:Add, Progress, x40 y379 w490 h20 -0x00000001 vProgressBar, %progstat%
IfNotInString, CommandLine, -NoInitialGUI
{
Gui, 99:Show, x%AndyX% y%AndyY% h422 w581, Andy OS Installer
winwait, % "ahk_id " guihwnd
winset, TransColor, White, % "ahk_id " linkhwnd
OnMessage(0x201, "WM_LBUTTONDOWN")
}
}
Process, exist, AndyConsole.exe
if (ErrorLevel > "0")
{
SendMessage, 0x8001,,,, Andy ahk_class Qt5QWindowIcon,,, 5000
Status = %errorlevel%
IfInString, Status, Fail
{
Process, Close, AndyConsole.exe
Runwait, %comspec% /u /c taskkill /im AndyConsole.exe /f,, hide UseErrorLevel
Process, Close, vmware-vmx.exe
Runwait, %comspec% /u /c taskkill /im vmware-vmx.exe /f,, hide UseErrorLevel
IfExist, %A_AppData%\Andy\status.txt
{
FileDelete, %A_AppData%\Andy\status.txt
}
Sleep, 2000
}
}
Runwait, %comspec% /u /c taskkill /im AndyConsole.exe /F,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im vmware-tray.exe /F,, hide UseErrorLevel" (Indicator: "vmware")
"Runwait, %comspec% /u /c taskkill /im vmware-kvm.exe /F,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im vmware-vmx.exe /F,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im vmware.exe /F,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im vmplayer.exe /F,, hide UseErrorLevel
EnvSet, andydir, %andydir%
Runwait, %comspec% /u /c taskkill /im AndyConsole.exe /f,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im Andy.exe /f,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im HandyAndy.exe /f,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im AndyADB.exe /f,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im AndyDnD.exe /f,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im adb.exe /f,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im adb.exe /f,, hide UseErrorLevel
progstat = 10
GuiControl, 99:, Progressbar, %progstat%
IfNotInString, CommandLine, -VMwareModule
{
Runwait, %comspec% /u /c del /F /Q "%ProgramFilesDir%\Andy.*",, hide UseErrorLevel" (Indicator: "vmware")
"FileRemoveDir, %ProgramFilesDir%\Andy, 1
Runwait, %comspec% /u /c rd /S /Q "%ProgramFilesDir%\Andy.*",, hide UseErrorLevel
Runwait, %comspec% /u /c del /F /S /Q "%ProgramFilesDir%\Andy",, hide UseErrorLevel
FileRemoveDir, %ProgramFilesDir%\Andy, 1
Runwait, %comspec% /u /c rd /S /Q "%ProgramFilesDir%\Andy",, hide UseErrorLevel
Sleep 1000
}
Else
{
Exists := Verify(andydir . "\SetupFiles\VmwareCheck.exe")
If errorlevel = 100
{
Exists := Verify(andydir . "\SetupFiles\VmwareRemove.exe")
If errorlevel = 100
{
Goto, VMwareModule1
}
}
}
FileCreateDir, %ProgramFilesDir%\Andy
Runwait, %comspec% /u /c md "%ProgramFilesDir%\Andy",, hide UseErrorLevel
RunWait, %comspec% /u /c takeown /f "%andydir%" /A /R /D Y,, hide UseErrorLevel
RunWait, %comspec% /u /c icacls.exe "%andydir%" /grant "Users":(OI)(CI)F,, hide UseErrorLevel
RunWait, %comspec% /u /c icacls.exe "%andydir%" /grant "Everyone":(OI)(CI)F,, hide UseErrorLevel
RunWait, %comspec% /u /c icacls.exe "%andydir%" /grant "CREATOR OWNER":(OI)(CI)F,, hide UseErrorLevel
RunW" (Indicator: "vmware")
"FilesArch != %arch%
{
Progress, Off
HitGAResult := HitGA("andy_QUIT_WrongArchFiles",FilesArch,"%arch%")
MsgBox, 48, % LNST("MsgBox", 1), % LNST("MsgBox", 11)
Goto, QuitSetup
}
Else
{
HitGAResult := HitGA("andy_MARK_CorrectArchFiles")
}
Sleep, 1500
WinGetPos, AndyX, AndyY, , , Andy OS Installer
FileDelete, %A_Temp%\AndyWin.andy.txt
If AndyX =
{
AndyX = Center
}
If AndyY =
{
AndyY = Center
}
FileAppend, %AndyX%`n%AndyY%, %A_Temp%\AndyWin.andy.txt
IfNotInString, CommandLine, -NoTrayTip
{
Menu, Tray, Icon
TrayTip, Andy OS Installer, Andy OS is Installing. It will start automatically!
SetTimer, RemoveTrayTip, 3000
}
VMwareModule1:
IfInString, CommandLine, -silent
{
Gui, 99:hide
}
IfInString, CommandLine, -NoMainGUI
{
Gui, 99:hide
}
GuiControl, 99:, TextMain, % LNST("TextMain", 2)
progstat = 4
GuiControl, 99:, Progressbar, %progstat%
Goto, VTXCheck
AfterVTXCheck:
RegRead, VTXRetCode, HKCU\Software\Andy, VTXRetCode
ProcessCommandLine:
IfInString, CommandLine, -TargetDrive`=
{
pos=
posx=
posz=
StringGetPos, pos, Comm" (Indicator: "vmware")
"y.txt
}
}
Loop, Read, %A_Temp%\FreeSpace.andy.txt
{
StringSplit, DriveSize, A_LoopReadLine, =
v%A_Index% := DriveSize2
}
x := v1 ";" v2 ";" v3 ";" v4 ";" v5 ";" v6 ";" v7 ";" v8 ";" v9 ";" v10 ";" v11 ";" v12 ";" v13 ";" v14 ";" v15 ";" v16 ";" v17 ";" v18 ";" v19 ";" v20
Sort, x, d`; N R
y := RegExMatch(x,"[\d.-]*",MostFreeSpace)
Loop, Read, %A_Temp%\FreeSpace.andy.txt
{
IfInString, A_LoopReadLine, %MostFreeSpace%
{
StringSplit, DriveArray, A_LoopReadLine, =
RootDrive := DriveArray1
RootDrive = %RootDrive%
break
}
}
FileRead, FreeSpaceList, %A_Temp%\FreeSpace.andy.txt
TargetDrive:
TargetDrive = %RootDrive%
AndyStorage = %TargetDrive%\AndyOS
DefaultLibrary = %TargetDrive%\AndyOS\machines
afterdiskcheck:
FileDelete, %A_Temp%\*usb*.andy.txt
FileDelete, %A_Temp%\FreeSpace*.andy.txt
FileDelete, %A_Temp%\dpq.andy.txt
FileDelete, %A_Temp%\*usb*.txt
FileDelete, %A_Temp%\listUSB.andy.txt
FileDelete, %A_Temp%\USBDeview.exe
IfInString, CommandLine, -VMwareModule
{
Goto, VMwareModule2
}
FileCreateDir, %andydir%\SetupFil" (Indicator: "vmware")
"es
Runwait, %comspec% /u /c md "%andydir%\SetupFiles",, hide UseErrorLevel
FileCreateDir, %A_AppData%\Andy
FileCreateDir, %A_AppData%\Andy\HandyAndy
FileCreateDir, %A_AppData%\Andy\Logs
FileCreateDir, %A_AppData%\Andy\machines
FileCreateDir, %userprofile%\Andy
FileCreateDir, %userprofile%\Andy\Backup
FileCreateDir, %AndyStorage%
Runwait, %comspec% /u /c md "%AndyStorage%",, hide UseErrorLevel
FileCreateDir, %AndyStorage%\images
Runwait, %comspec% /u /c md "%AndyStorage%\images",, hide UseErrorLevel
FileCreateDir, %AndyStorage%\VMW
Runwait, %comspec% /u /c md "%AndyStorage%\VMW",, hide UseErrorLevel
VMWareModule2:
RunWait, %comspec% /u /c takeown /f "%A_AppData%\Andy" /A /R /D Y,, hide UseErrorLevel
RunWait, %comspec% /u /c icacls "%A_AppData%\Andy" /grant "Users":(OI)(CI)F,, hide UseErrorLevel
RunWait, %comspec% /u /c icacls "%A_AppData%\Andy" /grant "Everyone":(OI)(CI)F,, hide UseErrorLevel
RunWait, %comspec% /u /c icacls "%A_AppData%\Andy" /grant "CREATOR OWNER":(OI)(CI)F,, hide UseErrorLevel
RunWait, %coms" (Indicator: "vmware")
"AndyDnD.exe /f,, hide UseErrorLevel
Process, Close, AndyDnD.exe
process, close, adb.exe
Runwait, %comspec% /u /c taskkill /im adb.exe /f,, hide UseErrorLevel
process, close, adb.exe
Runwait, %comspec% /u /c taskkill /im adb.exe /f,, hide UseErrorLevel
process, close, adb.exe
Runwait, %comspec% /u /c taskkill /im adb.exe /f,, hide UseErrorLevel
HitGAResult := HitGA("andy_MARK_KillRunningProcesses")
FileInstall, _embed\msvcp100.dll, %A_WorkingDir%\tools\msvcp100.dll, 1
FileInstall, _embed\msvcr100.dll, %A_WorkingDir%\tools\msvcr100.dll, 1
IfInString, CommandLine, -VMwareModule
{
Goto, VMwareModule3
}
GuiControl, 99:, TextMain, % LNST("TextMain", 4)
progstat = 18
GuiControl, 99:, Progressbar, %progstat%
Sleep, 750
GuiControl, 99:, TextMain, % LNST("TextMain", 13)
progstat = 20
GuiControl, 99:, Progressbar, %progstat%
IfNotExist, %A_WorkingDir%\Andy\Andy-%arch%.7z.001
{
HitGAResult := HitGA("andy_QUIT_CantFind7zAndyFiles", arch)
MsgBox, 48, PROBLEM !!, Can not find andy 7z installation file. Please contact suppor" (Indicator: "vmware")
"reateDir, %andydir%\SetupFiles
FileAppend, `n, %andydir%\SetupFiles\1.txt
IfNotExist, %andydir%\SetupFiles\1.txt
{
HitGAResult := HitGA("andy_QUIT_CreateAndydirFailed")
Progress, Off
MsgBox, 48, % LNST("MsgBox", 1), % LNST("MsgBox", 14), 15
Goto, QuitSetup
}
HitGAResult := HitGA("andy_MARK_InitialAndyFoldersCreated")
FileDelete, %andydir%\SetupFiles\1.txt
progstat = 22
GuiControl, 99:, Progressbar, %progstat%
IfNotInString, CommandLine, -silent
{
OnMessage(0x404, "AHK_NOTIFYICON")
TipStat := progstat
Goto, FileCheck
}
IfNotInString, CommandLine, -NoIcon
{
OnMessage(0x404, "AHK_NOTIFYICON")
TipStat := progstat
Goto, FileCheck
}
filecheck:
Runwait, %comspec% /u /c taskkill /im HandyAndy.exe /F,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im VMwareCheck.exe /F,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im AndyDoctor.exe /F,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im VMwareRemove.exe /F,, hide UseErrorLevel
Runwait, %comspec% /u /c taskkill /im AutoConfigVM.exe /F,, hide Use" (Indicator: "vmware")
":= HitGA("andy_QUIT_AndyExeNotFound", andydir)
MsgBox, 48, % LNST("MsgBox", 1), % LNST("MsgBox", 18)
Goto, QuitSetup
}
IfNotExist, %andydir%\AndyConsole.exe
{
HitGAResult := HitGA("andy_QUIT_AndyConsoleNotFound", andydir)
MsgBox, 48, % LNST("MsgBox", 1), % LNST("MsgBox", 19)
Goto, QuitSetup
}
HitGAResult := HitGA("andy_MARK_AndyExesFound")
VMwareModule3:
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name=all program="%andydir%\andy.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name="AndyIn",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name="AndyOut",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall add rule name="AndyIn" dir=in action=allow enable=yes program="%andydir%\andy.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall add rule name="AndyOut" dir=out action=allow enable=yes program="%andydir%\andy.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh" (Indicator: "vmware")
"e UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall add rule name="AndyUninstallOut" dir=out action=allow enable=yes program="%andydir%\SetupFiles\Uninstall.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall add rule name="AndyRemoveIn" dir=in action=allow enable=yes program="%A_Temp%\RemoveTemp.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall add rule name="AndyRemoveOut" dir=out action=allow enable=yes program="%A_Temp%\RemoveTemp.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name=all program="%andydir%\SetupFiles\VMwareCheck.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name="CheckVMIn",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name="CheckVMOut",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall add rule name="CheckVMIn" dir=in action=allow enable=yes program="%andydir%\SetupFiles\VMwa" (Indicator: "vmware"), "reCheck.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall add rule name="CheckVMOut" dir=out action=allow enable=yes program="%andydir%\SetupFiles\VMwareCheck.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name=all program="%andydir%\SetupFiles\AndyDoctor.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name="DoctorIn",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name="DoctorOut",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall add rule name="DoctorIn" dir=in action=allow enable=yes program="%andydir%\SetupFiles\AndyDoctor.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall add rule name="DoctorOut" dir=out action=allow enable=yes program="%andydir%\SetupFiles\AndyDoctor.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name=all program="%ProgramFilesDir86%\Bonjour\mDNSRe" (Indicator: "vmware"), "sponder.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name=all program="%ProgramFilesDir%\Bonjour\mDNSResponder.exe",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name="Bonjour Service",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name="Bonjour Service",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name="Bonjour Service",, hide UseErrorLevel
RunWait, %comspec% /u /c netsh advfirewall firewall delete rule name="Bonjour Service",, hide UseErrorLevel
HitGAResult := HitGA("andy_MARK_SetFirewallRules")
VMModuleCheck = -1
IfInString, CommandLine, -VMwareModule
{
VMModuleCheck = SOLO
Goto, VMwareModule
}
GuiControl, 99:, TextMain, % LNST("TextMain", 18)
progstat = 42
GuiControl, 99:, Progressbar, %progstat%
Sleep, 2000
RegDelete, HKEY_CURRENT_USER, SOFTWARE\Andy, IMEI
RegDelete, HKEY_CURRENT_USER, SOFTWARE\Andy, UID
RegDelete, HKEY_CURRENT_USER, SOFTWARE\An" (Indicator: "vmware")
"xt
{
PathOrInfo = %A_LoopReadLine%
IfInString, PathOrInfo, Invalid bundles
Break
IfInString, PathOrInfo, #
{
StringSplit, VMinitialarray, A_LoopReadLine, %A_TAB%
}
If VMinitialarray3 = andy
{
InitialVMID = %VMinitalarray4%
}
}
FileDelete, %A_Temp%\parselistinstall*.andy.txt
EnvSet, ANDY_ANALYTICS_ENABLED, false
RunWait, %comspec% /u /c ""%andydir%\AndyConsole.exe" uninstall "%MyListBox%"hide UseErrorLevel
RunWait
%comspec% /u /c ""%andydir%\AndyConsole.exe" uninstall "%MyListBox%",, hide UseErrorLevel
RunWait, %comspec% /u /c ""%andydir%\AndyConsole.exe" -vv install --name "%MyListBox%" --library "%DefaultLibrary%" --provider vmware --make-default "%SelectedFile%"",, hide UseErrorLevel
EnvSet, ANDY_ANALYTICS_ENABLED, true
FileDelete, %A_Temp%\parselistinstall.andy.txt
Sleep, 500
EnvSet, ANDY_ANALYTICS_ENABLED, false
RunWait, %comspec% /u /c ""%andydir%\AndyConsole.exe" list-machines --stdout "%A_Temp%\parselistinstall.andy.txt"",, hide UseErrorLevel
EnvSet, ANDY_ANALYTICS_ENABLED, true
Loop, Read, %A_Temp" (Indicator: "vmware")
"ndle
FileCreateDir, %andydir%\Prebundle\Shortcuts
FileCreateDir, %andydir%\Prebundle\Icons
FileCopy, %A_WorkingDir%\Prebundle\Icons\*.*, %andydir%\Prebundle\Icons, 1
FileCopy, %A_WorkingDir%\Prebundle\Shortcuts\*.*, %andydir%\Prebundle\Shortcuts, 1
GuiControl, 99:, TextMain, % LNST("TextMain", 26)
progstat = 49
GuiControl, 99:, Progressbar, %progstat%
Sleep, 1500
Loop, Read, %andydir%\Prebundle\Shortcuts\FalseShortcuts.info
{
StringSplit, ShortcutArray, A_LoopReadLine, /
FileCreateShortcut, "%andydir%\HandyAndy.exe", %A_Desktop%\%ShortcutArray1%.lnk, %andydir%, startandy, %ShortcutArray1%, %andydir%\Prebundle\Icons\%ShortcutArray2%
}
}
}
ControlSend,, {F5}, ahk_class Progman
HitGAResult := HitGA("andy_MARK_AndySetupComplete")
VMwareModule:
VMwareCheckStatus = -1
GuiControl, 99:, TextMain, % LNST("TextMain", 27)
progstat = 60
GuiControl, 99:, Progressbar, %progstat%
Sleep, 2000
HitGAResult := HitGA("andy_MARK_VMwareBegin")
Runwait, %comspec% /u /c taskkill /im vmplayer.exe /f,, hide UseErrorLevel
Process, Clos" (Indicator: "vmware")
"e, vmplayer.exe
Runwait, %comspec% /u /c taskkill /im vmware-vmx.exe /f,, hide UseErrorLevel
Process, Close, vmware-vmx.exe
Runwait, %comspec% /u /c taskkill /im vmware.exe /f,, hide UseErrorLevel
Process, Close, vmware.exe
VMwareCheckTool:
If (VMwareCheckMode != "0") && (VMwareCheckMode != "1") && (VMwareCheckMode != "2")
{
VMwareCheckMode := 0
}
RegWrite, REG_SZ, HKCU\Software\Andy, VMwareCheckStatus, -1
Exists := Verify(andydir . "\SetupFiles\VmwareCheck.exe")
If Exists = 100
{
VMwareCheckMode := VMwareCheckMode + 1
EnvSet, VMwareCheckMode, %VMwareCheckMode%
RunWait, VMwareCheck.exe -Silent, %andydir%\SetupFiles, hide UseErrorLevel
HitGAResult := HitGA("andy_CHECK_VMwareCheckBefore", Exists)
}
Else
{
VMwareCheckMode := 999
EnvSet, VMwareCheckMode, %VMwareCheckMode%
RegWrite, REG_SZ, HKCU\Software\Andy, VMwareCheckStatus, 999
HitGAResult := HitGA("andy_QUIT_VMwareCheckToolMissing", Exists, %andydir%)
MsgBox, 48, PROBLEM !!, Andy OS Setup can not find all the files necessary to install properly. Please cont" (Indicator: "vmware")
"act Andy Support.`n`nError`nandy_FAIL_VMwareCheckToolMissing`nCode %Exists%
Goto, QuitSetup
}
Process, WaitClose, CheckVMware.exe, 120
RegRead, VMwareCheckStatus, HKCU\Software\Andy, VMwareCheckStatus
If (LateVMwareCheck = "YES")
{
LateVMwareCheck = RAN
Goto, LateVMwareCheck
}
If (VMwareCheckStatus != "PASS") && (VMwareCheckStatus != "FAIL") && (VMwareCheckStatus != "HOSED")
{
HitGAResult := HitGA("andy_RESULT_VMwareCheck_NoResultGiven", VMwareCheckStatus)
Goto, VMwareRemove
}
If (VMwareCheckStatus = "Fail")
{
HitGAResult := HitGA("andy_RESULT_VMwareCheckFailBefore", VMwareCheckStatus)
Goto, VMwareRemove
}
If (VMwareCheckStatus = "HOSED")
{
HitGAResult := HitGA("andy_RESULT_VMwareCheckHosedBefore", VMwareCheckStatus)
Goto, CleanInstall
}
If (VMwareCheckStatus = "PASS")
{
If (VMModuleCheck = "SOLO")
{
HitGAResult := HitGA("andy_RESULT_VMwareCheckPassSOLO", VMwareCheckStatus)
Goto, QuitSetup
}
Else
{
HitGAResult := HitGA("andy_RESULT_VMwareCheckPassBefore", VMwareCheckStatus)
Goto, Finalize
}
}
VMwareRemove:
Ex" (Indicator: "vmware")
"ists := Verify(andydir . "\SetupFiles\VmwareRemove.exe")
If Exists = 100
{
HitGAResult := HitGA("andy_CHECK_RunVMwareRemove", Exists)
RunWait, VMwareRemove.exe -Silent, %andydir%\SetupFiles, hide UseErrorLevel
}
Else
{
HitGAResult := HitGA("andy_FAIL_VMwareRemoveNotFound", Exists)
}
Process, WaitClose, CheckVMware.exe, 180
CleanInstall:
HitGAResult := HitGA("andy_CHECK_CleanInstall")
WinGetPos, AndyX, AndyY, , , Andy OS Installer
FileDelete, %A_Temp%\AndyWin.andy.txt
If AndyX =
{
AndyX = Center
}
If AndyY =
{
AndyY = Center
}
FileAppend, %AndyX%`n%AndyY%, %A_Temp%\AndyWin.andy.txt
GuiControl, 99:, TextMain, % LNST("TextMain", 31)
progstat = 75
GuiControl, 99:, Progressbar, %progstat%
FileReadLine, vmxType, %A_Temp%\VMwareCheckType.txt, 1
retcode=
HitGAResult := HitGA("andy_CheckACL_WindowsInstaller")
RunWait, Andy.exe --analytics-origin installer shell vmware_install_check_acl_windows_installer, %andydir%, hide UseErrorLevel
RunWait, cacls "%A_WinDir%\Installer" /S | findstr "FA;*SY", , hide UseErrorLevel
inst" (Indicator: "vmware") - source
- String
- relevance
- 4/10
- Reads the cryptographic machine GUID
- details
- "Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"taskkill.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
- Possibly tries to implement anti-virtualization techniques
- External Systems
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/71 reputation engines marked "http://s1.symcb.com/pca3-g5.crl0" as malicious (1% detection rate)
1/71 reputation engines marked "http://sv.symcb.com/sv.crl0a" as malicious (1% detection rate)
1/69 reputation engines marked "http://andysupport.s3.amazonaws.com" as malicious (1% detection rate) - source
- External System
- relevance
- 10/10
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- General
- Contains ability to find and load resources of a specific module
- details
- FindResourceW@KERNEL32.dll at 44670-3347-00765BCC
- source
- Hybrid Analysis Applied science
- relevance
- 1/10
- Opened the service control manager
- details
- "Setup.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_LOCK" (0x8)
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1035 (Show technique in the MITRE ATT&CK™ matrix)
- Contains ability to find and load resources of a specific module
- Installation/Persistance
- Drops executable files
- details
- "xz.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Extracted File
- relevance
- 10/10
- Drops executable files
- Network Related
- Found potential IP address in binary/memory
- details
- "1.1.24.02"
"46.16.66.0" - source
- String
- relevance
- 3/10
- Sends traffic on typical HTTP outbound port, but without HTTP header
- details
- TCP traffic to 23.21.126.131 on port 8080 is sent without HTTP header
- source
- Network Traffic
- relevance
- 5/10
- Found potential IP address in binary/memory
- Remote Access Related
- Contains indicators of bot communication commands
- details
- "seErrorLevel
}
Process, Exist, HandyAndy.exe
If errorlevel > 0
{
RunWait, taskill.exe /IM HandyAndy.exe /F,, hide UseErrorLevel
}
Process, Exist, HandyAndy.exe
If errorlevel > 0
{
RunWait, taskill.exe /IM HandyAndy.exe /F,, hide UseErrorLevel
}
Process, Exist, HandyAndy.exe
If errorlevel > 0
{
RunWait, taskill.exe /IM HandyAndy.exe /F,, hide UseErrorLevel
}
Process, Be, abd.exe
If errorlevel > 0
{
RunWait, taskill.exe /IM adb.exe /F,, hide UseErrorLevel
}
Process, Exist, adb.exe
If errorlevel > 0
{
RunWait, taskill.exe /IM adb.exe /F,, hide UseErrorLevel
}
IfNotInString, CommandLine, -silent
{
IfNotInString, CommandLine, -NoProgress
{
Progress, m2 b h36 w500 fs14 zh0 CW87CEFA CT000000, % LNST("Progress", 1), , , Segoe UI
}
}
TargetDrive=
AndyStorage=
DefaultLibrary=
TargetDriveCMD=
AndyStorageCMD=
DefaultLibraryCMD=
EnvSet, A_WorkingDir, %A_WorkingDir%
EnvSet, VMwareCheckMode, 0
EnvSet, SEE_MASK_NOZONECHECKS, 1
StringGetPos, LastSlash, A_Desktop, \, R
SplitPath, A_WinDir,,,,, WinDrive
SystemDrive = %WinDri" (Indicator: "cmd=") - source
- String
- relevance
- 10/10
- ATT&CK ID
- T1094 (Show technique in the MITRE ATT&CK™ matrix)
- Contains references to WMI/WMIC
- details
- ", MachineGuid, HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\Cryptography, MachineGuid
If (errorlevel = "1")
{
Progress, Off
HitGAResult := HitGA("andy_QUIT_MachineGuidMissing")
MsgBox, 48, % LNST("MsgBox", 1), % LNST("MsgBox", 8), 15
goto, QuitSetup
}
Else
{
HitGAResult := HitGA("andy_MARK_GotMachineGuid")
}
Sleep, 1500
StringReplace, MachineGuid, MachineGuid, {,, all
StringReplace, MachineGuid, MachineGuid, },, all
progstat = 50
GuiControl, 99:, Progressbar, %progstat%
FileDelete, %A_Temp%\sysinfo*.andy.txt
Sleep, 250
RunWait, %comspec% /u /c wmic.exe cpu get NumberOfCores /format:list |more >>"%A_Temp%\sysinfo.andy.txt",, hide UseErrorLevel
RetCode = %ErrorLevel%
If (RetCode = "0")
{
HitGAResult := HitGA("andy_CHECK_WmicCoresVcpu", RetCode)
}
If (RetCode != "0")
{
HitGAResult := HitGA("andy_FAIL_WmicCoresVcpu", RetCode)
}
RunWait, %comspec% /u /c wmic.exe cpu get NumberOfLogicalProcessors /format:list |more >>"%A_Temp%\sysinfo.andy.txt",, hide UseErrorLevel
RetCode = %ErrorLevel%
If (RetCode = "0")
{
HitGAResult" (Indicator: "wmic.exe")
":= HitGA("andy_CHECK_WmicLogicalProcessors", RetCode)
}
If (RetCode != "0")
{
HitGAResult := HitGA("andy_FAIL_WmicCoresVcpu", RetCode)
}
RunWait, %comspec% /u /c wmic.exe os get TotalVisibleMemorySize /format:list |more >>"%A_Temp%\sysinfo.andy.txt",, hide UseErrorLevel
RetCode = %ErrorLevel%
If (RetCode = "0")
{
HitGAResult := HitGA("andy_CHECK_WmicRAM", RetCode)
}
If (RetCode != "0")
{
HitGAResult := HitGA("andy_FAIL_WmicRAM", RetCode)
}
CurrentLine=
Loop, Read, %A_Temp%\sysinfo.andy.txt
{
If A_LoopReadLine =
Continue
StringReplace, CurrentLine, A_LoopReadLine, `n,, All
StringReplace, CurrentLine, CurrentLine, `r,, All
FileAppend, %CurrentLine%`n, %A_Temp%\CoresCpuRAM.andy.txt
}
Loop, Read, %A_Temp%\CoresCpuRAM.andy.txt
{
IfInString, A_LoopReadLine, Cores
{
StringSplit, CoresArray, A_LoopReadLine, =
Cores := Trim(CoresArray2)
Continue
}
IfInString, A_LoopReadLine, Logical
{
StringSplit, vcpuArray, A_LoopReadLine, =
vcpu := Trim(vcpuArray2)
Continue
}
IfInString, A_LoopReadLine, Memory
{
StringSplit, Memory" (Indicator: "wmic.exe")
"entBuild
If (errorLevel = "1")
{
VTXRetCode = 3
Goto, VtxDone
}
If (OSBuildID < "7600")
{
VTXRetCode = 4
Goto, VtxDone
}
If OSBuildID = 7600
{
WinVer = 6.1
WinName = 7
}
If OSBuildID = 7601
{
WinVer = 6.1
WinName = 7
}
If OSBuildID = 9200
{
WinVer = 6.2
WinName = 8
}
If OSBuildID = 9600
{
WinVer = 6.3
WinName = 8.1
}
If OSBuildID = 14393
{
WinVer = 10.0
WinName = 10
}
If WinName !=
{
Goto, Win%WinName%
}
Else
{
VTXRetCode = 5
MsgBox, 48, Trouble, Andy OS Can not get Windows Version
Goto, VtxDone
}
Win8:
Win8.1:
Win10:
FileDelete, %A_Temp%\wmic*.andy.txt
Sleep, 250
if curvation = x64
{
RunWait, %comspec% /u /c wmic.exe cpu get VirtualizationFirmwareEnabled /format:list |Find "=" >"%A_Temp%\wmiccpuget.andy.txt", %A_Windir%\SysWON64, hide UseErrorLevel
}
if arch = x86
{
RunWait, %comspec% /u /c wmic.exe cpu get VirtualizationFirmwareEnabled /format:list |Find "=" >"%A_Temp%\wmiccpuget.andy.txt", %A_Windir%\System32, hide UseErrorLevel
}
Loop, Read, %A_Temp%\wmiccpuget.andy.txt
{
If A_LoopReadLine =
Continue
IfInStrin" (Indicator: "wmic.exe") - source
- String
- relevance
- 10/10
- ATT&CK ID
- T1047 (Show technique in the MITRE ATT&CK™ matrix)
- Reads terminal service related keys (often RDP related)
- details
- "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076 (Show technique in the MITRE ATT&CK™ matrix)
- Contains indicators of bot communication commands
- Spyware/Information Retrieval
- Contains ability to retrieve keyboard strokes
- details
- GetAsyncKeyState@USER32.dll at 44670-3127-006FEC3C
GetAsyncKeyState@USER32.dll at 44670-3758-0073F68C - source
- Hybrid Analysis Technology
- relevance
- 8/10
- ATT&CK ID
- T1056 (Show technique in the MITRE ATT&CK™ matrix)
- Contains ability to retrieve keyboard strokes
- System Security
- Modifies proxy settings
- details
- "Setup.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"Setup.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"Setup.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"Setup.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"Setup.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
- Modifies proxy settings
- Unusual Characteristics
- CRC value set in PE header does not match actual value
- details
- "xz.dll" claimed CRC 178868 while the actual is CRC 4725518
- source
- Static Parser
- relevance
- 10/10
- Imports suspicious APIs
- details
- RegCreateKeyExW
RegDeleteValueW
RegCloseKey
OpenProcessToken
GetUserNameW
RegEnumKeyExW
RegDeleteKeyW
RegOpenKeyExW
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
GetTempPathW
DeviceIoControl
CopyFileW
WriteProcessMemory
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryExW
CreateThread
TerminateProcess
LoadLibraryW
GetVersionExW
GetTickCount
VirtualProtect
GetFileSize
OpenProcess
GetStartupInfoW
ReadProcessMemory
CreateDirectoryW
DeleteFileW
GetProcAddress
GetComputerNameW
WriteFile
GetFileSizeEx
FindNextFileW
FindFirstFileW
CreateFileW
VirtualAllocEx
LockResource
GetCommandLineW
GetModuleHandleW
FindResourceW
CreateProcessW
Sleep
GetModuleFileNameExW
ShellExecuteExW
GetCursorPos
SetWindowsHookExW
FindWindowW
SetKeyboardState
GetWindowThreadProcessId
WSAStartup
GetTempPathA
GetModuleFileNameA
GetModuleHandleA
GetVersionExA
LoadLibraryA
GetStartupInfoA
CreateDirectoryA
DeleteFileA
FindFirstFileA
FindNextFileA
CreateFileA
GetCommandLineA
GetFileAttributesExA
FindResourceA
VirtualAlloc - source
- Static Parser
- relevance
- 1/10
- Installs hooks/patches the running process
- details
- "Setup.exe" wrote bytes "b88011816fffe0" to virtual address "0x76261368" (part of module "WS2_32.DLL")
"Setup.exe" wrote bytes "4812e174" to virtual address "0x74E283DC" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "fae60877e1a60d772e710d77ee290d7785e208776da00d7726e40877d16d0d77003d0b77804b0b7700000000ad3726768b2d2676b641267600000000" to virtual address "0x74411000" (part of module "WSHTCPIP.DLL")
"Setup.exe" wrote bytes "a011816f" to virtual address "0x75F9E324" (part of module "WININET.DLL")
"Setup.exe" wrote bytes "48120000" to virtual address "0x74E112DC" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b89012816fffe0" to virtual address "0x74E11248" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "e7390977e1a60d772e710d77ee290d7785e208776da00d7790640c773ad5137726e40877d16d0d77003d0b77804b0b7700000000ad3726768b2d2676b641267600000000" to virtual address "0x74941000" (part of module "WSHIP6.DLL")
"Setup.exe" wrote bytes "c04e0b7720540c77e0650c77b5380d770000000000d0237700000000c5ea23770000000088ea237700000000e968157582280d77ee290d7700000000d2691575000000007dbb23770000000009be157500000000ba18237700000000" to virtual address "0x771E1000" (part of module "NSI.DLL")
"Setup.exe" wrote bytes "4812e174" to virtual address "0x74E28364" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "f8110000" to virtual address "0x74E11408" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "4812e174" to virtual address "0x74E28348" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "4812e174" to virtual address "0x74E283C0" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "f811e174" to virtual address "0x74E28368" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "48120000" to virtual address "0x74E1139C" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "f811e174" to virtual address "0x74E283E0" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "68130000" to virtual address "0x76261680" (part of module "WS2_32.DLL")
"Setup.exe" wrote bytes "f811e174" to virtual address "0x74E2834C" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b81015816fffe0" to virtual address "0x74E111F8" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "f8110000" to virtual address "0x74E112CC" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "f811e174" to virtual address "0x74E283C4" (part of module "SSPICLI.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
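The byte strings in the hook list above are only useful once decoded. The Python below is an added example, not part of the Hybrid Analysis report and not code from the Andy OS installer: it parses lines in the report's own format (SAMPLE is copied from the list above, with the NSI.DLL write truncated to its first 16 bytes) and classifies each write. The decoding rules are the author's assumption about 32-bit x86 encoding, not something the sandbox states: `B8 imm32` is `mov eax, imm32` and `FF E0` is `jmp eax`, so a 7-byte write of that shape is an inline detour at a function entry, a 4-byte write is a little-endian pointer or RVA, and a longer dword-aligned write is a pointer table rewritten wholesale. It also cross-references the pointer writes against the detour addresses, which exposes that the SSPICLI.DLL data writes of `4812e174` point back at the detour planted at 0x74E11248.

```python
"""Decode the in-memory patches listed under "Installs hooks/patches the running process".

Added example, not part of the report or of the Andy OS installer. SAMPLE is
copied from the hook list above (the NSI.DLL write truncated to its first 16
bytes); the x86 decoding rules are the author's assumption, not the sandbox's.
"""
import re
import struct
from dataclasses import dataclass

LINE_RE = re.compile(
    r'wrote bytes "(?P<hex>[0-9a-f]+)" to virtual address "(?P<addr>0x[0-9A-Fa-f]+)"'
    r' \(part of module "(?P<module>[^"]+)"\)'
)

TRAMPOLINE = "inline trampoline (mov eax,imm32; jmp eax)"


@dataclass(frozen=True)
class Patch:
    module: str
    address: int
    raw: bytes

    def classify(self):
        """Return (kind, decoded value) for the patch shapes seen in the report."""
        b = self.raw
        # B8 imm32 = mov eax, imm32 ; FF E0 = jmp eax : 7-byte detour at a function entry
        if len(b) == 7 and b[0] == 0xB8 and b[5:7] == b"\xff\xe0":
            return TRAMPOLINE, struct.unpack("<I", b[1:5])[0]
        # single little-endian dword: either an absolute pointer or a small RVA/offset
        if len(b) == 4:
            value = struct.unpack("<I", b)[0]
            return ("pointer overwrite" if value >= 0x10000 else "RVA/offset overwrite"), value
        # longer dword-aligned writes: a table of pointers rewritten wholesale
        if len(b) % 4 == 0:
            return "dword table rewrite (%d entries)" % (len(b) // 4), None
        return "unclassified", None


def parse_report(text):
    """Turn report lines into Patch records (address parsed as hex, bytes unhexed)."""
    return [Patch(m.group("module"), int(m.group("addr"), 16), bytes.fromhex(m.group("hex")))
            for m in LINE_RE.finditer(text)]


def trampoline_targets(patches):
    """Distinct detour destinations, keyed by the module the detour was planted in."""
    out = {}
    for p in patches:
        kind, target = p.classify()
        if kind == TRAMPOLINE:
            out.setdefault(p.module, set()).add(target)
    return out


def pointers_into_patched_code(patches):
    """Pointer writes whose value is the address of a planted trampoline."""
    planted = {p.address for p in patches if p.classify()[0] == TRAMPOLINE}
    return [(p.module, p.address, p.classify()[1]) for p in patches
            if p.classify()[0] == "pointer overwrite" and p.classify()[1] in planted]


# Copied from the report's hook list; the NSI.DLL entry is cut to its first 16 bytes.
SAMPLE = '''
"Setup.exe" wrote bytes "b88011816fffe0" to virtual address "0x76261368" (part of module "WS2_32.DLL")
"Setup.exe" wrote bytes "4812e174" to virtual address "0x74E283DC" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "a011816f" to virtual address "0x75F9E324" (part of module "WININET.DLL")
"Setup.exe" wrote bytes "48120000" to virtual address "0x74E112DC" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b89012816fffe0" to virtual address "0x74E11248" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b81015816fffe0" to virtual address "0x74E111F8" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "c04e0b7720540c77e0650c77b5380d77" to virtual address "0x771E1000" (part of module "NSI.DLL")
'''

if __name__ == "__main__":
    patches = parse_report(SAMPLE)
    for p in patches:
        kind, value = p.classify()
        print("%-12s 0x%08X  %s%s" % (p.module, p.address, kind,
                                       "" if value is None else "  -> 0x%08X" % value))
    print("detour targets:", {m: sorted(map(hex, t)) for m, t in trampoline_targets(patches).items()})
    print("pointers re-aimed at planted code:", pointers_into_patched_code(patches))
```

All three detours land in the 0x6F81xxxx range, which belongs to none of the modules named in the list, so the next step in a real investigation is to map that range to its owner (the sample, the sandbox's own monitor, or a security product) before attributing the hooks to Setup.exe; the report on its own does not say which.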
- Reads data about supported languages
- details
- "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"Setup.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALE") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
- CRC value set in PE header does not match actual value
- Hiding 12 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
- Anti-Reverse Engineering
- Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.dll at 44670-2914-007839B2
SetUnhandledExceptionFilter@KERNEL32.dll at 44670-2921-007812C1 - source
- Hybrid Analysis Technology
- relevance
- 1/10
- Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- Environment Awareness
- Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.dll at 44670-3891-007322EC
GetSystemTime@KERNEL32.dll at 44670-3853-00733EEC
GetLocalTime@KERNEL32.dll at 44670-3882-00732E8C
GetLocalTime@KERNEL32.dll (Show Stream)
GetLocalTime@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124 (Show technique in the MITRE ATT&CK™ matrix)
- Contains ability to query the machine version
- details
- GetVersionExW@KERNEL32.dll at 44670-2940-0078DCCC
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- Makes a code branch decision directly after an API that is environment aware
- details
- Found API call GetKeyboardLayout@USER32.dll directly followed by "cmp cl, 19h" and "ja 00701A72h" at 44670-3553-0070197C
- source
- Hybrid Analysis Technology
- relevance
- 10/10
- Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.dll at 44670-3684-00789E4A
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- Reads the registry for installed applications
- details
- "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUP.EXE")
"Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUP.EXE") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
- Contains ability to query machine time
- General
- Contacts domains
- details
- "api.andyroid.net"
- source
- Network Traffic
- relevance
- 1/10
- Contacts server
- details
- "23.21.126.131:8080"
- source
- Network Traffic
- relevance
- 1/10
- Contains PDB pathways
- details
- "msvcp100.amd64.pdb"
"msvcr100.amd64.pdb" - source
- String
- relevance
- 1/10
- Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex" - source
- Created Mutant
- relevance
- 3/10
- Drops files marked as clean
- details
- Antivirus vendors marked dropped file "xz.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Extracted File
- relevance
- 10/10
- Overview of unique CLSIDs touched in registry
- details
- "Setup.exe" touched "Search Gatherer Notification" (Path: "HKCU\CLSID\{9E175B6D-F52A-11D8-B9A5-505054503030}")
"Setup.exe" touched "NetworkListManager" (Path: "HKCU\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}")
"Setup.exe" touched "Network List Manager" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{A47979D2-C419-11D9-A5B4-001185AD2B89}")
"Setup.exe" touched "PSFactoryBuffer" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{1299CF18-C4F5-4B6A-BB0F-2299F0398E27}")
"Setup.exe" touched "WinInetBroker Class" (Path: "HKCU\CLSID\{C39EE728-D419-4BD4-A3EF-EDA059DBD935}\TREATAS")
"Setup.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"Setup.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
"Setup.exe" touched "Property System Both Class Factory" (Path: "HKCU\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\TREATAS")
"Setup.exe" touched "Namespace Walker" (Path: "HKCU\CLSID\{72EB61E0-8672-4303-9175-F2E4C68B2E7C}\TREATAS")
"Setup.exe" touched "Shell Copy Hook" (Path: "HKCU\CLSID\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\INPROCSERVER32")
"Setup.exe" touched "Shell extensions for sharing" (Path: "HKCU\CLSID\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}\INPROCSERVER32")
"Setup.exe" touched "Share Manager" (Path: "HKCU\CLSID\{EDB5F444-CB8D-445A-A523-EC5AB6EA33C7}\TREATAS")
"Setup.exe" touched "Inplace Share Engine" (Path: "HKCU\CLSID\{6311429E-2F1A-4777-880F-C7289FD10169}\TREATAS")
"taskkill.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}")
"taskkill.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}")
"taskkill.exe" touched "Microsoft WBEM (not)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"taskkill.exe" touched "Microsoft WBEM (not)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
"taskkill.exe" touched "Microsoft WBEM WbemClassObject Marshalling proxy" (Path: "HKCU\CLSID\{4590F812-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
"netsh.exe" touched "Nap Config Read class" (Path: "HKCU\CLSID\{EA4A0A43-1C8F-4C7B-A4B1-28ECBD96BA8C}")
"netsh.exe" touched "Quarantine Agent Management class" (Path: "HKCU\CLSID\{EB082BA1-DF8A-46BE-82F3-35BF9E9BE52F}") - source
- Registry Access
- relevance
- 3/10
- Process launched with changed environment
- details
- Process "cmd.exe" (Show Process) was launched with new environment variables: "__PROCESS_HISTORY="C:\Setup.exe""
Process "cmd.exe" (Show Process) was launched with new environment variables: "SEE_MASK_NOZONECHECKS="1", VMwareCheckMode="0", A_WorkingDir="C:\""
Process "cmd.exe" (Show Process) was launched with new environment variables: "andydir="%PROGRAMFILES%\Andy", ANDY_ANDYAHK="1""
Process "cmd.exe" (Show Process) was launched with modified environment variables: "Path" - source
- Monitored Target
- relevance
- 10/10
- Runs shell commands
- details
- "/u /c md "%TEMP%\Lang"" on 2020-3-11.02:27:59.169
"/u /c md "%PROGRAMFILES%\Andy"" on 2020-3-11.02:27:59.341
"/u /c taskkill /im AndyConsole.exe /F" on 2020-3-11.02:28:00.373
"/u /c taskkill /im vmware-tray.exe /F" on 2020-3-11.02:28:41.013
"/u /c taskkill /im vmware-kvm.exe /F" on 2020-3-11.02:29:22.201
"/u /c taskkill /im vmware-vmx.exe /F" on 2020-3-11.02:30:02.841
"/u /c taskkill /im vmware.exe /F" on 2020-3-11.02:30:43.529
"/u /c taskkill /im vmplayer.exe /F" on 2020-3-11.02:31:24.451
"/u /c taskkill /im AndyConsole.exe /f" on 2020-3-11.02:32:05.138
"/u /c taskkill /im Andy.exe /f" on 2020-3-11.02:32:45.841
"/u /c taskkill /im HandyAndy.exe /f" on 2020-3-11.02:33:26.576
"/u /c taskkill /im AndyADB.exe /f" on 2020-3-11.02:34:07.279
"/u /c taskkill /im AndyDnD.exe /f" on 2020-3-11.02:34:48.123
"/u /c taskkill /im adb.exe /f" on 2020-3-11.02:35:28.779
"/u /c taskkill /im adb.exe /f" on 2020-3-11.02:36:49.482
"/u /c del /F /Q "%PROGRAMFILES%\Andy.*"" on 2020-3-11.02:38:10.154
"/u /c rd /S /Q "%PROGRAMFILES%\Andy.*"" on 2020-3-11.02:38:50.591
"/u /c del /F /S /Q "%PROGRAMFILES%\Andy"" on 2020-3-11.02:38:50.685
"/u /c rd /S /Q "%PROGRAMFILES%\Andy"" on 2020-3-11.02:38:52.498
"/u /c md "%PROGRAMFILES%\Andy"" on 2020-3-11.02:38:53.607 - source
- Monitored Target
- relevance
- 5/10
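The kill sequence above, the recursive wipe under %PROGRAMFILES%\Andy, and the registry edits listed under "Modifies proxy settings" are the behaviours a detection engineer would want to express as rules rather than read off one report at a time. The Python below is an added example, not part of the Hybrid Analysis report and not code from the Andy OS installer: it runs three such rules over a constructed event list. EVENTS is hand-copied from the indicators above into a Sysmon-like shape, and the field names, the two-image threshold and the rule names are assumptions. One caveat the report itself supports: for this sample the VMware kills are expected, because the installer's VMwareModule (in the extracted script above) stops VMware Player before running its own VMwareCheck/VMwareRemove tools, so the first rule is a triage signal, not a verdict.

```python
"""Rule-based triage over process-creation and registry events.

Added example, not from the report or the Andy OS installer. EVENTS is
constructed by hand from the indicators above; field names, thresholds
and rule names are assumptions.
"""
import re
from collections import Counter

# taskkill /im <image> /f   (cmd.exe treats /F and /f alike, hence re.I)
TASKKILL_RE = re.compile(r"taskkill\s+/im\s+(?P<image>[\w.-]+)\s+/f", re.I)
# rd /S /Q "<path>"         (recursive removal with no confirmation prompt)
WIPE_RE = re.compile(r'\brd\s+/s\s+/q\s+"(?P<path>[^"]+)"', re.I)
VMWARE_IMAGES = {"vmware.exe", "vmware-vmx.exe", "vmware-tray.exe",
                 "vmware-kvm.exe", "vmplayer.exe"}
# only the Internet Settings key itself; its ZONEMAP subkey is deliberately excluded
INET_SUFFIX = "\\CURRENTVERSION\\INTERNET SETTINGS"
INET = "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS"

# Constructed from the report's own indicator lines (process and registry events).
EVENTS = [
    {"type": "process", "image": "cmd.exe", "cmdline": '/u /c md "%PROGRAMFILES%\\Andy"'},
    {"type": "process", "image": "cmd.exe", "cmdline": "/u /c taskkill /im vmware-tray.exe /F"},
    {"type": "process", "image": "cmd.exe", "cmdline": "/u /c taskkill /im vmware-vmx.exe /F"},
    {"type": "process", "image": "cmd.exe", "cmdline": "/u /c taskkill /im vmplayer.exe /F"},
    {"type": "process", "image": "cmd.exe", "cmdline": "/u /c taskkill /im adb.exe /f"},
    {"type": "process", "image": "cmd.exe", "cmdline": '/u /c rd /S /Q "%PROGRAMFILES%\\Andy"'},
    {"type": "registry", "op": "SETVAL", "path": INET, "key": "PROXYENABLE", "value": "00000000"},
    {"type": "registry", "op": "DELETEVAL", "path": INET, "key": "PROXYSERVER"},
    {"type": "registry", "op": "DELETEVAL", "path": INET, "key": "PROXYOVERRIDE"},
    {"type": "registry", "op": "DELETEVAL", "path": INET + "\\ZONEMAP", "key": "PROXYBYPASS"},
]


def analyse(events):
    """Return (rule name, evidence) pairs for one process trace."""
    killed = Counter()
    proxy_ops = set()
    wiped = []
    for ev in events:
        if ev["type"] == "process":
            m = TASKKILL_RE.search(ev["cmdline"])
            if m:
                killed[m.group("image").lower()] += 1
            w = WIPE_RE.search(ev["cmdline"])
            if w:
                wiped.append(w.group("path"))
        elif ev["type"] == "registry" and ev["path"].upper().endswith(INET_SUFFIX):
            proxy_ops.add((ev["op"], ev["key"].upper(), ev.get("value")))

    findings = []
    vm = sorted(img for img in killed if img in VMWARE_IMAGES)
    if len(vm) >= 2:  # a single kill may be a restart; several images is a disable pattern
        findings.append(("terminates VMware processes", vm))
    disabled = ("SETVAL", "PROXYENABLE", "00000000") in proxy_ops
    server_gone = any(op == "DELETEVAL" and key == "PROXYSERVER" for op, key, _ in proxy_ops)
    if disabled and server_gone:  # proxy switched off AND the server value removed
        findings.append(("clears user proxy configuration", sorted(k for _, k, _ in proxy_ops)))
    if wiped:
        findings.append(("recursive directory wipe", wiped))
    return findings


if __name__ == "__main__":
    for rule, evidence in analyse(EVENTS):
        print("%-34s %s" % (rule, evidence))
```

Feeding the same rules real Sysmon event 1 (process create) and event 12/13 (registry) records only requires mapping their fields onto the `type`, `cmdline`, `op`, `path`, `key` and `value` names used here.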
- Scanning for window names
- details
- "Setup.exe" searching for class "Shell_TrayWnd"
"Setup.exe" searching for class "AutoHotkey" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010 (Show technique in the MITRE ATT&CK™ matrix)
- Spawns new processes
- details
- Spawned process "cmd.exe" with commandline "/u /c md "%TEMP%\Lang"" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c md "%PROGRAMFILES%\Andy"" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im AndyConsole.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im AndyConsole.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware-tray.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im vmware-tray.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware-kvm.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im vmware-kvm.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware-vmx.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im vmware-vmx.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im vmware.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmplayer.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im vmplayer.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im AndyConsole.exe /f" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im AndyConsole.exe /f" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im Andy.exe /f" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im Andy.exe /f" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im HandyAndy.exe /f" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im HandyAndy.exe /f" (Show Process) - source
- Monitored Target
- relevance
- 3/10
- Spawns new processes that are not known child processes
- details
- Spawned process "cmd.exe" with commandline "/u /c md "%TEMP%\Lang"" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c md "%PROGRAMFILES%\Andy"" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im AndyConsole.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im AndyConsole.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware-tray.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im vmware-tray.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware-kvm.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im vmware-kvm.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware-vmx.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im vmware-vmx.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmware.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im vmware.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im vmplayer.exe /F" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im vmplayer.exe /F" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im AndyConsole.exe /f" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im AndyConsole.exe /f" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im Andy.exe /f" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im Andy.exe /f" (Show Process)
Spawned process "cmd.exe" with commandline "/u /c taskkill /im HandyAndy.exe /f" (Show Process)
Spawned process "taskkill.exe" with commandline "taskkill /im HandyAndy.exe /f" (Show Process) - source
- Monitored Target
- relevance
- 3/10
- The input sample is signed with a certificate
- details
- The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1; encounter report for more than information)
The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4; see report for more information)
The input sample is signed with a certificate issued by "CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US" (SHA1: 36:87:D9:10:2F:73:45:70:49:9C:F4:E9:8D:EB:3C:D7:B8:DB:48:CA; see report for more information)
The input sample is signed with a certificate issued by "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: 00:77:90:F6:56:1D:AD:89:B0:BC:D8:55:85:76:24:95:E3:58:F8:A5; see report for more information) - source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116 (Show technique in the MITRE ATT&CK™ matrix)
- Contacts domains
- Installation/Persistance
- Contains ability to lookup the windows account name
- details
- GetUserNameW@ADVAPI32.dll at 44670-3849-007340DC
- source
- Hybrid Analysis Technology
- relevance
- 5/10
- Dropped files
- details
- "xz.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"Setup_de-DE.ini" has type "ISO-8859 text"
"Setup_en-US.ini" has type "ASCII text"
"GATickError.txt" has type "ASCII text with CRLF line terminators"
"10.png" has type "PNG image data 12 x 12 8-bit/color RGBA non-interlaced"
"1.txt" has type "ASCII text with CRLF line terminators"
"Inst.png" has type "PNG image data 581 x 422 8-bit/color RGB non-interlaced" - source
- Extracted File
- relevance
- 3/10
- Touches files in the Windows directory
- details
- "Setup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"Setup.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"Setup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"Setup.exe" touched file "C:\Windows\AppPatch\AcGenral.dll"
"Setup.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"Setup.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"Setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"Setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001f.db"
"Setup.exe" touched file "C:\Windows\System32\en-US\shell32.dll.mui"
"Setup.exe" touched file "C:\Windows\System32\rsaenh.dll"
"Setup.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"Setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"Setup.exe" touched file "C:\Windows\System32\wshqos.dll"
"Setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"
"Setup.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"Setup.exe" touched file "C:\Windows\System32\imageres.dll"
"Setup.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches" - source
- API Call
- relevance
- 7/10
- Contains ability to lookup the windows account name
- Network Related
- Found potential URL in binary/memory
- details
- Pattern match: "http://andyroid.net/terms-conditions?tmpl=component&task=preview"
Pattern match: "www.andyroid.net"
Pattern match: "http://%GAserver%:%GAport%/installer/report/1/?cmd`="
Pattern match: "http://s2.symcb.com0"
Pattern match: "http://www.symauth.com/cps0"
Pattern match: "http://www.symauth.com/rpa00"
Pattern match: "http://s1.symcb.com/pca3-g5.crl0"
Pattern match: "http://sv.symcb.com/sv.crl0a"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://sv.symcd.com0&"
Pattern match: "http://sv.symcb.com/sv.crt0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ahkscript.org"
Heuristic match: "Publish Speed Test Result at usbspeed.nirsoft.net"
Heuristic match: "I agree to publish the above speed test data in usbspeed.nirsoft.net"
Heuristic match: "api.andyroid.net" - source
- String
- relevance
- 10/10
- Found potential URL in binary/memory
- System Security
- Creates or modifies windows services
- details
- "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\LOCALCONFIG")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\ENROLL\HCSGROUPS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\SHAS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NAPAGENT\QECS")
"netsh.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
- Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "Setup.exe" opened "\Device\KsecDD"
"taskkill.exe" opened "\Device\KsecDD"
"netsh.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
- Unusual Characteristics
- Matched Compiler/Packer signature
- details
- "362a0b32cbba8bdcade0956dc3cc670dc0fd51d8e7b2224928ea2b3a04e109ff.bin" was detected as "VC8 -> Microsoft Corporation"
"xz.dll" was detected as "Armadillo v1.xx - v2.20" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Show technique in the MITRE ATT&CK™ matrix)
File Details
All Details:
Setup.exe
- Filename
- Setup.exe
- Size
- 4.4MiB (4662416 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 362a0b32cbba8bdcade0956dc3cc670dc0fd51d8e7b2224928ea2b3a04e109ff
- Compiler/Packer
- VC8 -> Microsoft Corporation
Version Info
- LegalCopyright
- Copyright 2014-2016 Andy OS, inc.
- InternalName
- Setup.exe
- FileVersion
- 46.16.66.0
- CompanyName
- Andy OS, inc.
- ProductName
- Andy
- ProductVersion
- 46.16.66.0
- FileDescription
- Setup
- OriginalFilename
- Setup.exe
- Translation
- 0x0000 0x04b0
Classification (TrID)
- 49.4% (.AX) DirectShow filter
- 28.5% (.OCX) Windows ActiveX control
- 10.1% (.EXE) Win32 EXE PECompact compressed (generic)
- 7.6% (.EXE) Win32 Executable MS Visual C++ (generic)
- 1.6% (.DLL) Win32 Dynamic Link Library (generic)
Screenshots
System Resource Monitor charts (not reproduced here): CPU Usage, Committed Bytes, Disk Read Bytes/sec, Disk Write Bytes/sec, Network Packets/sec, Page File Bytes
Hybrid Analysis
Analysed 73 processes in total (System Resource Monitor).
- Setup.exe (PID: 2052) 2/83
Network Analysis
DNS Requests
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
Extracted Files
Notifications
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for cmd.exe (PID: 1108)
- Not all file accesses are visible for cmd.exe (PID: 1528)
- Not all file accesses are visible for cmd.exe (PID: 1728)
- Not all file accesses are visible for cmd.exe (PID: 1868)
- Not all file accesses are visible for cmd.exe (PID: 2024)
- Not all file accesses are visible for cmd.exe (PID: 2160)
- Not all file accesses are visible for cmd.exe (PID: 2232)
- Not all file accesses are visible for cmd.exe (PID: 2284)
- Not all file accesses are visible for cmd.exe (PID: 2428)
- Not all file accesses are visible for cmd.exe (PID: 2780)
- Not all file accesses are visible for cmd.exe (PID: 2876)
- Not all file accesses are visible for cmd.exe (PID: 2908)
- Not all file accesses are visible for cmd.exe (PID: 3072)
- Not all file accesses are visible for cmd.exe (PID: 3120)
- Not all file accesses are visible for cmd.exe (PID: 3168)
- Not all file accesses are visible for cmd.exe (PID: 3188)
- Not all file accesses are visible for cmd.exe (PID: 3232)
- Not all file accesses are visible for cmd.exe (PID: 3264)
- Not all file accesses are visible for cmd.exe (PID: 3344)
- Not all file accesses are visible for cmd.exe (PID: 3388)
- Not all file accesses are visible for cmd.exe (PID: 3412)
- Not all file accesses are visible for cmd.exe (PID: 3468)
- Not all file accesses are visible for cmd.exe (PID: 3656)
- Not all file accesses are visible for cmd.exe (PID: 3760)
- Not all file accesses are visible for cmd.exe (PID: 3788)
- Not all file accesses are visible for cmd.exe (PID: 3792)
- Not all file accesses are visible for cmd.exe (PID: 3940)
- Not all file accesses are visible for cmd.exe (PID: 3960)
- Not all file accesses are visible for cmd.exe (PID: 4000)
- Not all file accesses are visible for cmd.exe (PID: 4008)
- Not all file accesses are visible for cmd.exe (PID: 4016)
- Not all file accesses are visible for cmd.exe (PID: 476)
- Not all file accesses are visible for cmd.exe (PID: 764)
- Not all file accesses are visible for cmd.exe (PID: 880)
- Not all file accesses are visible for icacls.exe (PID: 2064)
- Not all file accesses are visible for icacls.exe (PID: 2080)
- Not all file accesses are visible for icacls.exe (PID: 2092)
- Not all file accesses are visible for icacls.exe (PID: 2904)
- Not all file accesses are visible for icacls.exe (PID: 540)
- Not all file accesses are visible for netsh.exe (PID: 2720)
- Not all file accesses are visible for netsh.exe (PID: 3272)
- Not all file accesses are visible for netsh.exe (PID: 3332)
- Not all file accesses are visible for netsh.exe (PID: 3336)
- Not all file accesses are visible for netsh.exe (PID: 752)
- Not all file accesses are visible for takeown.exe (PID: 912)
- Not all file accesses are visible for taskkill.exe (PID: 1084)
- Not all file accesses are visible for taskkill.exe (PID: 1160)
- Not all file accesses are visible for taskkill.exe (PID: 1164)
- Not all file accesses are visible for taskkill.exe (PID: 1188)
- Not all file accesses are visible for taskkill.exe (PID: 1472)
- Not all file accesses are visible for taskkill.exe (PID: 1616)
- Not all file accesses are visible for taskkill.exe (PID: 1804)
- Not all file accesses are visible for taskkill.exe (PID: 1976)
- Not all file accesses are visible for taskkill.exe (PID: 2024)
- Not all file accesses are visible for taskkill.exe (PID: 2064)
- Not all file accesses are visible for taskkill.exe (PID: 2152)
- Not all file accesses are visible for taskkill.exe (PID: 2160)
- Not all file accesses are visible for taskkill.exe (PID: 2264)
- Not all file accesses are visible for taskkill.exe (PID: 2268)
- Not all file accesses are visible for taskkill.exe (PID: 2388)
- Not all file accesses are visible for taskkill.exe (PID: 2580)
- Not all file accesses are visible for taskkill.exe (PID: 2804)
- Not all file accesses are visible for taskkill.exe (PID: 2820)
- Not all file accesses are visible for taskkill.exe (PID: 2880)
- Not all file accesses are visible for taskkill.exe (PID: 3088)
- Not all file accesses are visible for taskkill.exe (PID: 3188)
- Not all file accesses are visible for taskkill.exe (PID: 3224)
- Not all file accesses are visible for taskkill.exe (PID: 3324)
- Not all file accesses are visible for taskkill.exe (PID: 3636)
- Not all file accesses are visible for taskkill.exe (PID: 3892)
- Not all file accesses are visible for taskkill.exe (PID: 892)
- Not all file accesses are visible for taskkill.exe (PID: 912)
- Not all sources for indicator ID "api-2" are available in the report
- Not all sources for indicator ID "api-37" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-35" are available in the report
- Not all sources for indicator ID "registry-67" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "string-1" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all sources for indicator ID "target-103" are available in the report
- Not all sources for indicator ID "target-14" are available in the report
- Not all sources for indicator ID "target-25" are available in the study
- Not all sources for indicator ID "target-3" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report
- Some low-level details are hidden from the report due to oversize
Source: https://www.hybrid-analysis.com/sample/362a0b32cbba8bdcade0956dc3cc670dc0fd51d8e7b2224928ea2b3a04e109ff/5e683e42fb28f45e6b06740b